
Windows Analysis Report
I6WVogMkrj.dll

Overview

General Information

Sample name: I6WVogMkrj.dll (renamed because original name is a hash value)
Original sample name: 0b21f113cdf4f849e604a9412a2417376394e6c810672be7fce463574c5af248.dll
Analysis ID: 1544800
MD5: 52024ba9c0e29961db8d7f7aaf3aa9be
SHA1: 851bc830fc4e602ac64fe3422fe0513adeceb69a
SHA256: 0b21f113cdf4f849e604a9412a2417376394e6c810672be7fce463574c5af248
Tags: 2024, banker, dll, golang, loader, mekotio, user-johnk3r

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6716 cmdline: loaddll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6872 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 6956 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 3300 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6912 cmdline: rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5812 cmdline: rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4960 cmdline: rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7088 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarCreate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6988 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarDestroy MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7164 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarFreeRec MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7128 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetFocus MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5252 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetDirty MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4956 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeResize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkePaint2 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6436 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeKillFocus MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeIsDirty MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeInitialize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7156 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeGetCaretRect MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3020 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseWheelEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4076 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3384 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyUpEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4460 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyPressEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5816 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyDownEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6168 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireContextMenuEvent MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6504 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFinalize MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7152 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeDestroyWebView MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5448 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeCreateWebView MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1148 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 640 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7228 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7256 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 648 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7268 cmdline: rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarRecognize MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: I6WVogMkrj.dll | Avira: detected
Source: I6WVogMkrj.dll | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: I6WVogMkrj.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040D1C4 FindFirstFileW,FindClose,4_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,4_2_0040CBF8
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004EA1D8 GetClipboardData,CopyEnhMetaFileW,GetEnhMetaFileHeader,4_2_004EA1D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004EAA7C GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,4_2_004EAA7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004F6444 4_2_004F6444
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004F6704 4_2_004F6704
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004E6918 4_2_004E6918
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004B0F64 4_2_004B0F64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004B10A8 4_2_004B10A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043B4C4 4_2_0043B4C4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004FFD00 4_2_004FFD00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004EFE80 4_2_004EFE80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004F1FC4 4_2_004F1FC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004F5F80 4_2_004F5F80
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 648
Source: I6WVogMkrj.dll | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: classification engine | Classification label: mal60.winDLL@63/13@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004E5AA0 GetLastError,FormatMessageW,4_2_004E5AA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004219D8 GetDiskFreeSpaceW,4_2_004219D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004AA910 FindResourceW,LoadResource,SizeofResource,LockResource,4_2_004AA910
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7256
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6956
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1148
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4eb95ee9-be9e-40c6-b84f-60f6610a79df
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (56 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarCreate
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarCreate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarDestroy
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarFreeRec
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetFocus
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetDirty
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeResize
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkePaint2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeKillFocus
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeIsDirty
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeInitialize
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeGetCaretRect
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseWheelEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyUpEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyPressEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyDownEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireContextMenuEvent
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFinalize
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeDestroyWebView
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeCreateWebView
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarRecognize
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 648
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: I6WVogMkrj.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: I6WVogMkrj.dll | Static file information: File size 1270272 > 1048576
Source: I6WVogMkrj.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ca00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00509D48 LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr,4_2_00509D48
Source: I6WVogMkrj.dll | Static PE information: section name: .didata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050E000 push 0050E0DEh; ret 4_2_0050E0D6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050E47C push 0050E519h; ret 4_2_0050E511
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00460068 push ecx; mov dword ptr [esp], edx 4_2_00460069
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00504014 push 0050403Ah; ret 4_2_00504032
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050A0D8 push ecx; mov dword ptr [esp], eax 4_2_0050A0DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004380A4 push ecx; mov dword ptr [esp], eax 4_2_004380A5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050A1D8 push 0050A21Ah; ret 4_2_0050A212
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_005041A4 push 005041CAh; ret 4_2_005041C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00466248 push ecx; mov dword ptr [esp], ecx 4_2_0046624C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00464264 push ecx; mov dword ptr [esp], ecx 4_2_00464268
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004BE2E4 push ecx; mov dword ptr [esp], edx 4_2_004BE2E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004BA2F8 push ecx; mov dword ptr [esp], edx 4_2_004BA2FB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004C42F4 push ecx; mov dword ptr [esp], edx 4_2_004C42F5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004682FC push ecx; mov dword ptr [esp], ecx 4_2_00468300
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004C0340 push ecx; mov dword ptr [esp], edx 4_2_004C0341
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00502340 push 00502398h; ret 4_2_00502390
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043A3D0 push ecx; mov dword ptr [esp], eax 4_2_0043A3D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050239C push ecx; mov dword ptr [esp], ecx 4_2_005023A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00464450 push ecx; mov dword ptr [esp], ecx 4_2_00464454
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050E540 push 0050E5F6h; ret 4_2_0050E5EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004C460C push ecx; mov dword ptr [esp], edx 4_2_004C460D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050E610 push 0050E671h; ret 4_2_0050E669
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050E740 push 0050E7DCh; ret 4_2_0050E7D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0046670C push ecx; mov dword ptr [esp], edx 4_2_0046670D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0046671C push ecx; mov dword ptr [esp], edx 4_2_0046671D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004827C4 push 00482826h; ret 4_2_0048281E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004648E4 push ecx; mov dword ptr [esp], eax 4_2_004648E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042E970 push 0042EA60h; ret 4_2_0042EA58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004C2A30 push ecx; mov dword ptr [esp], edx 4_2_004C2A31
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00468B60 push ecx; mov dword ptr [esp], edx 4_2_00468B61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00462CE0 push ecx; mov dword ptr [esp], ecx 4_2_00462CE4
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040D1C4 FindFirstFileW,FindClose, | 4_2_0040D1C4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040CBF8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, | 4_2_0040CBF8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040EE84 GetSystemInfo, | 4_2_0040EE84
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: Amcache.hve.7.dr | Binary or memory string: VMware
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_4-47833
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004B8000 IsDebuggerPresent,RaiseException, | 4_2_004B8000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00509D48 LoadLibraryW,GetProcAddress,GetProcAddress,IsBadReadPtr, | 4_2_00509D48
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0050A0D8 FreeLibrary,VirtualFree,GetProcessHeap,HeapFree,VirtualFree, | 4_2_0050A0D8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004079E8 cpuid | 4_2_004079E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, | 4_2_0040D2FC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 4_2_0040C79C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_00428FD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 4_2_0042920C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_00425334
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 4_2_00425380
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00423868 GetLocalTime, | 4_2_00423868
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0040C520 InitializeCriticalSection,GetVersion,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress, | 4_2_0040C520
Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Screen Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (11) | LSASS Memory | Security Software Discovery (41) | Remote Desktop Protocol | Archive Collected Data (1) | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Clipboard Data (1) | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Rundll32 (1) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | System Information Discovery (25) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph ID: 1544800 | Sample: I6WVogMkrj.dll | Start date: 29/10/2024 | Architecture: WINDOWS | Score: 60
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; AI detected suspicious sample
Process graph: loaddll32.exe started cmd.exe, two rundll32.exe instances and 26 other processes; cmd.exe started rundll32.exe; each of the three rundll32.exe instances started WerFault.exe.

Source | Detection | Scanner | Label | Link
I6WVogMkrj.dll | 47% | ReversingLabs | Win32.Trojan.Midie |
I6WVogMkrj.dll | 100% | Avira | TR/Redcap.oggdn |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.7.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544800
Start date and time:2024-10-29 18:55:43 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:I6WVogMkrj.dll
renamed because original name is a hash value
Original Sample Name:0b21f113cdf4f849e604a9412a2417376394e6c810672be7fce463574c5af248.dll
Detection:MAL
Classification:mal60.winDLL@63/13@0/0
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 17
  • Number of non-executed functions: 88
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.21
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target rundll32.exe, PID 7256 because there are no executed functions
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • VT rate limit hit for: I6WVogMkrj.dll
Time | Type | Description
13:56:47 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
13:56:53 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8695025507182572
Encrypted:false
SSDEEP:192:XEuiKORyPg0BU/wjeTlzuiFGZ24IO84ci:UuirRyP7BU/wjeRzuiFGY4IO84ci
MD5:292180A3E13005CB1FFD5BCFDC4A6878
SHA1:1387135D130F24D0438F735BBEAB8E85A7BC341A
SHA-256:80B0BD72D77489E5F3BBF4E52531D9F8D4879DB6F62FB303EE2939D506D463E2
SHA-512:334F668C1F1C811456369226367EC81422716D19514C5D9080217A90BE33D08976A40B9917333F5AC3EC94A5CD919882B6F189C23203DFDCAF12CEF83F42D716
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8696337135933471
Encrypted:false
SSDEEP:192:Md+biJObyPg0BU/wjeTlzuiFGZ24IO84ci:ZigbyP7BU/wjeRzuiFGY4IO84ci
MD5:AB4223C0C2B6278E2D5D5F8B8FF318FB
SHA1:45C22537116F22A364427414BB7E7D02ADDDE20F
SHA-256:E2FDE433FB2258B5968C843DD4A506FC1D2D30F374436625370EDF7CBD8E8147
SHA-512:96C5394E6C9146CABB67D4C930FC353C35529EF51B6335C49E7B1F750836EA518938DDBC657E580F2893D4C58AEDF681BF9FB8B1C80B302F52FEECA8812D0E1E
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8641554352894474
Encrypted:false
SSDEEP:192:AFsiIOFyPX0BU/wjeTlzuiFGZ24IO8dci:Ysi5FyPkBU/wjeRzuiFGY4IO8dci
MD5:651B7BFEA3CA6362C08FA19F8ACC4076
SHA1:40F7419456D558B43B323F85F6636B738CF11379
SHA-256:9190444659D752E8028BDD1D752E02328351F4DB30D55B4F1A30E719141893FD
SHA-512:ADBEAC5EF257A2F4A8904E251DC8A43F354F498F5841F52BC6A7437DCABDA1CEAA6D2017B5D361BA9E01D4BA2F1E37E79210DE0CC452E743A7C2A98A0129ADC8
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Tue Oct 29 17:56:38 2024, 0x1205a4 type
Category:dropped
Size (bytes):43460
Entropy (8bit):1.9469193817421129
Encrypted:false
SSDEEP:192:nBzuhIUXZdzFO5H4Nz3TfoC+lbrI22NArqXubo:tK7Vo5HMfnObr5jb
MD5:E3DE7E67C443540842F5BF84382827CE
SHA1:85F1CD6F8502D3C235C96D297189C68571590EE5
SHA-256:4E2C49E60B72F40DB67C0CA0350B47B3B30AD16B43922DF782BE87F0DFF28A58
SHA-512:8C384B701F073CC0D4668CF187CDD2B8E2096A854F62F01030C9AD8FE70D281D3139A30EAA706DC09EA80CF1AEBF467D669B2C1B351A9928C4E2C40F777B408E
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8318
Entropy (8bit):3.6910597050397973
Encrypted:false
SSDEEP:192:R6l7wVeJZb6IUs6Yod6sgmf8sjpr089bC/sf6Wm:R6lXJ16IUs6Yq6sgmf8sfCkfy
MD5:EE99A157499F1172DAA333A1C02F6543
SHA1:2C4563729D36874F4C47F1E8093CB166482BF783
SHA-256:9BFCA311B663129C88B6BC7BA1D089C9583B61D49EA7B49CC602DBD7E3DCFF33
SHA-512:2405D5D28E0456FBF418A7BEC4363DF257DFCB49E0888FEB5D0AE61B2B99F42A0762AE2AC44C8CF08F52AA8237712B5D62A14ABFB67727C8E0DF0E2DA3075211
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4751
Entropy (8bit):4.453540922017464
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9K1WpW8VYVYm8M4JCdPLYnFX+q8vjPLYWCwGScS6d:uIjfgI78E7VBJXNKoWCwJ36d
MD5:F51B660BF1DDB2D40DD20CADACA4CD79
SHA1:7BD71D29E04D8A6C4BD8DC3A61EBC3AD28508724
SHA-256:FD1048570BB89CDC8F0C2B0B1CCDBA09E9F91ED321F260EB85CB9457615B7A9E
SHA-512:F606B5E01C6B5E699E678ADF2E33B211704666C343E355D30923FFCD25815FB66A99415DBA2A2E8EA227857B7E9E6780804E29764E813B81F58B25988D03313C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Tue Oct 29 17:56:48 2024, 0x1205a4 type
Category:dropped
Size (bytes):40832
Entropy (8bit):2.0399685592051653
Encrypted:false
SSDEEP:192:V+mu6IUXZ2DbPO5H4rWlQhgp7LoDpg5Ek0c9wj:7R7AG5H+uQhgpypgL
MD5:03FC48ACC652DCA37DD8FEFAA04F7BFA
SHA1:B47E253A27201851C4BCE11DD23E6E223B0D37AA
SHA-256:2E0942A6A97733170F9DC2759AFAA049991B6E7CAF3FD4069E533FA7BCB06531
SHA-512:AC14EF350D8ACC6793B11DCBE80278C891E1CAFD084102AA5212BEAFF2D327A92DB0CFEF7FDE6485A60BED3102026CEF805F2D637EE99E4FDB8E21F95DCD6AEE
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Tue Oct 29 17:56:48 2024, 0x1205a4 type
Category:dropped
Size (bytes):42836
Entropy (8bit):2.0169454649814296
Encrypted:false
SSDEEP:192:VFwuSIUXZoRO5H4tbrwqYdInJINzsM4fIqCM:Q57oE5HI3PYGJWzsNC
MD5:36D151AFD7B42E48400F76B1EEE5DB19
SHA1:18D560A9758EC861936EBA3B928A57C209E4FF0A
SHA-256:CBC2BDB1E7BF56C419597855E05286DB510CAB90A8AD374523805B04A4C694A8
SHA-512:6536D105B9034E0F7DF68C76FE270D8EEBF7E64AB8B56BB913D53EE85370C9A53C24BB52D5CA4F5F0A1569E9FF9652DF56DF1903449F4D05E157E81BD75A80E7
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8328
Entropy (8bit):3.690179307907202
Encrypted:false
SSDEEP:192:R6l7wVeJ5F6IUUp6Yk36dgmf8sjprv89bF/sfUi3m:R6lXJ76IUa6Y86dgmf8s+FkfG
MD5:5C7458193C1722ABF9903B2A462E5ECD
SHA1:1446359CFF3446D3A70FF087440C27C64B859F43
SHA-256:640251B4EF3C80EC9DCEB37CFEC391449DB0CDE1E7168C0DBD996FCBD02BA9ED
SHA-512:8C323ED520089A10804C7513CD601250D0500565FFA6C51A07DF4EBB20FA93E75CF5B76BC2F077731023A6E570133E519D63FA76010FD3C802C7F549AA985E2A
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8264
Entropy (8bit):3.6953288333936207
Encrypted:false
SSDEEP:192:R6l7wVeJrp6IUX6Yky6dgmfTAjprO89b87sfk60m:R6lXJ16IUX6Y56dgmfTA58AfkY
MD5:B093924AADD0307E200ABE16C4C1A765
SHA1:470E07A4D81CD639B4957948FC649AB2937FB4F2
SHA-256:8E60812456223FF0C31D1A3855895F07A1E3A150B9702DDA2AAD030157E4F9D3
SHA-512:FC38F25A8206D768B0EB17A2A23D80C551827A010A523C78447240431863459F3399C5B75EB82B2EF374A545F32D5B8860FA54A084E4C9700656014D20A6761E
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4751
Entropy (8bit):4.4561404879912585
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9K1WpW8VYm0Ym8M4JCdPLYnF01a+q8vjPLYQ8GScSQd:uIjfgI78E7VnBJXJKoQ8J3Qd
MD5:3A742D2B7DB03A74CB39AFC47591B424
SHA1:6FA25343F48D95A920382A208DB0ECBD9CE3B7BD
SHA-256:B293A98A547D3A96BBEF84701CC7B936DBDEFBC634020CCD9BE6D35776218C18
SHA-512:B6E20E766667150AA5D3F4DE9876C1138D3D0DA396EBBFDC8AE9CCC5F7150E090840214C9AA864C82532E2616984F918F41EC33E39AA9A13D1AC4D82585FAF1A
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4650
Entropy (8bit):4.468916711940557
Encrypted:false
SSDEEP:48:cvIwWl8zsSJg77aI9K1WpW8VY+Ym8M4JCdPLHFV+q8/dBVsGScSSd:uIjfgI78E7VeJY8sJ3Sd
MD5:098A8EF8CF39967E47B2024A2E41AD0F
SHA1:0B29FD01D4EDF8D8384B683FB21FD9DD1A774F4F
SHA-256:FCAC6D543C3D689542A1000F1F2DCFFFF932520E1C7E41596766FCC278E41296
SHA-512:41BB622DA48BFEC4B2ED0B1F4F3180322E5572439F63947D332DB56722E5E40FF6FD91A3FD5258C780F696D43256A6B3E6342E8856ACFCA6BC9A9F9A9570F704
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.46625367692047
Encrypted:false
SSDEEP:6144:QIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:1XD94+WlLZMM6YFHT+G
MD5:B44107D9DA84D59175D76B0C31EFD3CC
SHA1:8FBE0C01F72C40A59C796D48C847B0E9F11C5E98
SHA-256:5F15DCBA48A9D1972FF0876BB38B7110265486E53A50CFD9507FA53CFCD2E062
SHA-512:B7FC5A51B29AF87C14D010EB2E6D7280754926B3EA4AC825979F228D05867BE87458983D514EF14BAB914394FF729370869F0056BF7B97EF1C6CF6B09E00D723
Malicious:false
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.647761336753057
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 95.46%
  • Win32 EXE PECompact compressed (generic) (41571/9) 3.96%
  • Win16/32 Executable Delphi generic (2074/23) 0.20%
  • Generic Win/DOS Executable (2004/3) 0.19%
  • DOS Executable Generic (2002/1) 0.19%
File name:I6WVogMkrj.dll
File size:1'270'272 bytes
MD5:52024ba9c0e29961db8d7f7aaf3aa9be
SHA1:851bc830fc4e602ac64fe3422fe0513adeceb69a
SHA256:0b21f113cdf4f849e604a9412a2417376394e6c810672be7fce463574c5af248
SHA512:c5840eb5c1797abd3436ae9f572c0b051163274088463b996c8ae7509c2a48eaa28dcd28bf6e276acbd1ea4475b115ea3b8da5821190a0072f8b569314806894
SSDEEP:24576:qGADs5sp+RGMASv1z0CEYkODzNaYThVKh:EMHRnJ3EGDzNRThVK
TLSH:C3455C62F245643EC4AA0A364973AD54583FB7A2755AEC1E57F4088CCE399802F3E74F
Icon Hash:7ae282899bbab082
Entrypoint:0x50eec8
Entrypoint Section:.itext
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:0x66F1D033 [Mon Sep 23 20:31:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:6327992c879b906e750778c69d550fed
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC0h
mov eax, 0050A278h
call 00007F4968A45E95h
call 00007F4968A3F2B0h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x122000 | 0x2a8 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11f000 | 0x1c46 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13d000 | 0x4600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x184ec | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x11f5a4 | 0x464 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x121000 | 0x366 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10c84c | 0x10ca00 | e40ca14576877bdd96258eb250cdd39c | False | 0.3667557948464402 | data | 6.491753611867068 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x10e000 | 0xee0 | 0x1000 | 8917bf6f7ad16e4275730516cc04df04 | False | 0.5341796875 | data | 6.068280438350264 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x10f000 | 0x8f68 | 0x9000 | 0f629b7fec5e60c7e3fae553d84fdd0f | False | 0.6358506944444444 | data | 6.6215295006299 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x118000 | 0x62fc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x11f000 | 0x1c46 | 0x1e00 | bd166391d3b2991897d3f90ec0b419cb | False | 0.32083333333333336 | data | 4.974350011480841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x121000 | 0x366 | 0x400 | 9c7b1e6fd492c18332b403fa3ad29c2e | False | 0.3544921875 | data | 3.0967012674854977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x122000 | 0x2a8 | 0x400 | aed7877352887f114a96067a16ae4ee5 | False | 0.40625 | data | 4.011066897531627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata | 0x123000 | 0x44 | 0x200 | c9f8bfa36b2dc5163b75d3196d251b45 | False | 0.15625 | data | 1.1660636886017055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0x184ec | 0x18600 | 739fc8376d6e5f7f2cb5f2211db67114 | False | 0.5805889423076923 | data | 6.710387994919482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x13d000 | 0x4600 | 0x4600 | 4b9e035e6f2d81214c7aef343b68aa22 | False | 0.2732142857142857 | data | 3.6892938669939976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0x13d460 | 0x31c | DOS executable (COM, 0x8C-variant) | | | 0.4258793969849246
RT_STRING | 0x13d77c | 0xb5c | data | | | 0.2548143053645117
RT_STRING | 0x13e2d8 | 0x428 | data | | | 0.37406015037593987
RT_STRING | 0x13e700 | 0x3c4 | data | | | 0.37655601659751037
RT_STRING | 0x13eac4 | 0x3cc | data | | | 0.2757201646090535
RT_STRING | 0x13ee90 | 0x394 | data | | | 0.4334061135371179
RT_STRING | 0x13f224 | 0x4e4 | data | | | 0.35303514376996803
RT_STRING | 0x13f708 | 0x374 | data | | | 0.3563348416289593
RT_STRING | 0x13fa7c | 0x454 | data | | | 0.38898916967509023
RT_STRING | 0x13fed0 | 0x1ec | data | | | 0.3983739837398374
RT_STRING | 0x1400bc | 0xc4 | data | | | 0.6428571428571429
RT_STRING | 0x140180 | 0x170 | data | | | 0.5597826086956522
RT_STRING | 0x1402f0 | 0x334 | data | | | 0.41585365853658535
RT_STRING | 0x140624 | 0x408 | data | | | 0.3168604651162791
RT_STRING | 0x140a2c | 0x36c | data | | | 0.4018264840182648
RT_STRING | 0x140d98 | 0x2b8 | data | | | 0.4367816091954023
RT_RCDATA | 0x141050 | 0x10 | data | | | 1.5
RT_RCDATA | 0x141060 | 0x378 | data | | | 0.5934684684684685
RT_RCDATA | 0x1413d8 | 0x2 | data | English | United States | 5.0
RT_VERSION | 0x1413dc | 0x20c | data | English | United States | 0.4770992366412214
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | CharNextW, LoadStringW
kernel32.dll | Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll | GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary
user32.dll | ReleaseDC, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, LoadImageW, LoadIconW, GetSystemMetrics, GetSysColor, GetIconInfo, GetDC, GetClipboardData, FrameRect, FillRect, DrawTextExW, DrawIconEx, DrawFocusRect, DestroyIcon, CreateIcon, CopyIcon, CharUpperBuffW, CharUpperW, CharLowerBuffW
gdi32.dll | UnrealizeObject, StretchDIBits, StretchBlt, SetWinMetaFileBits, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, RoundRect, ResizePalette, Rectangle, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStretchBltMode, GetStockObject, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutW, ExtFloodFill, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc
version.dll | VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetFilePointer, SetEvent, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GetVersionExW, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcessHeap, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, EnumSystemLocalesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll | RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll | Sleep
netapi32.dll | NetApiBufferFree, NetWkstaGetInfo
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll | CoCreateInstance, IsEqualGUID
msvcrt.dll | memset, memcpy
Name                             Ordinal   Address
BarCreate                        4         0x50a26c
BarDestroy                       5         0x50a268
BarFreeRec                       6         0x50a264
BarRecognize                     7         0x50a260
TMethodImplementationIntercept   3         0x45f330
__dbk_fcall_wrapper              2         0x41041c
dbkFCallWrapperAddr              1         0x51b630
wkeCreateWebView                 13        0x50a248
wkeDestroyWebView                8         0x50a25c
wkeFinalize                      9         0x50a258
wkeFireContextMenuEvent          16        0x50a23c
wkeFireKeyDownEvent              12        0x50a24c
wkeFireKeyPressEvent             14        0x50a244
wkeFireKeyUpEvent                23        0x50a220
wkeFireMouseEvent                15        0x50a240
wkeFireMouseWheelEvent           17        0x50a238
wkeGetCaretRect                  20        0x50a22c
wkeInitialize                    22        0x50a224
wkeIsDirty                       21        0x50a228
wkeKillFocus                     19        0x50a230
wkePaint2                        24        0x50a21c
wkeResize                        11        0x50a250
wkeSetDirty                      10        0x50a254
wkeSetFocus                      18        0x50a234
Language of compilation system | Country where language is spoken | Map
English                        | United States                    | (map image)
Timestamp                          | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 18:56:56.723920107 CET | 53          | 63181     | 1.1.1.1   | 192.168.2.4

Target ID:0
Start time:13:56:37
Start date:29/10/2024
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll"
Imagebase:0xbb0000
File size:126'464 bytes
MD5 hash:51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:1
Start time:13:56:37
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:13:56:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:13:56:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarCreate
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:4
Start time:13:56:37
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",#1
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:7
Start time:13:56:38
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6956 -s 648
Imagebase:0x290000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:13:56:40
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarDestroy
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:9
Start time:13:56:43
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\I6WVogMkrj.dll,BarFreeRec
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:10
Start time:13:56:46
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarCreate
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:11
Start time:13:56:46
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarDestroy
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:12
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarFreeRec
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Reputation:high
Has exited:true

Target ID:13
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetFocus
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:14
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeSetDirty
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:15
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeResize
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:16
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkePaint2
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:17
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeKillFocus
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:18
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeIsDirty
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:19
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeInitialize
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:20
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeGetCaretRect
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:21
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseWheelEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:22
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireMouseEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:23
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyUpEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:24
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyPressEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:25
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireKeyDownEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:26
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFireContextMenuEvent
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:27
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeFinalize
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:28
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeDestroyWebView
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:29
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",wkeCreateWebView
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:30
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",dbkFCallWrapperAddr
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:31
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",__dbk_fcall_wrapper
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:32
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",TMethodImplementationIntercept
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:33
Start time:13:56:47
Start date:29/10/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\I6WVogMkrj.dll",BarRecognize
Imagebase:0x2b0000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:36
Start time:13:56:48
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 640
Imagebase:0x290000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:13:56:48
Start date:29/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 648
Imagebase:0x290000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true


    Execution Graph

    Execution Coverage:0.9%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:9.6%
    Total number of Nodes:332
    Total number of Limit Nodes:36

    Control-flow Graph

    APIs
    • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D3BC,?,?), ref: 0040D32E
    • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D3BC,?,?), ref: 0040D337
      • Part of subcall function 0040D1C4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D222,?,00000001), ref: 0040D1F7
      • Part of subcall function 0040D1C4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D222,?,00000001), ref: 0040D207
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
    • String ID:
    • API String ID: 3216391948-0
    • Opcode ID: bb5aebafb1050cca1833a86485a25d2ce173cc466728c947d737821306c0bec7
    • Instruction ID: 31cc6c2f53d714b9faa06a3b986118d36ba9187928ad3646f11bb52bdd509fcd
    • Opcode Fuzzy Hash: bb5aebafb1050cca1833a86485a25d2ce173cc466728c947d737821306c0bec7
    • Instruction Fuzzy Hash: DD113670E042099BDF00EFA5D952AAEB3B4EF45304F50447EB904B73C2D7785E098669

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 333 40d1c4-40d204 call 409d1c call 40a748 FindFirstFileW 338 40d206-40d207 FindClose 333->338 339 40d20c-40d221 call 409c38 333->339 338->339
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,00000000,0040D222,?,00000001), ref: 0040D1F7
    • FindClose.KERNEL32(00000000,00000000,?,00000000,0040D222,?,00000001), ref: 0040D207
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: fd6b56c6bec8101a1a2edd49b896a968750317b75b60eb436ea3e7407fe2b467
    • Instruction ID: f2706f95e4b90df003fff4208de2c5c05cd5cdeba3f5e8022b992bb7b9acb03d
    • Opcode Fuzzy Hash: fd6b56c6bec8101a1a2edd49b896a968750317b75b60eb436ea3e7407fe2b467
    • Instruction Fuzzy Hash: 80F08271944608BEDB20FBB5DC5299EB7FCEB48314BA005BAB404F31D2EB389E14995D
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: c27e8cf9b7b8b28db5bf16ce19b686b88097b3598cd7681285108ea85b127420
    • Instruction ID: 4e8efc271a9064b51e8e7fb51594f2112b3c6a5914667696f4d1ddbf71e3eb2d
    • Opcode Fuzzy Hash: c27e8cf9b7b8b28db5bf16ce19b686b88097b3598cd7681285108ea85b127420
    • Instruction Fuzzy Hash: 72A012208088000EC408A7194C4350F31805941118FC40624785CA92C2E619896546EF

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D00D,?,?), ref: 0040CE21
    • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D,?,?), ref: 0040CE6A
    • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D,?,?), ref: 0040CE8C
    • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040CEAA
    • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040CEC8
    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040CEE6
    • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040CF04
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D00D), ref: 0040CF44
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001), ref: 0040CF6F
    • RegCloseKey.ADVAPI32(?,0040CFF7,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CFF0,?,80000001,Software\Embarcadero\Locales), ref: 0040CFEA
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Open$QueryValue$CloseFileModuleName
    • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
    • API String ID: 2701450724-3496071916
    • Opcode ID: f7c917e479dc5b8b684dcf2a59e43bffe3130ab6fea02e13758483d346620e00
    • Instruction ID: 80583e44c54d8f6c8431ac525ce0e8cce3f8a82ce7c118a8e5b64ed8406c3328
    • Opcode Fuzzy Hash: f7c917e479dc5b8b684dcf2a59e43bffe3130ab6fea02e13758483d346620e00
    • Instruction Fuzzy Hash: DC512675A40609BEEB20DBA5CC82FAFB7BCDB08704F504077BA04F61C1D6789D059A5D

    Control-flow Graph

    APIs
    • EnterCriticalSection.KERNEL32(0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000,00000000), ref: 0040CAD2
    • LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000), ref: 0040CAF6
    • LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF,?,?,00000000,00000000), ref: 0040CB05
    • IsValidLocale.KERNEL32(00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB17
    • EnterCriticalSection.KERNEL32(0051AC10,00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB74
    • LeaveCriticalSection.KERNEL32(0051AC10,0051AC10,00000000,00000002,0051AC10,0051AC10,00000000,0040CBB8,?,?,?,00000000,?,0040D480,00000000,0040D4DF), ref: 0040CB9D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$Leave$Enter$LocaleValid
    • String ID: en-GB,en,en-US,
    • API String ID: 975949045-3021119265
    • Opcode ID: 16983b795ea3f6d15511b6f3b7a2fd081026003eab2b4e0bc2c7165cd39925dc
    • Instruction ID: dbd07ac227d82710da470fa0a9828874cbe6fbb8e5c29b4c0eb771d3e90eaa4c
    • Opcode Fuzzy Hash: 16983b795ea3f6d15511b6f3b7a2fd081026003eab2b4e0bc2c7165cd39925dc
    • Instruction Fuzzy Hash: 59214220740744D7EA12B77AA85376E36A4EB45718F50853BB000B72C2D9BD9D418ADF

    Control-flow Graph

    APIs
    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 004EEE3A
      • Part of subcall function 004EEDD0: GetDC.USER32(00000000), ref: 004EEDD9
      • Part of subcall function 004EEDD0: SelectObject.GDI32(00000000,058A00B4), ref: 004EEDEB
      • Part of subcall function 004EEDD0: GetTextMetricsW.GDI32(00000000), ref: 004EEDF6
      • Part of subcall function 004EEDD0: ReleaseDC.USER32(00000000,00000000), ref: 004EEE07
    Strings
    • MS Shell Dlg 2, xrefs: 004EEEA4
    • Tahoma, xrefs: 004EEE5C
    • SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes, xrefs: 004EEE90
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: MetricsObjectReleaseSelectText
    • String ID: MS Shell Dlg 2$SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes$Tahoma
    • API String ID: 2013942131-1011973972
    • Opcode ID: d2bcd2deef6eb559d64add552246956aa2ec45d3fe0922e4718ce2347d479668
    • Instruction ID: 9666196dba4feeb41e25a5e53062c5388affdd73144829a0af6ece6f2ecaceee
    • Opcode Fuzzy Hash: d2bcd2deef6eb559d64add552246956aa2ec45d3fe0922e4718ce2347d479668
    • Instruction Fuzzy Hash: 4911D030600149AFC711EF6BCC12A9E7BB5EB45705F90847BF400A7791DB39AD01CB18

    Control-flow Graph

    • Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); it starts at block 40961c and contains the GetCurrentThreadId, FreeLibrary and ExitProcess call nodes.
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00409653
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 5a2d98b2b9303db085ca7903a3e8743554e309b17d8937ec0eab1567879db523
    • Instruction ID: 57d564f7514a768ac0d6b140dc1e0ae383663f7c9c7dd69698fd604fdf563357
    • Opcode Fuzzy Hash: 5a2d98b2b9303db085ca7903a3e8743554e309b17d8937ec0eab1567879db523
    • Instruction Fuzzy Hash: FF516B706002449BDB25EF6AC88479B7BE1AF59314F14843FE809AA3D3D779DC88CB59

    Control-flow Graph

    APIs
    • SetThreadLocale.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E02D
      • Part of subcall function 0040C520: InitializeCriticalSection.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C525
      • Part of subcall function 0040C520: GetVersion.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C533
      • Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C55A
      • Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C560
      • Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C574
      • Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C57A
      • Part of subcall function 0040C520: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C58E
      • Part of subcall function 0040C520: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C594
      • Part of subcall function 0040EE84: GetSystemInfo.KERNEL32 ref: 0040EE88
    • GetCommandLineW.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E092
      • Part of subcall function 00405244: GetStartupInfoW.KERNEL32 ref: 00405255
    • GetACP.KERNEL32(00000400,00000000,0050E0D7), ref: 0050E0A6
    • GetCurrentThreadId.KERNEL32 ref: 0050E0BA
      • Part of subcall function 0040EE98: GetVersion.KERNEL32(0050E0C9,00000400,00000000,0050E0D7), ref: 0040EE98
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
    • String ID:
    • API String ID: 2740004594-0
    • Opcode ID: da96efc90d0f3f823da1e0c30568e20cb602c22b5ccd4f7319bb0d9d278b2238
    • Instruction ID: b63630b870325ab19e945f9b7a74bc4420f07e9680e2ed97b13d29786ef075bf
    • Opcode Fuzzy Hash: da96efc90d0f3f823da1e0c30568e20cb602c22b5ccd4f7319bb0d9d278b2238
    • Instruction Fuzzy Hash: 3411217040478889D720FF72AC1A2693AA4FB19308710C87ED1006A2E2DFBD540CEF6E

    Control-flow Graph

    APIs
    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,004D931F), ref: 004D91D5
    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,004D931F), ref: 004D924B
    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004D92BC
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Open
    • String ID:
    • API String ID: 71445658-0
    • Opcode ID: 297e97f5790f3bfbe46446021c8049ae68c7a4fb6bdd877cd8b5aad7bbb95b8b
    • Instruction ID: ad3af0877aad2f918cc60e01b05eab59aa261d8504b712c7e441bbb361f6d9d3
    • Opcode Fuzzy Hash: 297e97f5790f3bfbe46446021c8049ae68c7a4fb6bdd877cd8b5aad7bbb95b8b
    • Instruction Fuzzy Hash: 87515431B00208BFDB11EBA5C852B9EB7FAAB48304F15446FB444E3382DA7D9F069759

    Control-flow Graph

    APIs
    • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00427984), ref: 004278C9
    • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00427967,?,00000000,?,00000000,00427984), ref: 00427902
    • VerQueryValueW.VERSION(?,00427998,?,?,00000000,?,00000000,?,00000000,00427967,?,00000000,?,00000000,00427984), ref: 0042791C
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileInfoVersion$QuerySizeValue
    • String ID:
    • API String ID: 2179348866-0
    • Opcode ID: d254ea856f19eca79d65d9f3d227b80f169b0e93736270e157245cabf41f0a7c
    • Instruction ID: c637f2b1f86e41ba3c57f6c02bd3706f471a10e856d15e50b91235f572eefc7d
    • Opcode Fuzzy Hash: d254ea856f19eca79d65d9f3d227b80f169b0e93736270e157245cabf41f0a7c
    • Instruction Fuzzy Hash: BC3141B5A04319AFEB00DFA9D881DAEB7F8EB48704B9144BAF544E3241D778DE40CB65

    Control-flow Graph

    APIs
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,004D9BB9), ref: 004D9F07
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: QueryValue
    • String ID: 8DA
    • API String ID: 3660427363-1089967677
    • Opcode ID: 4b8f109ffa458af5b80d3f600e29b6dd852a44268165187a87c0d92eeb6d53c5
    • Instruction ID: 5c6f9e54e9a39c42fa8f0f82047cbc0cda9d7a51aa0df00bfa0a0535877037b1
    • Opcode Fuzzy Hash: 4b8f109ffa458af5b80d3f600e29b6dd852a44268165187a87c0d92eeb6d53c5
    • Instruction Fuzzy Hash: 72015271600208AFDB00EFA9DC81ADAB7A89B59314F0081ABF914DB342DA759E0587A5

    Control-flow Graph

    • Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); it starts at block 40d3c8 and contains the GetUserDefaultUILanguage and GetSystemDefaultUILanguage call nodes.
    APIs
    • GetUserDefaultUILanguage.KERNEL32(00000000,0040D4DF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D566,00000000,?,00000105), ref: 0040D473
    • GetSystemDefaultUILanguage.KERNEL32(00000000,0040D4DF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D566,00000000,?,00000105), ref: 0040D49B
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: DefaultLanguage$SystemUser
    • String ID:
    • API String ID: 384301227-0
    • Opcode ID: e5fbb9e0fc620f56b36578c07845851fe2fed8148833940ec20a2950b4b279a8
    • Instruction ID: 914cf1b0947d833fcc03ff50d5076885400eec8b7426a2207ce03941fa5f7576
    • Opcode Fuzzy Hash: e5fbb9e0fc620f56b36578c07845851fe2fed8148833940ec20a2950b4b279a8
    • Instruction Fuzzy Hash: DB31EB30E142099BDB10EFA9C891BAEB7B5EF44304F50457BE400B72D2D778AD498A59

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D528
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D579
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileLibraryLoadModuleName
    • String ID:
    • API String ID: 1159719554-0
    • Opcode ID: 783f705d58062fb5f8e85dc88ba71afedba3f43c8334a4a5c8ebaaa4e4aa5bf8
    • Instruction ID: 258510d9c4dee0299c5f3f79c4fbca46c564eaaadbdb9c5c4e3057b0bb4fa4ad
    • Opcode Fuzzy Hash: 783f705d58062fb5f8e85dc88ba71afedba3f43c8334a4a5c8ebaaa4e4aa5bf8
    • Instruction Fuzzy Hash: 3F114F70E4461CABDB10EB94CC86BDE73B8DB04304F5144BAB508B72D1EA785F858A99

    Control-flow Graph

    • Control-flow graph nodes: 328 405600-40561e (call 405594, VirtualAlloc); 331 405620-40566d; 332 40566e-405679
    • Edges: 328->331, 328->332
    APIs
    • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C17), ref: 00405617
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: @.
    • API String ID: 4275171209-4201455939
    • Opcode ID: e9bd031fac14de1d523f3f0fd1d0bc821c44dc6a8c79c950d7b754ab0e602f81
    • Instruction ID: 7dac567e4a07de2f06f580edb35680116b9bdba5c2a0860377bbd693bdd19f0d
    • Opcode Fuzzy Hash: e9bd031fac14de1d523f3f0fd1d0bc821c44dc6a8c79c950d7b754ab0e602f81
    • Instruction Fuzzy Hash: 49F0AFF2B003004FD7248F789D407A67AD4FB08324F10827FE908EB798DBB488048B84

    Control-flow Graph

    • Control-flow graph nodes: 342 4d8ea0-4d8ea8; 343 4d8ecc-4d8ecd; 344 4d8eaa-4d8eae; 345 4d8eb6-4d8ec7 (RegCloseKey, call 409c38); 346 4d8eb0-4d8eb1 (RegFlushKey)
    • Edges: 342->343, 342->344, 344->345, 344->346, 345->343, 346->345
    APIs
    • RegFlushKey.ADVAPI32(00000000,?,004D8F0C,?,?,00000000,004D9123,00000000,00000000,00000000,?,?,00000000,004D9139), ref: 004D8EB1
    • RegCloseKey.ADVAPI32(00000000,?,004D8F0C,?,?,00000000,004D9123,00000000,00000000,00000000,?,?,00000000,004D9139), ref: 004D8EBA
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CloseFlush
    • String ID:
    • API String ID: 320916635-0
    • Opcode ID: 53487b9075c46a64610a4022df3c6a921f3544410d10f835025151eaea8ac81c
    • Instruction ID: 6f4c2654893a1a96a1da4be1dd0c350b83e18a7e628d6434c516513760379d46
    • Opcode Fuzzy Hash: 53487b9075c46a64610a4022df3c6a921f3544410d10f835025151eaea8ac81c
    • Instruction Fuzzy Hash: 40D067B1E042049ADF60EF7AC9C5A577BDC6F44315B08C4ABB808DF247DA3CD9409B28

    Control-flow Graph

    APIs
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,004D9AE0,00000000,004D9C1C), ref: 004D990D
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: QueryValue
    • String ID:
    • API String ID: 3660427363-0
    • Opcode ID: ad67be82557188437bc6127552a9993e0998d0cde0f580ab283647e522f4a4dc
    • Instruction ID: bf80709a24f295cc4fff76cdf4c79f612c8773d4563c6b2b62db8eae0a0485ee
    • Opcode Fuzzy Hash: ad67be82557188437bc6127552a9993e0998d0cde0f580ab283647e522f4a4dc
    • Instruction Fuzzy Hash: 3CF01C623052046FD344FA6E9C81F6B66DC9B88754F10843FB248C7342D964DC058375
    APIs
    • GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040C296
      • Part of subcall function 0040D4EC: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D528
      • Part of subcall function 0040D4EC: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D5A6,?,00400000,0050FC1C), ref: 0040D579
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileModuleName$LibraryLoad
    • String ID:
    • API String ID: 4113206344-0
    • Opcode ID: d994d483d02e46fdff6fa18ed6b597f72d1d7e29fcadbbba57b44e2c2294e8a2
    • Instruction ID: dd2aa8039920255b97d322d6193c29fca073ce87a4a4145dda77fc50cf625817
    • Opcode Fuzzy Hash: d994d483d02e46fdff6fa18ed6b597f72d1d7e29fcadbbba57b44e2c2294e8a2
    • Instruction Fuzzy Hash: 07E0ED71E003109BCB10DF98C9C5A4737D8AB08754F0446A6AD14DF387D775DD148BD5
    APIs
    • GetObjectW.GDI32(00000000,00000054,?), ref: 004EAAFC
    • GetDC.USER32(00000000), ref: 004EAB0D
    • CreateCompatibleDC.GDI32(00000000), ref: 004EAB1E
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004EAB6A
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004EAB8E
    • SelectObject.GDI32(?,?), ref: 004EADE6
    • SelectPalette.GDI32(?,00000000,00000000), ref: 004EAE26
    • RealizePalette.GDI32(?), ref: 004EAE32
    • SetTextColor.GDI32(?,00000000), ref: 004EAE9B
    • SetBkColor.GDI32(?,00000000), ref: 004EAEB6
    • SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,004EB046,?,00000000,004EB068,?,00000000,004EB079), ref: 004EAEFF
    • FillRect.USER32(?,00000000,00000000), ref: 004EAE83
      • Part of subcall function 004E32AC: GetSysColor.USER32(?), ref: 004E32B6
    • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 004EAF21
    • CreateCompatibleDC.GDI32(00000000), ref: 004EAF34
    • SelectObject.GDI32(004EB33B,00000000), ref: 004EAF57
    • SelectPalette.GDI32(004EB33B,00000000,00000000), ref: 004EAF73
    • RealizePalette.GDI32(004EB33B), ref: 004EAF7E
    • SetTextColor.GDI32(004EB33B,00000000), ref: 004EAF9C
    • SetBkColor.GDI32(004EB33B,00000000), ref: 004EAFB7
    • BitBlt.GDI32(?,00000000,00000000,?,?,004EB33B,00000000,00000000,00CC0020), ref: 004EAFDF
    • SelectPalette.GDI32(004EB33B,00000000,000000FF), ref: 004EAFF1
    • SelectObject.GDI32(004EB33B,00000000), ref: 004EAFFB
    • DeleteDC.GDI32(004EB33B), ref: 004EB016
      • Part of subcall function 004E45BC: EnterCriticalSection.KERNEL32(-00000008), ref: 004E45E4
      • Part of subcall function 004E45BC: CreateBrushIndirect.GDI32(?), ref: 004E4671
      • Part of subcall function 004E45BC: LeaveCriticalSection.KERNEL32(?,004E46A5,-00000008), ref: 004E4698
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapCriticalRealizeSectionText$BrushDeleteEnterFillIndirectLeaveRectTable
    • String ID:
    • API String ID: 3271313764-0
    • Opcode ID: fe2f7d032ca60ba23a25b8aee0731278cea1c8a05eae85922534dd69cbd64bb5
    • Instruction ID: 35a244f6f23a8f79e02010a3497fee76c02ec5d27261e314751b2550eb949676
    • Opcode Fuzzy Hash: fe2f7d032ca60ba23a25b8aee0731278cea1c8a05eae85922534dd69cbd64bb5
    • Instruction Fuzzy Hash: 47121975A00248AFDB10DFAAC885F9EB7B9EF08315F118456F914EB291C778EE80CB55
    APIs
    • InitializeCriticalSection.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C525
    • GetVersion.KERNEL32(0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C533
    • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C55A
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C560
    • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C574
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C57A
    • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,0051AC10,0050E037,00000400,00000000,0050E0D7), ref: 0040C58E
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040C594
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
    • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
    • API String ID: 74573329-1403180336
    • Opcode ID: 3eb0d1b683875d0a4e7ed686173063676bd5968c29d9e357da0c930b2f0c2479
    • Instruction ID: 8edfc10a46b7400df28ad4f2c85025a5e0675a444164cbed82ad90a550fe5e83
    • Opcode Fuzzy Hash: 3eb0d1b683875d0a4e7ed686173063676bd5968c29d9e357da0c930b2f0c2479
    • Instruction Fuzzy Hash: 15F05EB8951B10BADA023772AD8375F3680DA1070CB20853BB100790D2DEBC19549E9E
    APIs
    • CreateCompatibleDC.GDI32(00000000), ref: 004FFE79
    • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 004FFEC0
    • DeleteObject.GDI32(00000000), ref: 004FFEDE
    • DeleteDC.GDI32(00000000), ref: 004FFEE7
    • SelectObject.GDI32(00000000,00000000), ref: 004FFF18
    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004FFF47
    • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00500607
    • SelectObject.GDI32(00000000,?), ref: 00500614
    • DeleteObject.GDI32(00000000), ref: 0050061D
    • DeleteDC.GDI32(00000000), ref: 00500626
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: DeleteObject$CreateSelect$CompatibleSection
    • String ID: 4iQ
    • API String ID: 1283611041-1953506770
    • Opcode ID: 87f42ffe2940853f7b07a902669b98f5112d728a734461c04560added41e3c61
    • Instruction ID: 2a53fd6577aa69cd640af16f82094b70b5e904696d66bbbc34e5b5c6be5fb232
    • Opcode Fuzzy Hash: 87f42ffe2940853f7b07a902669b98f5112d728a734461c04560added41e3c61
    • Instruction Fuzzy Hash: 68528D71E042598FCB15CFA9C891BEDBBF2FF45300F1481AAE458EB2D2C638A945DB14
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,0041A5A8,?,?), ref: 0040CC15
    • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CC26
    • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD26
    • FindClose.KERNEL32(?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD38
    • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD44
    • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041A5A8,?,?), ref: 0040CD89
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
    • String ID: GetLongPathNameW$\$kernel32.dll
    • API String ID: 1930782624-3908791685
    • Opcode ID: 047ad798f282a4f53d2bfa85006bf39dd452bc892cd983c7192c00f70524a19f
    • Instruction ID: 182d901b7ba620ca83dfe24b28ff924219823170be1df94bbfac5eeb8ceb1ef4
    • Opcode Fuzzy Hash: 047ad798f282a4f53d2bfa85006bf39dd452bc892cd983c7192c00f70524a19f
    • Instruction Fuzzy Hash: 73417F71A00618DBDB20EBA4CCC5ADEB3B5AF84314F1846BA9504F72C1E77CAE45CB49
    APIs
    • LoadLibraryW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00509FAD,?,00000000,?,00000000), ref: 00509DCA
    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00509F7E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoadRead
    • String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library: $|Q
    • API String ID: 1452896035-845704095
    • Opcode ID: a350832e6622f06ebbb4aa03441d1f0806fc1e7979af0df3603cb1a68a9d9c61
    • Instruction ID: cb0e8f154f5d8e20885b4e4c17905f6d0f23e46598b97e20fcdecfd68eda8cce
    • Opcode Fuzzy Hash: a350832e6622f06ebbb4aa03441d1f0806fc1e7979af0df3603cb1a68a9d9c61
    • Instruction Fuzzy Hash: E3717E74A0020AAFDB10DF69CC85BAEBBF9FF89314F4084A9B055DB296D774AD45CB10
    APIs
    • FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00509565,?,?,?,?,?,00000000,00000000), ref: 0050A148
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00000000,00509565,?,?,?,?,?,00000000,00000000), ref: 0050A177
    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00000000,00509565,?,?,?,?,?,00000000,00000000), ref: 0050A182
    • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00509565,?,?,?,?,?,00000000,00000000), ref: 0050A188
    • VirtualFree.KERNEL32(?,?,00008000,?,?,?,?,00000000,00509565,?,?,?,?,?,00000000,00000000), ref: 0050A1C8
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Free$HeapVirtual$LibraryProcess
    • String ID: xQ
    • API String ID: 565514093-43582919
    • Opcode ID: 3a386a5fd6d1402ad8d81a95de2a556638464c5062f3f14e69f0b9c78b378eef
    • Instruction ID: 76179150074d3ce0cc79262463ea8e222313a534f36e7d2c2c3f0779f007523c
    • Opcode Fuzzy Hash: 3a386a5fd6d1402ad8d81a95de2a556638464c5062f3f14e69f0b9c78b378eef
    • Instruction Fuzzy Hash: 53318CB5605605AFD220EF69CC84F6ABBA8FB89750F108619F954CB2A1C720ED45C7A1
    APIs
    • FindResourceW.KERNEL32(?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA927
    • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA941
    • SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000,?), ref: 004AA95B
    • LockResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,004AA7FE,00000000), ref: 004AA965
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Resource$FindLoadLockSizeof
    • String ID:
    • API String ID: 3473537107-0
    • Opcode ID: fc04eeb3631007fa40f9e630dbcfa29d272b4c52aaff94a3e4b6f83a4223a638
    • Instruction ID: cb9b2a388fffd021e353bf4cf2117ea65373932cb549638ab777629fd56d0805
    • Opcode Fuzzy Hash: fc04eeb3631007fa40f9e630dbcfa29d272b4c52aaff94a3e4b6f83a4223a638
    • Instruction Fuzzy Hash: 96F062B26042047F5744EE5EA841D5B7BECDE5A264310011FF908D7207DA38ED51837D
    APIs
    • IsValidLocale.KERNEL32(?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C846
    • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C862
    • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040C901,?,0041A5A8,?,00000000), ref: 0040C873
    Similarity
    • API ID: Locale$Info$Valid
    • String ID:
    • API String ID: 1826331170-0
    • Opcode ID: d62bc5ecf4585d0b78f38a216359797881bb5583d195145a11d1f228b605bdfe
    • Instruction ID: 2a28b5b25d505860436f04a2e6c8396a795a98c7f85c76968f02c108a8d9c51a
    • Opcode Fuzzy Hash: d62bc5ecf4585d0b78f38a216359797881bb5583d195145a11d1f228b605bdfe
    • Instruction Fuzzy Hash: BB319C71A0061CEBDB20EB55DC81BDE77B9EB44705F6042BAA508B32D0D6395E80DE59
    APIs
    • GetClipboardData.USER32(0000000E), ref: 004EA1E5
    • CopyEnhMetaFileW.GDI32(00000000,00000000), ref: 004EA207
    • GetEnhMetaFileHeader.GDI32(?,0000006C,?,00000000,00000000), ref: 004EA219
    Similarity
    • API ID: FileMeta$ClipboardCopyDataHeader
    • String ID:
    • API String ID: 1752724394-0
    • Opcode ID: df580b83bcb808fe8714f0c060172fd1198b5156b2426af107d4585c0625933f
    • Instruction ID: e3a5f8ff37fe88f7cb839eea9a619b84a4b4500c5f75e9ef562bb59eb940f4bb
    • Opcode Fuzzy Hash: df580b83bcb808fe8714f0c060172fd1198b5156b2426af107d4585c0625933f
    • Instruction Fuzzy Hash: 32117C726003448FC710DFAEC885A9AB7F8AF09314F10866EE509DB252DA74EC48CB94
    Strings
    Similarity
    • API ID:
    • String ID: jjj
    • API String ID: 0-2289343631
    • Opcode ID: 379f3ad564931047c85a0e8324c1b925258155478eac1b2c346929ac29ebc0ac
    • Instruction ID: 0e6e8520d3be3831dee58035f3478674022d586b9291955b557444e96a04ac11
    • Opcode Fuzzy Hash: 379f3ad564931047c85a0e8324c1b925258155478eac1b2c346929ac29ebc0ac
    • Instruction Fuzzy Hash: CB723970600204CFDB29CF19D9C0B677BA2FB95315F14869AD9464F38BC738E856CB6A
    Strings
    Similarity
    • API ID:
    • String ID: 9Q
    • API String ID: 0-4141447236
    • Opcode ID: c85e39b14b60b4e960e998f2343e0d1547b2847ac62002dfaddbb849c39a277c
    • Instruction ID: 872c69647381f06e73c0189917d9e5469cc943f97499b4375cee1c22dc96545a
    • Opcode Fuzzy Hash: c85e39b14b60b4e960e998f2343e0d1547b2847ac62002dfaddbb849c39a277c
    • Instruction Fuzzy Hash: 40626D70900209DFDB19CF58C984BBEBBB1BF88304F15819ADD559B386C778D985CB89
    APIs
    • IsDebuggerPresent.KERNEL32(00000000,004B80BB), ref: 004B8032
    • RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,00000000,004B808D,?,00000000,004B80BB), ref: 004B807E
    Similarity
    • API ID: DebuggerExceptionPresentRaise
    • String ID:
    • API String ID: 1899633966-0
    • Opcode ID: 918f654b1989dfd3ee398986ac0d4d5983e76a9e6b43d16da8286ca8f312fc4d
    • Instruction ID: aa851b4e1d0f37632037c728c599de388d05abd6bc809da2430ac8adde4c7f7f
    • Opcode Fuzzy Hash: 918f654b1989dfd3ee398986ac0d4d5983e76a9e6b43d16da8286ca8f312fc4d
    • Instruction Fuzzy Hash: 7A11D671A14208AFD710EF65DC52ADEBBFCEB48704F61447BE500E3651EB785E04CA68
    APIs
    • GetLastError.KERNEL32(00000000,004E5B3C,?,00000000,?,004E5B54,00000000,004EB19B,00000000,004EB33B,?,00000000,00000054,?,00000000,?), ref: 004E5AC0
    • FormatMessageW.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,004E5B3C,?,00000000,?,004E5B54,00000000,004EB19B,00000000), ref: 004E5AE6
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 3d658324b1b03f1d33dfdd215c91ea1b99e4dd16f5471f85141302732c58e772
    • Instruction ID: c91c4b4c8320e0c1e530085dddd9d5d25a400c360d6da16a75b1d286b8cd0c3b
    • Opcode Fuzzy Hash: 3d658324b1b03f1d33dfdd215c91ea1b99e4dd16f5471f85141302732c58e772
    • Instruction Fuzzy Hash: 7401AC707147455FE721FB628D92F9977A8DB04709F5044BAF704E62C3EAB86D40891D
    APIs
    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 004219F9
    Similarity
    • API ID: DiskFreeSpace
    • String ID:
    • API String ID: 1705453755-0
    • Opcode ID: 7055af4c37e798c4eedd1ab66a3f56a97fac90cff517f4e9d1e1818016eb5d1c
    • Instruction ID: 0ac6486f21f903cb75f282dfc890b26380fbcd4d5ccfbab9b17402b0b1878633
    • Opcode Fuzzy Hash: 7055af4c37e798c4eedd1ab66a3f56a97fac90cff517f4e9d1e1818016eb5d1c
    • Instruction Fuzzy Hash: 6011CCB5A00209AFDB04CF99C8819AFB7F9EFC8704B14C56AA509E7354E6319A41CBA4
    APIs
    • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: ea3b3c1b5a1cf1a130d0f040b5935ae3e0cd2e837d4e3e09926aa746a21f6665
    • Instruction ID: 4ace5e9765896cc83d0c08b398fcb6cdb51b1f9deae2cd3a8e1490c56280457a
    • Opcode Fuzzy Hash: ea3b3c1b5a1cf1a130d0f040b5935ae3e0cd2e837d4e3e09926aa746a21f6665
    • Instruction Fuzzy Hash: DEE0D87171071817D714A9599C86DFBB25CAB88340F4045BFBE05D7383EDB49E4446ED
    APIs
    • EnumSystemLocalesW.KERNEL32(00428FB4,00000002,?,?,0042958D,004257FD,?,00000000,0042583E,?,?,?,00000000,00000000), ref: 00429239
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    • Opcode ID: cca9abc3a11610917688cb0633c448d3797570d25fd4a641b53c3c50ab693acf
    • Instruction ID: 63fa091e9d080db82cecbc2cc5fa61dc70d90b6f989caf0edc4abe69f196ef62
    • Opcode Fuzzy Hash: cca9abc3a11610917688cb0633c448d3797570d25fd4a641b53c3c50ab693acf
    • Instruction Fuzzy Hash: A0E02662B415319BC120B7BA1E43B9A7A024F81BA4F08857BF498DF3C3EA6D0C0541FE
    APIs
    • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00425482,?,00000001,00000000,00425691), ref: 00425393
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: e6b6a51cb939c12e8be8693ad0cf5385fb4deb90edb709e785ba876ef48dd5f6
    • Instruction ID: 9eed19484239e9ca95c0a1dfbed1db1bf7cda38a4e2fdab08b9ea4c2367ee6e5
    • Opcode Fuzzy Hash: e6b6a51cb939c12e8be8693ad0cf5385fb4deb90edb709e785ba876ef48dd5f6
    • Instruction Fuzzy Hash: 0BD05EA631922036E210915B7E45DBB5ADCDBC47B2F14483FBE48CA201D2A4CC059275
    APIs
    • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000400,?,00429086,?,00000000,004291D3), ref: 00428FEB
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: e4b498ff0c44464bb9c319f2c4cdb7eba90f2cd8f1e1edfbafd7f3df4e5c9a38
    • Instruction ID: a303c1cb07ff97bfd8ef16a179b2a7490fc3f5062c6a27ca45c0f37d97ec2e54
    • Opcode Fuzzy Hash: e4b498ff0c44464bb9c319f2c4cdb7eba90f2cd8f1e1edfbafd7f3df4e5c9a38
    • Instruction Fuzzy Hash: F6D0A7E1B2420023E30426548C42B6722889B84704F10443C7784973C0EE7C591552BF
    APIs
    Similarity
    • API ID: LocalTime
    • String ID:
    • API String ID: 481472006-0
    • Opcode ID: 4c927502ff6ca848d6d79f783507b1be3d95d0ac7cdb7b449a5a22e2f4b00210
    • Instruction ID: 8da0d5d7dce6a760fb6fb5968247694cf968f8d8edeffb1c78389c91dfcd4fca
    • Opcode Fuzzy Hash: 4c927502ff6ca848d6d79f783507b1be3d95d0ac7cdb7b449a5a22e2f4b00210
    • Instruction Fuzzy Hash: 25A0125044582011814037190C0317570405840621FC40789B8F8403D1E91E026040D7
    Strings
    Similarity
    • API ID:
    • String ID: xGQ
    • API String ID: 0-116873306
    • Opcode ID: e390bb8781cfb50e0bf67600d25b5dc8b096431c9f5b13ce083519ddae5a6ed1
    • Instruction ID: b43b3417401406a326c0658d495f7bfac22fcab4f87dfe3d4983a9788a7a34dd
    • Opcode Fuzzy Hash: e390bb8781cfb50e0bf67600d25b5dc8b096431c9f5b13ce083519ddae5a6ed1
    • Instruction Fuzzy Hash: 84814D77D105774BE7628E28C8043A17392AFDC39DF6B42B4ED04ABA42D536BD5386C0
    Strings
    Similarity
    • API ID:
    • String ID: xGQ
    • API String ID: 0-116873306
    • Opcode ID: 6bc0205b4ab2c64538ca0b113fa78fac9b85d5e4605181a21ca93e4cce34d19d
    • Instruction ID: 9cfbf6d39703a2f841c89ad7d8bc5bd644356b16f8883d5035a763e39ed3e34d
    • Opcode Fuzzy Hash: 6bc0205b4ab2c64538ca0b113fa78fac9b85d5e4605181a21ca93e4cce34d19d
    • Instruction Fuzzy Hash: DB711877D204775BEB609E68C8043617392EF8925CF6B46B4DE04BBA42C636BD539AC0
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 96dbd05c6a5cda271e1d6996937e8b3347f306cca49e2da1ac7c058721fcefef
    • Instruction ID: 0e1373ad738d05412743fbfe0b30fd2dda4791c2bd02ca1af8785a3d2d390580
    • Opcode Fuzzy Hash: 96dbd05c6a5cda271e1d6996937e8b3347f306cca49e2da1ac7c058721fcefef
    • Instruction Fuzzy Hash: 8702BE32910235DFDB96CF6AC040109B7B6FF8A72472A82D6D854AB229D370BE51DFD1
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3c8e7f5fa08233c9cf6af3f4da3c8a8b0854dd8decd54ec8197df6d450736b3b
    • Instruction ID: 3b8a4b9bdbcbb050131b8f531c600d22b301e14a5b3c7c96b4b24d21a3266e97
    • Opcode Fuzzy Hash: 3c8e7f5fa08233c9cf6af3f4da3c8a8b0854dd8decd54ec8197df6d450736b3b
    • Instruction Fuzzy Hash: 2871A53238978207E7288E7D9CE02B7EAD35FC531872EC97D95DAC3F42D979A4164248
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
    • Instruction ID: b7ad73d6065eefe40be1e3c61ddaa82719b5b59149f48ac65b38381fd691009e
    • Opcode Fuzzy Hash: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
    • Instruction Fuzzy Hash: F8418E31B002558BDB58EE2DC8D16A6B7A2AF94254B18C675DCA88F70BC938DD42C7A0
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
    • Instruction ID: 9a75494c871b48b3840d49ff1b59f6b632724ee8b9803b4084a2a4f9b95828cd
    • Opcode Fuzzy Hash: d7b4a472199e05cc7d5662b025e4d780bd874dc3e3dcfc1069f2e998be189936
    • Instruction Fuzzy Hash: 40419336A002559BDB48DE5DC8D1696B7A3BFC8314B19C675DCA88F70BC938DE02C7A0
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2bc20041c257ff7d61a283088bfa9f2de2708563aa29e0e00101f28d62c41ba6
    • Instruction ID: 2dc40e0aa77415d55bc0616e35fc77692ce9a422371aba29c42deb2143eb0115
    • Opcode Fuzzy Hash: 2bc20041c257ff7d61a283088bfa9f2de2708563aa29e0e00101f28d62c41ba6
    • Instruction Fuzzy Hash: EEE0016420010A8ED348BF38C1098A2B3E3EFECA1038BC4D0D44A9F23EF622C481C300
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
    • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
    • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
    • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
    APIs
    • CreateCompatibleDC.GDI32(?), ref: 004FABD2
    • CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 004FABE7
    • SelectObject.GDI32(00000000,00000000), ref: 004FABEE
    • CreateCompatibleDC.GDI32(?), ref: 004FAC22
    • CreateCompatibleDC.GDI32(?), ref: 004FAC2E
    • CreateCompatibleDC.GDI32(?), ref: 004FAC3A
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004FAC4D
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004FAC5D
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004FAC6B
    • SelectObject.GDI32(?,?), ref: 004FAC7B
    • SelectObject.GDI32(?,?), ref: 004FAC8B
    • SelectObject.GDI32(?,?), ref: 004FAC9B
    • SetBkColor.GDI32(00000000,?), ref: 004FACA8
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004FACCC
    • SetBkColor.GDI32(00000000,?), ref: 004FACD6
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00330008), ref: 004FACF2
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004FAD12
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 004FAD2E
    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,008800C6), ref: 004FAD4F
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00EE0086), ref: 004FAD70
    • BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 004FAD90
    • SelectObject.GDI32(?,?), ref: 004FAD9D
    • DeleteObject.GDI32(00000000), ref: 004FADA3
    • SelectObject.GDI32(?,?), ref: 004FADB0
    • DeleteObject.GDI32(00000000), ref: 004FADB6
    • SelectObject.GDI32(?,?), ref: 004FADC3
    • DeleteObject.GDI32(00000000), ref: 004FADC9
    • SelectObject.GDI32(00000000,?), ref: 004FADD3
    • DeleteObject.GDI32(00000000), ref: 004FADD9
    • DeleteDC.GDI32(?), ref: 004FADE2
    • DeleteDC.GDI32(?), ref: 004FADEB
    • DeleteDC.GDI32(?), ref: 004FADF4
    • DeleteDC.GDI32(00000000), ref: 004FADFA
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Object$CreateDeleteSelect$Compatible$Bitmap$Stretch$Color
    • String ID:
    • API String ID: 881050057-0
    • Opcode ID: d06672be3dad3db98e6b51f863aed52956d6e0b67a9b4389ede429620055148c
    • Instruction ID: 825b2a03bc1370e51723bfade82acbff92c39003225e20d7aaefe19e3380dd92
    • Opcode Fuzzy Hash: d06672be3dad3db98e6b51f863aed52956d6e0b67a9b4389ede429620055148c
    • Instruction Fuzzy Hash: 82815BB2E40218BADB10DEE9CD85FDFBBBCAB09715F104459F604FB241D675AE408BA4
    APIs
    • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042EFA5
      • Part of subcall function 0042EF70: GetProcAddress.KERNEL32(00000000), ref: 0042EF89
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
    • API String ID: 1646373207-1918263038
    • Opcode ID: 51ba0cccc0257aa61a896f7588f8220aaff411b585e609356873e0dfdd144972
    • Instruction ID: 4d8a8b603ccf47e63391c59ab7cad31be334c78caf3acb6b5dd0fd78b8a56fbb
    • Opcode Fuzzy Hash: 51ba0cccc0257aa61a896f7588f8220aaff411b585e609356873e0dfdd144972
    • Instruction Fuzzy Hash: 15412761708239AA53046B6FBE0146677F8EA567103E1C4BBB404CBA69DB3CBC89573D
    APIs
    • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 004E5D2F
    • SelectObject.GDI32(?,?), ref: 004E5D44
    • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,CCAA0029,00000000,004E5DB4,?,?), ref: 004E5D88
    • SelectObject.GDI32(?,?), ref: 004E5DA2
    • DeleteObject.GDI32(?), ref: 004E5DAE
    • CreateCompatibleDC.GDI32(00000000), ref: 004E5DC2
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 004E5DE3
    • SelectObject.GDI32(?,?), ref: 004E5DF8
    • SelectPalette.GDI32(?,26080DA6,00000000), ref: 004E5E0C
    • SelectPalette.GDI32(?,?,00000000), ref: 004E5E1E
    • SelectPalette.GDI32(?,00000000,000000FF), ref: 004E5E33
    • SelectPalette.GDI32(?,26080DA6,000000FF), ref: 004E5E49
    • RealizePalette.GDI32(?), ref: 004E5E55
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004E5E77
    • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 004E5E99
    • SetTextColor.GDI32(?,00000000), ref: 004E5EA1
    • SetBkColor.GDI32(?,00FFFFFF), ref: 004E5EAF
    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004E5EDB
    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004E5F00
    • SetTextColor.GDI32(?,?), ref: 004E5F0A
    • SetBkColor.GDI32(?,?), ref: 004E5F14
    • SelectObject.GDI32(?,00000000), ref: 004E5F27
    • DeleteObject.GDI32(?), ref: 004E5F30
    • SelectPalette.GDI32(?,00000000,00000000), ref: 004E5F52
    • DeleteDC.GDI32(?), ref: 004E5F5B
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
    • String ID:
    • API String ID: 3976802218-0
    • Opcode ID: 43d8b39ab4dd5ce79809afa6858bbd5f60031e559fdee60acb28460889f616a0
    • Instruction ID: 38fa64abe18cb97f8eb184acde96cdf6a208ad42503521d94ff01eaf164f0f81
    • Opcode Fuzzy Hash: 43d8b39ab4dd5ce79809afa6858bbd5f60031e559fdee60acb28460889f616a0
    • Instruction Fuzzy Hash: 938193B2A00209AFDB50DEA9CC85EEF7BEDAB0D715F100559F618E7240C238AE408B65
    APIs
    • GetObjectW.GDI32(00000000,00000054,?), ref: 004EB163
    • GetDC.USER32(00000000), ref: 004EB191
    • CreateCompatibleDC.GDI32(?), ref: 004EB1A2
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004EB1BD
    • SelectObject.GDI32(?,00000000), ref: 004EB1D7
    • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004EB1F9
    • CreateCompatibleDC.GDI32(?), ref: 004EB207
    • SelectObject.GDI32(00000000,00000000), ref: 004EB24F
    • SelectPalette.GDI32(00000000,?,00000000), ref: 004EB262
    • RealizePalette.GDI32(00000000), ref: 004EB26B
    • SelectPalette.GDI32(?,?,00000000), ref: 004EB277
    • RealizePalette.GDI32(?), ref: 004EB280
    • SetBkColor.GDI32(00000000,00000000), ref: 004EB28A
    • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004EB2AE
    • SetBkColor.GDI32(00000000,00000000), ref: 004EB2B8
    • SelectObject.GDI32(00000000,00000000), ref: 004EB2CB
    • DeleteObject.GDI32(00000000), ref: 004EB2D7
    • DeleteDC.GDI32(00000000), ref: 004EB2ED
    • SelectObject.GDI32(?,00000000), ref: 004EB308
    • DeleteDC.GDI32(00000000), ref: 004EB324
    • ReleaseDC.USER32(00000000,00000000), ref: 004EB335
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
    • String ID:
    • API String ID: 332224125-0
    • Opcode ID: 12377b0042ab6e2186f72ca2209710d3867943cee396a54fa97a17432a339029
    • Instruction ID: a297371bd76699a261ad6334b1a26cfdb4486747052644e0b66a5fa1a439e62f
    • Opcode Fuzzy Hash: 12377b0042ab6e2186f72ca2209710d3867943cee396a54fa97a17432a339029
    • Instruction Fuzzy Hash: 1E51FF72E00355BBDB10DAEACC56FEFB7BCEF09705F10445AB614E7281D6789A408B94
    APIs
    • GetDC.USER32(00000000), ref: 004EC9A4
    • CreateCompatibleDC.GDI32(00000001), ref: 004ECA09
    • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004ECA1E
    • SelectObject.GDI32(?,00000000), ref: 004ECA28
    • SelectPalette.GDI32(?,?,00000000), ref: 004ECA58
    • RealizePalette.GDI32(?), ref: 004ECA64
    • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 004ECA88
    • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,004ECAE1,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004ECA96
    • SelectPalette.GDI32(?,00000000,000000FF), ref: 004ECAC8
    • SelectObject.GDI32(?,?), ref: 004ECAD5
    • DeleteObject.GDI32(00000000), ref: 004ECADB
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
    • String ID: ($BM
    • API String ID: 2831685396-2980357723
    • Opcode ID: bc2e50b65ce28e308335f2ca97ec246ddb3155b7ab192c19029a384e0355db69
    • Instruction ID: 1c6f4d6dbefb65d9536ca18beee8037943f059734a44cde3a0c53135673d5454
    • Opcode Fuzzy Hash: bc2e50b65ce28e308335f2ca97ec246ddb3155b7ab192c19029a384e0355db69
    • Instruction Fuzzy Hash: CAE16E70A002589FDF04DFAAC885BAEBBF5FF49305F10856AF904A7391D7389941CB58
    APIs
      • Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
      • Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
      • Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0
    • SelectPalette.GDI32(?,?,000000FF), ref: 004EB6DB
    • RealizePalette.GDI32(?), ref: 004EB6EA
    • GetStretchBltMode.GDI32(00000000), ref: 004EB6FC
    • GetDeviceCaps.GDI32(?,0000000C), ref: 004EB70D
    • GetDeviceCaps.GDI32(?,0000000E), ref: 004EB71C
    • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C,00000000), ref: 004EB74F
    • SetStretchBltMode.GDI32(?,00000004), ref: 004EB75D
    • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C,00000000), ref: 004EB775
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 004EB792
    • CreateCompatibleDC.GDI32(00000000), ref: 004EB7F3
    • SelectObject.GDI32(?,?), ref: 004EB808
    • SelectObject.GDI32(?,00000000), ref: 004EB867
    • DeleteDC.GDI32(00000000), ref: 004EB876
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CapsDevice$ModePaletteSelectStretch$BrushCreateObject$CompatibleDeleteHalftoneRealizeRelease
    • String ID:
    • API String ID: 28117789-0
    • Opcode ID: 230a5d8b8307ea4118e7af7672871789c69a95fa8ce89b2824e3c90030dde8aa
    • Instruction ID: 489584e9c4cd725b990482e09af51c0bca80148c9d3d35cd6fb0d49a7a8e8351
    • Opcode Fuzzy Hash: 230a5d8b8307ea4118e7af7672871789c69a95fa8ce89b2824e3c90030dde8aa
    • Instruction Fuzzy Hash: 76A1D8B1600245AFDB40EFAAC985F9AB7E8EF08305F504559F605E7652D738ED40CBA4
    Similarity
    • API ID:
    • String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE$|Q
    • API String ID: 0-438586054
    • Opcode ID: ea9811850a28c673e8ba07f7467ac12840e37c958a34b87808dfa0b1f8de0348
    • Instruction ID: 8102f4c3b3978186836da9695eae30be303f1a08c9f3132bf2e5225ad4174031
    • Opcode Fuzzy Hash: ea9811850a28c673e8ba07f7467ac12840e37c958a34b87808dfa0b1f8de0348
    • Instruction Fuzzy Hash: 9171BC71B04205AFDB10DF69D881BAEBBF9FB88300F0484AAF514E7686DA749D048B55
    APIs
    • CreateCompatibleDC.GDI32(00000000), ref: 004E5B6F
    • CreateCompatibleDC.GDI32(00000000), ref: 004E5B79
    • GetObjectW.GDI32(?,00000018,?), ref: 004E5B99
    • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004E5BB0
    • GetDC.USER32(00000000), ref: 004E5BBC
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004E5BE9
    • ReleaseDC.USER32(00000000,00000000), ref: 004E5C0F
    • SelectObject.GDI32(?,?), ref: 004E5C2A
    • SelectObject.GDI32(?,00000000), ref: 004E5C39
    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004E5C65
    • SelectObject.GDI32(?,00000000), ref: 004E5C73
    • SelectObject.GDI32(?,00000000), ref: 004E5C81
    • DeleteDC.GDI32(?), ref: 004E5C97
    • DeleteDC.GDI32(?), ref: 004E5CA0
    Similarity
    • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
    • String ID:
    • API String ID: 644427674-0
    • Opcode ID: aef1841c4e128ff32c9b36ede18983638337cbd9838766df907cc8eb69374be7
    • Instruction ID: 17c9c49937640a7ee63a15ab90711d013368aaab887e413720973401a1c3c297
    • Opcode Fuzzy Hash: aef1841c4e128ff32c9b36ede18983638337cbd9838766df907cc8eb69374be7
    • Instruction Fuzzy Hash: 3D410C72E40754BFDB10EAE9C952FAFB7BCAB09705F50045AB600E7281D6789A4087A4
    APIs
      • Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
      • Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
      • Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0
    • SelectPalette.GDI32(?,?,000000FF), ref: 004EB9A7
    • RealizePalette.GDI32(?), ref: 004EB9B6
    • GetDeviceCaps.GDI32(?,0000000C), ref: 004EB9C8
    • GetDeviceCaps.GDI32(?,0000000E), ref: 004EB9D7
    • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004EBA0A
    • SetStretchBltMode.GDI32(?,00000004), ref: 004EBA18
    • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004EBA30
    • SetStretchBltMode.GDI32(00000000,00000003), ref: 004EBA4D
    • CreateCompatibleDC.GDI32(00000000), ref: 004EBAAE
    • SelectObject.GDI32(?,?), ref: 004EBAC3
    • SelectObject.GDI32(?,00000000), ref: 004EBB22
    • DeleteDC.GDI32(00000000), ref: 004EBB31
    Similarity
    • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
    • String ID:
    • API String ID: 2414602066-0
    • Opcode ID: cd1fa1e0ecb1de98fa74186667cffcb93663ecd76ac09dee35a8bf4f5781b3c6
    • Instruction ID: 7ad90294f0dfa4864f0bea30e35c96d4e1fa41525923fe95d334a894f78dac22
    • Opcode Fuzzy Hash: cd1fa1e0ecb1de98fa74186667cffcb93663ecd76ac09dee35a8bf4f5781b3c6
    • Instruction Fuzzy Hash: 54912971604245AFDB50DFAAC981F9FBBE8AB08305F10455AF505E7651D738ED40CBA4
    APIs
    • IsEqualGUID.OLE32(?,?), ref: 004EE9B4
    • IsEqualGUID.OLE32(?,00512700), ref: 004EE9D5
    • IsEqualGUID.OLE32(?,00512710), ref: 004EE9EB
    Similarity
    • API ID: Equal
    • String ID: 'Q$0'Q$@'Q$P'Q
    • API String ID: 4016716531-2080303212
    • Opcode ID: 06bb2107244251df08c43c72d47f9c7f3fc38b35fa4f6f78b8e9e6ec36d68293
    • Instruction ID: b4731463bd9311d4a1a1251d39e72e79ce3f5e0f269ead5cc3875890bfe52812
    • Opcode Fuzzy Hash: 06bb2107244251df08c43c72d47f9c7f3fc38b35fa4f6f78b8e9e6ec36d68293
    • Instruction Fuzzy Hash: 291178710085849EDB61DB2BAD80AF72B5D6F5A305F04509BFD804F243D39D884A876E
    APIs
      • Part of subcall function 00408850: GetTickCount.KERNEL32 ref: 00408887
      • Part of subcall function 00408850: GetTickCount.KERNEL32 ref: 0040889F
      • Part of subcall function 00425334: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352
    • GetThreadLocale.KERNEL32(00000000,00000004), ref: 00425E60
    • EnumCalendarInfoW.KERNEL32(00425C8C,00000000,00000000,00000004), ref: 00425E6B
    • GetThreadLocale.KERNEL32(00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425EA6
    • EnumCalendarInfoW.KERNEL32(00425D30,00000000,00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425EB1
    • GetThreadLocale.KERNEL32(00000000,00000004), ref: 00425F42
    • EnumCalendarInfoW.KERNEL32(00425C8C,00000000,00000000,00000004), ref: 00425F4D
    • GetThreadLocale.KERNEL32(00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425F8A
    • EnumCalendarInfoW.KERNEL32(00425D30,00000000,00000000,00000003,00425C8C,00000000,00000000,00000004), ref: 00425F95
    Similarity
    • API ID: InfoLocale$CalendarEnumThread$CountTick
    • String ID: B.C.$[B
    • API String ID: 1601775584-1960173975
    • Opcode ID: 1b6920561c2492ac86307a42e23f5190f9ff0a585815c4d74622e06b8b266038
    • Instruction ID: 696a8cbb88cbf135683503293481ae752516e7a6c47e6b4c93b3b9376ce1ac3d
    • Opcode Fuzzy Hash: 1b6920561c2492ac86307a42e23f5190f9ff0a585815c4d74622e06b8b266038
    • Instruction Fuzzy Hash: 9761F570B006129FE710EF69E885AAA77E5EF44724B51857EF400EB3E1C738AD41DB98
    APIs
      • Part of subcall function 004ED0C0: DeleteObject.GDI32(00000000), ref: 004ED206
    • DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004ED865
    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,?,?), ref: 004ED8E3
    • GetIconInfo.USER32(00000000,?), ref: 004ED947
    • GetDIBits.GDI32(00000000,?,00000000,00000000,?,00000000,?), ref: 004ED980
    • SetDIBits.GDI32(00000000,00000000,?,00000000,?,00000000,004EDA2B), ref: 004ED9E9
    • DeleteObject.GDI32(?), ref: 004ED9FF
    • DeleteObject.GDI32(?), ref: 004EDA08
    Similarity
    • API ID: BitsDeleteObject$Icon$DrawInfo
    • String ID: $,
    • API String ID: 1810795657-71045815
    • Opcode ID: 0c5187b6c173e4ec8a62df78b25059c000a8f0dee15bd527dab433ee5dea9988
    • Instruction ID: 3b15df45811348dce314f71d9fb3896dfd83895a50164542f8512fd99f32aa23
    • Opcode Fuzzy Hash: 0c5187b6c173e4ec8a62df78b25059c000a8f0dee15bd527dab433ee5dea9988
    • Instruction Fuzzy Hash: F4913871B00145AFD700EFAAC885A9EBBF9FF48305F6041AAF505EB251DA34ED45CB94
    APIs
    • IsValidLocale.KERNEL32(?,00000001,00000000,00425691,?,?,?,?,00000000,00000000), ref: 004253D3
    • GetThreadLocale.KERNEL32(?,00000001,00000000,00425691,?,?,?,?,00000000,00000000), ref: 004253DC
      • Part of subcall function 00425380: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,00425482,?,00000001,00000000,00425691), ref: 00425393
      • Part of subcall function 00425334: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00425352
    Similarity
    • API ID: Locale$Info$ThreadValid
    • String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
    • API String ID: 233154393-3379564615
    • Opcode ID: ecbc7d69b4f11c979955816f9b11cd38cc839c94d643873308f8a088d78fbf3d
    • Instruction ID: ae11f37f10c7c7cc2ece4aa2851bd9592c5e3db29736d4fa45ff2483457f4832
    • Opcode Fuzzy Hash: ecbc7d69b4f11c979955816f9b11cd38cc839c94d643873308f8a088d78fbf3d
    • Instruction Fuzzy Hash: 597122307005699BDB01EBA5E881ADE72A6DF84344FD0807BF904EB646DB3CDE16879D
    APIs
      • Part of subcall function 004264A8: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00426654), ref: 004264DB
      • Part of subcall function 004264A8: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004264FF
      • Part of subcall function 004264A8: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042651A
      • Part of subcall function 004264A8: LoadStringW.USER32(00000000,0000FFEB,?,00000100), ref: 004265B5
    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,004267C5), ref: 00426701
    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00426734
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00426746
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0042674C
    • GetStdHandle.KERNEL32(000000F4,004267E0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 00426760
    • WriteFile.KERNEL32(00000000,000000F4,004267E0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00426766
    • LoadStringW.USER32(00000000,0000FFEC,?,00000040), ref: 0042678A
    • MessageBoxW.USER32(00000000,?,?,00002010), ref: 004267A4
    Similarity
    • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
    • String ID: tfB
    • API String ID: 135118572-130872579
    • Opcode ID: 9bd242eae4f90391b472806f37277f73713ffbdadf9196c88fd53bc0c4fbecbc
    • Instruction ID: f4d91264f439f9afde1fae8dc8c0fd47b018c982b43080126821b41619b54a46
    • Opcode Fuzzy Hash: 9bd242eae4f90391b472806f37277f73713ffbdadf9196c88fd53bc0c4fbecbc
    • Instruction Fuzzy Hash: B0318775744218BFE710DB55DC83FDA73BCEB04704F9041A6B604E61D1DA74AE84876D
    APIs
      • Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E4780
      • Part of subcall function 004E4778: LeaveCriticalSection.KERNEL32(0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E478D
      • Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(?,0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870), ref: 004E4796
    • CreateCompatibleDC.GDI32(00000000), ref: 004E4B64
    • SelectObject.GDI32(?,?), ref: 004E4B74
    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 004E4C70
    • SetTextColor.GDI32(?,00000000), ref: 004E4C7E
    • SetBkColor.GDI32(?,00FFFFFF), ref: 004E4C92
    • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 004E4CC5
    • SetTextColor.GDI32(?,?), ref: 004E4CD5
    • SetBkColor.GDI32(?,?), ref: 004E4CE5
    • SelectObject.GDI32(?,00000000), ref: 004E4D15
    • DeleteDC.GDI32(?), ref: 004E4D1E
    Similarity
    • API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
    • String ID:
    • API String ID: 675119849-0
    • Opcode ID: 17a9f5c396fd801cce45f3af1a2c03a7e908330b3a1013798d2b0e4747143bd7
    • Instruction ID: 71bf14b9f78042d93af0d274de238ac5bd12102c0260bb26fb2fcf8b95af7db9
    • Opcode Fuzzy Hash: 17a9f5c396fd801cce45f3af1a2c03a7e908330b3a1013798d2b0e4747143bd7
    • Instruction Fuzzy Hash: EE919375A00248AFCB40DFAAC981E9EBBF9EF4D315B10449AF505EB661C734EE41CB64
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004085DD
    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004085E3
    • GetLogicalProcessorInformation.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 004085F6
    • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 004085FF
    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,00408676,?,00000000,?,GetLogicalProcessorInformation), ref: 0040862A
    Similarity
    • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
    • String ID: @$GetLogicalProcessorInformation$kernel32.dll
    • API String ID: 1184211438-79381301
    • Opcode ID: 9b6de5aca907aff7f49779a1cb565253b723d78320fe21404139914b83ab067e
    • Instruction ID: 500c6e41f31b7fdb6d34238680861789b78f08bdeabe16a24c436e355b3d89bb
    • Opcode Fuzzy Hash: 9b6de5aca907aff7f49779a1cb565253b723d78320fe21404139914b83ab067e
    • Instruction Fuzzy Hash: E0116370D00208AADB10EBA5CA05B5EB7A4DF04304F1288BFE854B72C1DA7E8E508E59
    APIs
    • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0041064C
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 01433c88fba5b4f775e71df606895a677a3445a2bc368d898035e78ffffcbf29
    • Instruction ID: 0ce41ded5bccfca64fbac36b7d610e41f84856dd8e2a7bbc42b78d3b128abe8f
    • Opcode Fuzzy Hash: 01433c88fba5b4f775e71df606895a677a3445a2bc368d898035e78ffffcbf29
    • Instruction Fuzzy Hash: 0CA19075A013099FDB20DFA8D881BEEB7B5FF58310F14812AE915A7390DBB4A9C4CB54
    APIs
    • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00430AED
    • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00430B09
    • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00430B42
    • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00430BBF
    • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00430BD8
    • VariantCopy.OLEAUT32(?), ref: 00430C0D
    Similarity
    • API ID: ArraySafe$BoundIndex$CopyCreateVariant
    • String ID:
    • API String ID: 351091851-3916222277
    • Opcode ID: b24821290767192b64c8f13178bb3ebd50a91d5dafaf8b93d1d09599547c4c5d
    • Instruction ID: c5ac3e0bb315912875ce6d6a8b12eb4200af54bb65bf5f77a9b42e84e07fd96b
    • Opcode Fuzzy Hash: b24821290767192b64c8f13178bb3ebd50a91d5dafaf8b93d1d09599547c4c5d
    • Instruction Fuzzy Hash: 2C51227590022D9BCB25DB59CC91BDAB3BCAF4C304F0052DAF548E7252D634AF848F65
    APIs
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004E9AA6
    • MulDiv.KERNEL32(?,000009EC,00000000), ref: 004E9AC3
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004E9AEF
    • GetEnhMetaFileHeader.GDI32(00000016,0000006C,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004E9B0F
    • DeleteEnhMetaFile.GDI32(00000016), ref: 004E9B30
    • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,0000006C,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 004E9B43
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileMeta$Bits$DeleteHeader
    • String ID: `
    • API String ID: 1990453761-2679148245
    • Opcode ID: 1bc734305bfd0bdb724ca875092e956d4852018e6443de175511f346f92c27bf
    • Instruction ID: e4881d64baec76ee9eafe246b21c5bc9d5a9281d976d74d65e8b275913b0d6f5
    • Opcode Fuzzy Hash: 1bc734305bfd0bdb724ca875092e956d4852018e6443de175511f346f92c27bf
    • Instruction Fuzzy Hash: 8A412275D00248AFDB40DFA9C881AAEB7F9FF48711F50816AF904EB241E7389E40CB64
    APIs
    • GetStdHandle.KERNEL32(000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 00406206
    • WriteFile.KERNEL32(00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 0040620C
    • GetStdHandle.KERNEL32(000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 0040622B
    • WriteFile.KERNEL32(00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?,00000000,?,?,00000000,00406B8F), ref: 00406231
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000,?), ref: 00406248
    • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00405354,00000000,?,00000000,00000000,000000F4,00405358,00000000), ref: 0040624E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileHandleWrite
    • String ID: TS@
    • API String ID: 3320372497-1941835897
    • Opcode ID: 773f2b01c096205ed1640b90909cb80b96b374e64d656fdce13fcbbb072e403a
    • Instruction ID: 82cfcf8d63e4733cb96d407babe502fa205990dff362196b090b8b3cf9cfd937
    • Opcode Fuzzy Hash: 773f2b01c096205ed1640b90909cb80b96b374e64d656fdce13fcbbb072e403a
    • Instruction Fuzzy Hash: 9D0162A16486147DE110F2BA9C8AF6F368CDB18724F10077E7618F60D2C5785C449B7A
    APIs
    • Sleep.KERNEL32(00000000), ref: 004059D3
    • Sleep.KERNEL32(0000000A,00000000), ref: 004059E9
    • Sleep.KERNEL32(00000000), ref: 00405A17
    • Sleep.KERNEL32(0000000A,00000000), ref: 00405A2D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Sleep
    • String ID: @.
    • API String ID: 3472027048-4201455939
    • Opcode ID: ada7fe0ad1e969fa1615a2ce2c1f205a77d44d1215cb1e65cc2c198de2b16ae9
    • Instruction ID: a95b6186faaf28ee99436786a323c89c11953a43e3af36f3f78c15d8c677067a
    • Opcode Fuzzy Hash: ada7fe0ad1e969fa1615a2ce2c1f205a77d44d1215cb1e65cc2c198de2b16ae9
    • Instruction Fuzzy Hash: 0DC16972601B118FD725CF28D884367BBA1EB95320F1882BFD4059B3D5C778A849DF88
    APIs
    • Sleep.KERNEL32(00000000,?,?,00000000,00405912), ref: 00405D36
    • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405912), ref: 00405D50
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: b3bac45a803a588073ab35a9efb47af0939235da5b92122c96ba95b50cef7661
    • Instruction ID: 4f935fbc936f4d5eb3d08406d1a455a3bc696dbd4939a17767f2164eefdcc051
    • Opcode Fuzzy Hash: b3bac45a803a588073ab35a9efb47af0939235da5b92122c96ba95b50cef7661
    • Instruction Fuzzy Hash: 1371D231604B008FE725DB28D888B67BBD4EF95314F14C2BFD844AB3D2D67888459F59
    APIs
    • GetDC.USER32(00000000), ref: 004E60B2
    • GetDeviceCaps.GDI32(?,00000068), ref: 004E60CE
    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004E60ED
    • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004E6111
    • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 004E612F
    • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 004E6143
    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004E6163
    • ReleaseDC.USER32(00000000,?), ref: 004E617B
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: EntriesPaletteSystem$CapsDeviceRelease
    • String ID:
    • API String ID: 1781840570-0
    • Opcode ID: 76daa9d26c080c564ad9041f13802c656f185a4c8ec9210214833560b50aa864
    • Instruction ID: 253042d8ae561a030da4b25cfcc59df415f83bc43ecdec077c49d488911ed581
    • Opcode Fuzzy Hash: 76daa9d26c080c564ad9041f13802c656f185a4c8ec9210214833560b50aa864
    • Instruction Fuzzy Hash: 8F2156B1A40218BADB50DFA5DD86F9EB3BCEB08705F510496F704E71C1D679AF408B28
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6090a39ba4113efe279c4ce94d3a27bfd3a3f347abc7f88e99f6aa2524520e12
    • Instruction ID: 14c4d9104ddc23c6b9370c21b65e9a421d4bec3d23930416dd05d6dcb6f7df23
    • Opcode Fuzzy Hash: 6090a39ba4113efe279c4ce94d3a27bfd3a3f347abc7f88e99f6aa2524520e12
    • Instruction Fuzzy Hash: 01C12262710A014BD714AA7D9C8836FB286DBC4325F68823FE645EB3C6DA7CCC458B58
    APIs
    • CreateCompatibleDC.GDI32(?), ref: 00501CF9
    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00501D28
    • SelectObject.GDI32(?,?), ref: 00501D38
    • DeleteObject.GDI32(?), ref: 00501F51
    • DeleteDC.GDI32(?), ref: 00501F5D
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CreateDeleteObject$CompatibleSectionSelect
    • String ID: |O
    • API String ID: 2986811175-2178481767
    • Opcode ID: a9bbe83d257c807f7c6cf5841645ed630d934bfa751ed75cbcc86d9f87175290
    • Instruction ID: 23b0b9da3e35150a70dc60c8eabed989a34c9c4d103326d6d83e4f384e214d9f
    • Opcode Fuzzy Hash: a9bbe83d257c807f7c6cf5841645ed630d934bfa751ed75cbcc86d9f87175290
    • Instruction Fuzzy Hash: 60B1C575E0060A9FCB04DF99C985AAEBBF5FF48300F2181A5E914A73A1D734AD41CF55
    APIs
      • Part of subcall function 004FC400: DeleteObject.GDI32(?), ref: 004FC40B
      • Part of subcall function 004FC400: DeleteDC.GDI32(?), ref: 004FC418
      • Part of subcall function 004FC400: DeleteObject.GDI32(?), ref: 004FC434
    • CreateCompatibleDC.GDI32(00000000), ref: 004FC903
    • CreateHalftonePalette.GDI32(?,00000000), ref: 004FC93E
    • ResizePalette.GDI32(?,00000001), ref: 004FC973
    • SelectPalette.GDI32(?,?,00000000), ref: 004FC998
    • RealizePalette.GDI32(?), ref: 004FC9A3
    • CreateDIBSection.GDI32(?,-00000474,00000000,-00000450,00000000,00000000), ref: 004FC9CE
    • SelectObject.GDI32(?,00000000), ref: 004FC9E1
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Palette$CreateDeleteObject$Select$CompatibleHalftoneRealizeResizeSection
    • String ID:
    • API String ID: 2525607832-0
    • Opcode ID: 3b39bf79a773d9044507b5f4a6ba50a4e1458e9f25aaa5a6f7355112836dca1f
    • Instruction ID: 4ba82757873bb3c143a4d1742f8b993ef62ffc4f5942cec004fa87537f0c0421
    • Opcode Fuzzy Hash: 3b39bf79a773d9044507b5f4a6ba50a4e1458e9f25aaa5a6f7355112836dca1f
    • Instruction Fuzzy Hash: E67137756005289FDB04EF19C4D5F6637E5EF0A305F0541E6F2048F3AAC678E84ACB9A
    APIs
      • Part of subcall function 00408CDC: GetCurrentThreadId.KERNEL32 ref: 00408CDF
    • GetTickCount.KERNEL32 ref: 00408887
    • GetTickCount.KERNEL32 ref: 0040889F
    • GetCurrentThreadId.KERNEL32 ref: 004088CE
    • GetTickCount.KERNEL32 ref: 004088F9
    • GetTickCount.KERNEL32 ref: 00408930
    • GetTickCount.KERNEL32 ref: 0040895A
    • GetCurrentThreadId.KERNEL32 ref: 004089CA
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CountTick$CurrentThread
    • String ID:
    • API String ID: 3968769311-0
    • Opcode ID: 7d0f63ae373317c5f21e857476dc24018feec28cf215cb5a173da7a4db92fdee
    • Instruction ID: 59fdbd664e4c2a787114e1462c869c0698e504600effbf6fb817d1e717bb5ab3
    • Opcode Fuzzy Hash: 7d0f63ae373317c5f21e857476dc24018feec28cf215cb5a173da7a4db92fdee
    • Instruction Fuzzy Hash: BB415E716083419EDB21BE79CA4032BBAD1AB91354F14893FD4D8A73C2EE798881D75B
    APIs
    • MulDiv.KERNEL32(?,?,000009EC), ref: 004EA0E2
    • MulDiv.KERNEL32(?,?,000009EC), ref: 004EA0F9
    • GetDC.USER32(00000000), ref: 004EA110
    • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004EA1CB,?,00000000,?,?,000009EC,?,?,000009EC), ref: 004EA134
    • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004EA1AB,?,?,00000000,00000000,00000008,?,00000000,004EA1CB), ref: 004EA167
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: BitsFileMeta
    • String ID: `
    • API String ID: 858000408-2679148245
    • Opcode ID: b7f937434eb2587f847978740abbd8c81bb9dfc3e5197959b54ccdff63f1a7cc
    • Instruction ID: 560aeff5e142fb22fc32d70ae3aa060d7ef4d96bf65ee7c2df06f2301dcbdb9f
    • Opcode Fuzzy Hash: b7f937434eb2587f847978740abbd8c81bb9dfc3e5197959b54ccdff63f1a7cc
    • Instruction Fuzzy Hash: AD318775A00248ABDB00DFD5C882BEEF7B8EF0D705F514496F904EB281D678AE50D7A9
    APIs
      • Part of subcall function 004E62F0: GetObjectW.GDI32(00000000,00000004), ref: 004E6307
      • Part of subcall function 004E62F0: GetPaletteEntries.GDI32(00000000,00000000,?,00000028), ref: 004E632A
    • GetDC.USER32(00000000), ref: 004EA9B2
    • CreateCompatibleDC.GDI32(?), ref: 004EA9BE
    • SelectObject.GDI32(?), ref: 004EA9CB
    • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004EAA23,?,?,?,?,00000000), ref: 004EA9EF
    • SelectObject.GDI32(?,?), ref: 004EAA09
    • DeleteDC.GDI32(?), ref: 004EAA12
    • ReleaseDC.USER32(00000000,?), ref: 004EAA1D
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
    • String ID:
    • API String ID: 4046155103-0
    • Opcode ID: ec8649657c05e97b9ba1c19bfcd01e8d0b09a6ae33e64875ffb60a9979b168a2
    • Instruction ID: a90b19bdd86dec3490e2a43e61abe2758ba6d863edaf7bda9a2135b5bf853f90
    • Opcode Fuzzy Hash: ec8649657c05e97b9ba1c19bfcd01e8d0b09a6ae33e64875ffb60a9979b168a2
    • Instruction Fuzzy Hash: 54115172E00359BFDB10EFE9C851AEEB7BCEB09705F4044AAF504E7241E6789E5087A4
    APIs
    • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?,?,00409AA2,00406F13,00406F5A,?,?), ref: 00409909
    • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?,?,00409AA2,00406F13,00406F5A,?), ref: 0040990F
    • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E,?,?,?), ref: 0040992A
    • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040998E), ref: 00409930
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileHandleWrite
    • String ID: Error$Runtime error at 00000000
    • API String ID: 3320372497-2970929446
    • Opcode ID: 1f536b54c0f7e54d54e2ef4696db32368710aa63d846f2239d9123bcbb9aa4c9
    • Instruction ID: 1cafd5f0b55deffaaa1a260c41e3c473f996b032a313f4f96ee96a2a81eb749b
    • Opcode Fuzzy Hash: 1f536b54c0f7e54d54e2ef4696db32368710aa63d846f2239d9123bcbb9aa4c9
    • Instruction Fuzzy Hash: FBF04491A4134479FA3077A55C56F6F2B589704B18F18893FB650782D3CAB84C889766
    APIs
    • GetSystemMetrics.USER32(0000000B), ref: 004E662E
    • GetSystemMetrics.USER32(0000000C), ref: 004E663A
    • GetDC.USER32(00000000), ref: 004E6656
    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004E667D
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004E668A
    • ReleaseDC.USER32(00000000,00000000), ref: 004E66C3
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CapsDeviceMetricsSystem$Release
    • String ID:
    • API String ID: 447804332-0
    • Opcode ID: 514544e9451769a20b0d63ec12d45414229ecaa25948937d2ba282ff4bb2ffa2
    • Instruction ID: 4016dc568379c8c19e12672c107d27f7e339e6f7b848dc7462e147759cb92e24
    • Opcode Fuzzy Hash: 514544e9451769a20b0d63ec12d45414229ecaa25948937d2ba282ff4bb2ffa2
    • Instruction Fuzzy Hash: BA318474E00244EFEB00DFA6C841AAEBBB5FF49751F11856AF414AB384C6749D41CB65
    APIs
    • CreateCompatibleDC.GDI32(00000000), ref: 004E6252
    • SelectObject.GDI32(00000000,00000000), ref: 004E625B
    • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,?,00000000,?,?,004EC367), ref: 004E626F
    • SelectObject.GDI32(00000000,00000000), ref: 004E627B
    • DeleteDC.GDI32(00000000), ref: 004E6281
    • CreatePalette.GDI32 ref: 004E62DC
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
    • String ID:
    • API String ID: 2515223848-0
    • Opcode ID: b997db316f2abecf04d04fb6944116b78a9572eb58e1c4966b0c088b7dbf38d2
    • Instruction ID: a9122789ae2112ab5d480f456968dacfb5192fdd903596c14086488a8c203ac4
    • Opcode Fuzzy Hash: b997db316f2abecf04d04fb6944116b78a9572eb58e1c4966b0c088b7dbf38d2
    • Instruction Fuzzy Hash: 5311063120434022E210BB679C43BAB72A8DFD579AF01C52FF649D7382E67C8D49439E
    APIs
      • Part of subcall function 004E6950: GetObjectW.GDI32(?,00000054), ref: 004E6964
    • CreateCompatibleDC.GDI32(00000000), ref: 004E6ABE
    • SelectPalette.GDI32(?,?,00000000), ref: 004E6ADF
    • RealizePalette.GDI32(?), ref: 004E6AEB
    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 004E6B02
    • SelectPalette.GDI32(?,00000000,00000000), ref: 004E6B2A
    • DeleteDC.GDI32(?), ref: 004E6B33
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
    • String ID:
    • API String ID: 1221726059-0
    • Opcode ID: 9dbd0a09d7bff179ba26f2c840b696ab711f6e12a27d33c9ec649e9677f75141
    • Instruction ID: ce5ef7bc2b447eaaf5ad7ea58a7014afe3a29db5ee430c20c38cefb41b0ea7be
    • Opcode Fuzzy Hash: 9dbd0a09d7bff179ba26f2c840b696ab711f6e12a27d33c9ec649e9677f75141
    • Instruction Fuzzy Hash: EF114275E403047FDB10DFAA8C42F9EBBEDDB49701F51806AB514E7281D678AE408768
    APIs
    • SetDIBits.GDI32(00000000,00000000), ref: 004EECF4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Bits
    • String ID: $,$p'Q$pN
    • API String ID: 3573556081-239200797
    • Opcode ID: 9391e0394f7916f73dff1277520d4d705974b46ce81b844c17144b3c710da58a
    • Instruction ID: d001d4b02fea60d2ddc19119e45af84f904a8900783e5666cdb239e35887b621
    • Opcode Fuzzy Hash: 9391e0394f7916f73dff1277520d4d705974b46ce81b844c17144b3c710da58a
    • Instruction Fuzzy Hash: D951C074A00208AFDB40DF9AD881E9EB7F9FB48314F5181A6F914EB362D735AE44CB54
    APIs
    • GetDIBits.GDI32(00000000,00000000,00000000,?,?,0000002C,00000000), ref: 004EE4B2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Bits
    • String ID: $,$`'Q$p'Q
    • API String ID: 3573556081-2603654308
    • Opcode ID: 1e4b7877f9ed25d0df77042371f75b087c682ce0a9e97075b5fa9396fb5ffe63
    • Instruction ID: 3a37b5cc9bf0c8d8000a68fc77529f267484bf6e279f2dcca66fcdbc30fe467d
    • Opcode Fuzzy Hash: 1e4b7877f9ed25d0df77042371f75b087c682ce0a9e97075b5fa9396fb5ffe63
    • Instruction Fuzzy Hash: F74155B1A00104AFDB40DF6AC885A9A77F9FF09318B2101A6FC04EB356D775ED45CBA4
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00426654), ref: 004264DB
    • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004264FF
    • GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0042651A
    • LoadStringW.USER32(00000000,0000FFEB,?,00000100), ref: 004265B5
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileModuleName$LoadQueryStringVirtual
    • String ID: MZP
    • API String ID: 3990497365-2889622443
    • Opcode ID: 2b3f44e4f7a2d6c1b3fee60125f5a3b7ebe0d388335a30d1c0c566c348941ca3
    • Instruction ID: 3ebe75aaea26270c49df469c1dfa27cf559e126611b230fa96b652b759ddd534
    • Opcode Fuzzy Hash: 2b3f44e4f7a2d6c1b3fee60125f5a3b7ebe0d388335a30d1c0c566c348941ca3
    • Instruction Fuzzy Hash: 0F415170A002289FDB20DF65DC81BC9B7F9AB59304F8140EAE508E7241D7799E948F59
    APIs
    • GetDC.USER32(00000000), ref: 004ED17C
    • CreateHalftonePalette.GDI32(00000000,00000000), ref: 004ED189
    • ReleaseDC.USER32(00000000,00000000), ref: 004ED198
    • DeleteObject.GDI32(00000000), ref: 004ED206
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CreateDeleteHalftoneObjectPaletteRelease
    • String ID: (
    • API String ID: 577518360-3887548279
    • Opcode ID: 32ce22b9de10bafd101c2613fd01f6445f106ada3cda1462df667431703dc535
    • Instruction ID: f4cdfa598af05b45841861bd228acaa28986e0525782047027fcf41f9e0f99af
    • Opcode Fuzzy Hash: 32ce22b9de10bafd101c2613fd01f6445f106ada3cda1462df667431703dc535
    • Instruction Fuzzy Hash: E941A070E042489FCB10DFA6C885ADEFBB5EF49305F1480AAE404AB351D7789A45DB59
    APIs
    • GetLastError.KERNEL32(00000000,004B722A,?,?,004B5444,00000001), ref: 004B71CC
    • GetCurrentThread.KERNEL32 ref: 004B7204
    • GetCurrentThreadId.KERNEL32 ref: 004B720C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CurrentThread$ErrorLast
    • String ID: BnK$pDA
    • API String ID: 4172138867-3175749474
    • Opcode ID: 45a52948063ae869c5ffade8446d791127c4dd31563bf402034811a5a010da89
    • Instruction ID: 1da225fa056e761f40802f8a1fc69d71c6e2631732e1a8f1b7ca1faddf28d046
    • Opcode Fuzzy Hash: 45a52948063ae869c5ffade8446d791127c4dd31563bf402034811a5a010da89
    • Instruction Fuzzy Hash: 69214B709086456ED701DFB5CC817EABBE4BF89304F0485BBE42497782DB389805C7B9
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9b1296c92a046bb743362478882edb4bed3443ecb9e909bca9af9b7118eca8f6
    • Instruction ID: 8d3459a469465bc4371695b4e367a65a38b978d34797e4c4e50731b7cb5a1aca
    • Opcode Fuzzy Hash: 9b1296c92a046bb743362478882edb4bed3443ecb9e909bca9af9b7118eca8f6
    • Instruction Fuzzy Hash: AFD1C235A00209AFCF00EF95C4918EEFBB9EF0D310F5590A6E840A7251D638AE46DB79
    APIs
    • memcpy.MSVCRT(?,?,00000038), ref: 004F08C0
    • memcpy.MSVCRT(00000000,00000000,000016C4), ref: 004F08F3
    • memcpy.MSVCRT(00000000,?,?), ref: 004F0989
    • memcpy.MSVCRT(00000000,?,?), ref: 004F099F
    • memcpy.MSVCRT(00000000,?,?), ref: 004F09B5
    • memcpy.MSVCRT(00000000,?,?), ref: 004F09C9
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: memcpy
    • String ID:
    • API String ID: 3510742995-0
    • Opcode ID: d948a10c9f1e2417ed34ae8df7b8044f991836d94fef36a5c337458bb54a48b1
    • Instruction ID: bcd7db05d191351e9405a97d2655ef30d3ed96d280d6279a09f2b3dd0a47b8f8
    • Opcode Fuzzy Hash: d948a10c9f1e2417ed34ae8df7b8044f991836d94fef36a5c337458bb54a48b1
    • Instruction Fuzzy Hash: 965175B1600200AFDB14CF69CCC5E6677A8BF88314F08827AEE098F346E735E944CB94
    APIs
    • GetDC.USER32(00000000), ref: 004EC372
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
    • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
    • ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CapsDevice$CreateHalftonePaletteRelease
    • String ID:
    • API String ID: 2404249990-0
    • Opcode ID: c4a1b20b6082907148ca0743ca9c7e76063a1768cc102af30ff38a7623f7df5f
    • Instruction ID: 76c421ad3c698b7ff88da0f61c3aa7df07cb2880bcd4f869b6d47c825d99da29
    • Opcode Fuzzy Hash: c4a1b20b6082907148ca0743ca9c7e76063a1768cc102af30ff38a7623f7df5f
    • Instruction Fuzzy Hash: 3D11D3315012D9AEEB20AF27C481BEF3B94AF55357F04505BFC005A281D7BC8DA2C7A9
    APIs
    • GetDC.USER32(00000000), ref: 004E61B4
    • GetDeviceCaps.GDI32(?,00000068), ref: 004E61D0
    • GetPaletteEntries.GDI32(26080DA6,00000000,00000008,?), ref: 004E61E8
    • GetPaletteEntries.GDI32(26080DA6,00000008,00000008,?), ref: 004E6200
    • ReleaseDC.USER32(00000000,?), ref: 004E621C
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: EntriesPalette$CapsDeviceRelease
    • String ID:
    • API String ID: 3128150645-0
    • Opcode ID: e2e0119970b46360f4dbaca9755fcc1ef81ad606db22181b8a12d53334abd375
    • Instruction ID: fb62e25858754de89261d63ddcf899fc845c4e56b322bcc1c3ebe9d0414cdd2c
    • Opcode Fuzzy Hash: e2e0119970b46360f4dbaca9755fcc1ef81ad606db22181b8a12d53334abd375
    • Instruction Fuzzy Hash: 191108716483447EEB00DFA6EC42FA97FACE719706F40849BF204DA1C1DABA5544C324
    APIs
    • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 0040911E
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID: ,qB$hsB
    • API String ID: 3192549508-2187915683
    • Opcode ID: 1700f64120af452dff93675b6e54fdb508242944783359e32faae08426496f92
    • Instruction ID: 7df4318895a31e83b2a36aa030ba475ccd5b90e95bae95c0b52881597b1f7c6e
    • Opcode Fuzzy Hash: 1700f64120af452dff93675b6e54fdb508242944783359e32faae08426496f92
    • Instruction Fuzzy Hash: 834196717042029FE720DF14C888B6BB7E5EB85314F15857AE448AB393C739EC45CB59
    APIs
    • VirtualFree.KERNEL32(?,?,00004000), ref: 00508DAD
    • VirtualProtect.KERNEL32(?,?,?,?,?), ref: 00508E32
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Virtual$FreeProtect
    • String ID: FinalizeSections: VirtualProtect failed$|Q
    • API String ID: 2581862158-3827351531
    • Opcode ID: fa35e50d7f234b5e07e6fb23c962c04590894bc765923caa80c9eb3eee81d87f
    • Instruction ID: c0528e627903ef523b2bc58cdeb6eae21d0cc9785fdc87bd281bc9d83346ef9d
    • Opcode Fuzzy Hash: fa35e50d7f234b5e07e6fb23c962c04590894bc765923caa80c9eb3eee81d87f
    • Instruction Fuzzy Hash: DF31F2756012069FD750DF58C985FAABBE8BF08750F144584FA98DB3E2CB34ED508B90
    APIs
    • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,00423D0B), ref: 00423CAE
    • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,00423D0B), ref: 00423CB4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: DateFormatLocaleThread
    • String ID: $yyyy
    • API String ID: 3303714858-404527807
    • Opcode ID: 0809fa2659c157af8da77a48e90bfea0ac0ad0ed8c95e6ae3a57ad6ba9429efe
    • Instruction ID: 4198a1d351d31b9a86c79895a928489856ad1452b39a35c365c2990c697424f4
    • Opcode Fuzzy Hash: 0809fa2659c157af8da77a48e90bfea0ac0ad0ed8c95e6ae3a57ad6ba9429efe
    • Instruction Fuzzy Hash: F4217F35A046289BDB10EF95D842AAEB3F8EF08701F91406BF905F7281D63C9F00C76A
    APIs
    • GetACP.KERNEL32(0041F85C,00000001), ref: 0042D6B8
    • GetCPInfo.KERNEL32(0042D79C,0042C1C5,0041F85C,00000001), ref: 0042D6D9
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Info
    • String ID: $CA$\A
    • API String ID: 1807457897-218779800
    • Opcode ID: aecf4f1dfd8fc7b5cebb160ad552daee8337b3df9b28935e0f3520fc2f74d5a9
    • Instruction ID: bde635dc5e59c05a9696b674051b92f9c94b1989a3f6841168800d4cce0c92c9
    • Opcode Fuzzy Hash: aecf4f1dfd8fc7b5cebb160ad552daee8337b3df9b28935e0f3520fc2f74d5a9
    • Instruction Fuzzy Hash: E501D671B00A158FC720EF69E981997B7E4AF05364700853FFC99C7351EB39D9048BA9
    APIs
    • EnterCriticalSection.KERNEL32(?,00000000,004E3BCC), ref: 004E39AC
    • LeaveCriticalSection.KERNEL32(?,004E3BA3,?,00000000,004E3BCC), ref: 004E3B96
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: Default$-Q
    • API String ID: 3168844106-3821686248
    • Opcode ID: 1a1d0b3d7fef57fbd369e5ba3f48b81e015b8509224f28914d8de7d590d176ed
    • Instruction ID: 19d7f923896caa44bc4d2895c7d959a39db7ed687c0c5984d3f2fc8e9670fb4e
    • Opcode Fuzzy Hash: 1a1d0b3d7fef57fbd369e5ba3f48b81e015b8509224f28914d8de7d590d176ed
    • Instruction Fuzzy Hash: BA519470A083589FDB02DFA9C845AEEBBF5FF48305F51446AE404A7352D778AE44CB14
    APIs
    • GetObjectW.GDI32(?,00000000,00000000), ref: 004E3EF7
    • GetObjectW.GDI32(?,00000010,?), ref: 004E3F0A
    • GetObjectW.GDI32(?,00000000,?), ref: 004E3F63
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Object
    • String ID:
    • API String ID: 2936123098-0
    • Opcode ID: a40579d9f90c76d0c9fca4423f8c07d8447b4155338eb9add3561dc35ea178ad
    • Instruction ID: b9ca84249461113418995685c1b411e63f59ddf32e5f5f2b3ba05ad8a3118a75
    • Opcode Fuzzy Hash: a40579d9f90c76d0c9fca4423f8c07d8447b4155338eb9add3561dc35ea178ad
    • Instruction Fuzzy Hash: 09319471A047849FD711CF5AC885EAABBF9EF49311F14846EF854DB741D234E9008B64
    APIs
    • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C9A9
    • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040CA07
    • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CA64
    • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040CA97
      • Part of subcall function 0040C954: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040CA15), ref: 0040C96B
      • Part of subcall function 0040C954: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040CA15), ref: 0040C988
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Thread$LanguagesPreferred$Language
    • String ID:
    • API String ID: 2255706666-0
    • Opcode ID: ab0a3fc87b5d274f299d69668d3c9eef21079eaeea860c77a07499101e2d6c50
    • Instruction ID: 8d1cb3547ee4b9364daa38f1b6dc697d03ddbece5e120c74778344a30482e11a
    • Opcode Fuzzy Hash: ab0a3fc87b5d274f299d69668d3c9eef21079eaeea860c77a07499101e2d6c50
    • Instruction Fuzzy Hash: DF313D70A0021E9BDB10DBA9C8C57AFB7B5EF04304F00427AE555E7291DB789A04CB95
    APIs
      • Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E4780
      • Part of subcall function 004E4778: LeaveCriticalSection.KERNEL32(0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870,?,0051DE34), ref: 004E478D
      • Part of subcall function 004E4778: EnterCriticalSection.KERNEL32(?,0051DE34,0051DE34,?,004E4858,?,?,?,?,?,?,?,?,00000000,004E4870), ref: 004E4796
      • Part of subcall function 004EC31C: GetDC.USER32(00000000), ref: 004EC372
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004EC387
      • Part of subcall function 004EC31C: GetDeviceCaps.GDI32(00000000,0000000E), ref: 004EC391
      • Part of subcall function 004EC31C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004EA7DB,00000000,004EA867), ref: 004EC3B5
      • Part of subcall function 004EC31C: ReleaseDC.USER32(00000000,00000000), ref: 004EC3C0
    • CreateCompatibleDC.GDI32(00000000), ref: 004EA7DD
    • SelectObject.GDI32(00000000,?), ref: 004EA7F6
    • SelectPalette.GDI32(00000000,?,000000FF), ref: 004EA81F
    • RealizePalette.GDI32(00000000), ref: 004EA82B
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
    • String ID:
    • API String ID: 979337279-0
    • Opcode ID: e4708b13d4162338c8fa8d9abf0c706dab058b01908a5adb0ec73a38d2e26af5
    • Instruction ID: 70351cf6032dbd0939f732d494bf93bb1b6777d92977e90662745986a4f58f41
    • Opcode Fuzzy Hash: e4708b13d4162338c8fa8d9abf0c706dab058b01908a5adb0ec73a38d2e26af5
    • Instruction Fuzzy Hash: E8310634A00684EFD704EF5AD981D5EB7F5FF48315B6241A6E804AB322C738EE82DB54
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: Object$Delete$IconInfo
    • String ID:
    • API String ID: 507670407-0
    • Opcode ID: 7a1785c32ae41643537aa2786bfbdbae53e7e625d4899cd26e3bbc34933ba4e6
    • Instruction ID: 1a97c13f3edbda2b3c1502a7d4827854aa80e6db8bf7018fb0a338cf34cd0894
    • Opcode Fuzzy Hash: 7a1785c32ae41643537aa2786bfbdbae53e7e625d4899cd26e3bbc34933ba4e6
    • Instruction Fuzzy Hash: 32119175A00208AFDB00DFABC982C9EB7F9EB48311B1085AAF904D7351DB75EE00DA94
    APIs
    • GetDC.USER32(00000000), ref: 004EEDD9
    • SelectObject.GDI32(00000000,058A00B4), ref: 004EEDEB
    • GetTextMetricsW.GDI32(00000000), ref: 004EEDF6
    • ReleaseDC.USER32(00000000,00000000), ref: 004EEE07
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: MetricsObjectReleaseSelectText
    • String ID:
    • API String ID: 2013942131-0
    • Opcode ID: 69fa914ca851ee74fc1149395581ca18b64c37d6fa6240ddf4510f1bbda6b75f
    • Instruction ID: a86a7c8164184303e7b2e3849245c9a5924fc7d8bd12fc902a680fb7c4b12911
    • Opcode Fuzzy Hash: 69fa914ca851ee74fc1149395581ca18b64c37d6fa6240ddf4510f1bbda6b75f
    • Instruction Fuzzy Hash: 94E04F626027B032D551666B5D86BDB2A4C4F026ABF480116FD44997D1DA0DCE5083FA
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00427356), ref: 004271F0
    • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,00427356), ref: 0042721C
      • Part of subcall function 0040EDD0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040EE15
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: FileLoadModuleNameQueryStringVirtual
    • String ID: T@A
    • API String ID: 902310565-1700159869
    • Opcode ID: e577adea336b6daf2d508854450fc309325dd34785544d58294c828bb4b4ff14
    • Instruction ID: 7609f04d8739139529e0a8c791b671d79e9844dfbef93b8af63634754ef4d455
    • Opcode Fuzzy Hash: e577adea336b6daf2d508854450fc309325dd34785544d58294c828bb4b4ff14
    • Instruction Fuzzy Hash: C2511834A08269DFCB10DF29DC88AD9B7F4AF48304F4045EAA808A7351D778AE84CF59
    APIs
    • CharUpperW.USER32(?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000,0042BB77,00000000,0042BCB7), ref: 00428707
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CharUpper
    • String ID: A$Z
    • API String ID: 9403516-4098844585
    • Opcode ID: 0853d31e4c62cbf45948dc29de724639dcf269313cc23831c9dadc14004e3c7b
    • Instruction ID: b9253ecd29e492176c38fe4a03f9f14fb6b287faa95297cdab911eb37b575cf8
    • Opcode Fuzzy Hash: 0853d31e4c62cbf45948dc29de724639dcf269313cc23831c9dadc14004e3c7b
    • Instruction Fuzzy Hash: 431136127466200BE720643FAC817FF958A87C63A4F99023FF505D73C1DC5C8C0142D9
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00408F8A
    • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00008F20), ref: 00408FC7
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID: hsB
    • API String ID: 3192549508-625297667
    • Opcode ID: 71af4e390d5abfd6d2040d1b975c0e968029a7204a6687ef051946c3d04c1d81
    • Instruction ID: a3b05377a8d17e60e07457b386e13646049d2c6927d33ce14a72d1f6f32e6c37
    • Opcode Fuzzy Hash: 71af4e390d5abfd6d2040d1b975c0e968029a7204a6687ef051946c3d04c1d81
    • Instruction Fuzzy Hash: 1A3180B0604301AFD720DB24C984F2BB7EAEB88714F14857EF548972A2CB38EC45D719
    APIs
    • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004D9018), ref: 004D8FBC
    • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,004D9018), ref: 004D8FD4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: CloseCreate
    • String ID: 0DA
    • API String ID: 2932200918-1323616133
    • Opcode ID: 0b6825df3cda6e191ee5dae1c5a93d024d2d7485a7bdbe94a9cb73b9ce3a7961
    • Instruction ID: 25a5c2a9eb58d250ad0b9fde8e6aed9dba2bf92039a102360e846b09499ff578
    • Opcode Fuzzy Hash: 0b6825df3cda6e191ee5dae1c5a93d024d2d7485a7bdbe94a9cb73b9ce3a7961
    • Instruction Fuzzy Hash: A4215171B04208ABDB11EFA5CC52BAE77F9EB48704F10407BB504E7381EA78AE059659
    APIs
    • UnhandledExceptionFilter.KERNEL32(00000006), ref: 0040947F
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID: hsB$ptB
    • API String ID: 3192549508-579888589
    • Opcode ID: 6040466f00e2c8a053fbe7c5040ef9d1dac393dd0ce99f32a3ea5679555daf94
    • Instruction ID: 1c15842ca407df81533eab869cf356bb1e86fa8830085c109665a44f2841b22d
    • Opcode Fuzzy Hash: 6040466f00e2c8a053fbe7c5040ef9d1dac393dd0ce99f32a3ea5679555daf94
    • Instruction Fuzzy Hash: 722187742082059BDB24DF29D884B2B7391AB98710F14C53AA845973D7C73CEC46DB59
    APIs
    • SetEnhMetaFileBits.GDI32(0000006C,?,00000000,004E99F3), ref: 004E99AB
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: BitsFileMeta
    • String ID: EMF$l
    • API String ID: 858000408-2398670571
    • Opcode ID: 27cd40e4f1488cb42868d610382ee7cf148af8a1a8fef5df1c79c7da63ff49e0
    • Instruction ID: d8b59ccd57732e94ff2d5b122cdf495c560b21a665579054683b94a632da62f7
    • Opcode Fuzzy Hash: 27cd40e4f1488cb42868d610382ee7cf148af8a1a8fef5df1c79c7da63ff49e0
    • Instruction Fuzzy Hash: 84217F71A00244DFCB10EFAAC881A6EB7F5FF49714F55426EE405AB786DB38AD01CB58
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: InitVariant
    • String ID: U8C$U8C
    • API String ID: 1927566239-2794899156
    • Opcode ID: bf84ff7d7a7fa1e4d11fdd5ea57b6b83ee227fd57091e2d3d130a9277d5c18c0
    • Instruction ID: 10ef4f3836cae0979ee085a1d740926b99cd50873d78cc0727187c4e793fe30e
    • Opcode Fuzzy Hash: bf84ff7d7a7fa1e4d11fdd5ea57b6b83ee227fd57091e2d3d130a9277d5c18c0
    • Instruction Fuzzy Hash: 61F0EC75E0020DEBCB00DF99D881AEEBBF8FB08710F008156EA54E7350E778AA44CB95
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: InitVariant
    • String ID: >C$>C
    • API String ID: 1927566239-3959820462
    • Opcode ID: 43f8b8c7ba45ec28c2f9dc46d8ae9a04e321d06ddab5c4339944580a4fdc2b13
    • Instruction ID: be07bd84cf863bd451e5846b8312b43da6e13796850f7b56658942201145f373
    • Opcode Fuzzy Hash: 43f8b8c7ba45ec28c2f9dc46d8ae9a04e321d06ddab5c4339944580a4fdc2b13
    • Instruction Fuzzy Hash: 39F0EC75E0020DABCB00DF99C881ADFB7F8FB08710F008156EA14E7340E774AA44CB95
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0050E4DB,00000000,0050E512), ref: 004289F2
      • Part of subcall function 004139B0: GetProcAddress.KERNEL32(0043C998,?), ref: 004139DA
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866375893.000000000050F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866434020.0000000000510000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866497055.0000000000511000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866563923.0000000000513000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866738809.0000000000518000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051D000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1866906595.000000000051F000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867204453.0000000000520000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867239315.0000000000521000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000522000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000004.00000002.1867269095.0000000000524000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: GetDiskFreeSpaceExW$kernel32.dll
    • API String ID: 1646373207-1127948838
    • Opcode ID: c7edea2ffbbda9fdc0d07ee16b935c76c2adbbdc0e38b75f3dfa78325f9fbb0d
    • Instruction ID: 8ccd786351900723a36e45e0a3bb3a683afe0fdfe4abf5b7f5dbba0d790a7421
    • Opcode Fuzzy Hash: c7edea2ffbbda9fdc0d07ee16b935c76c2adbbdc0e38b75f3dfa78325f9fbb0d
    • Instruction Fuzzy Hash: 24D05EB07123624AD760ABA1B882B1E2288A320F06F80013FB20145B26CFFD8848534C
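The last record above is the one behind the report's "Contains functionality to dynamically determine API calls" signature: GetModuleHandleW("kernel32.dll") feeding a GetProcAddress in a subcall, with the target name GetDiskFreeSpaceExW visible only in the function's String ID. When working through hundreds of these per-function records, it helps to parse them instead of reading them. The following is an added example written for this page (it is not Joe Sandbox code): it parses the "APIs / Strings / Memory Dump Source / Similarity" record layout shown above, flags records that pair a module-handle or library-load API with GetProcAddress, and builds an API-to-call-site index for pivoting. SAMPLE_REPORT is a constructed, trimmed copy of three of the records on this page; the record boundary (each record starts at its "APIs" heading) and the `$`-joined String ID format are taken from the listing as displayed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied (trimmed) from the listing above.
SAMPLE_REPORT = """
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0050E4DB,00000000,0050E512), ref: 004289F2
  • Part of subcall function 004139B0: GetProcAddress.KERNEL32(0043C998,?), ref: 004139DA
Strings
Memory Dump Source
• Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.1866167773.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_rundll32.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExW$kernel32.dll
• API String ID: 1646373207-1127948838
APIs
• SetEnhMetaFileBits.GDI32(0000006C,?,00000000,004E99F3), ref: 004E99AB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: BitsFileMeta
• String ID: EMF$l
• Opcode ID: 27cd40e4f1488cb42868d610382ee7cf148af8a1a8fef5df1c79c7da63ff49e0
• Opcode Fuzzy Hash: 27cd40e4f1488cb42868d610382ee7cf148af8a1a8fef5df1c79c7da63ff49e0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1866198573.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InitVariant
• String ID: U8C$U8C
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches "Name.MODULE(args), ref: ADDR", optionally prefixed by Joe's subcall note.
API_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)")
RESOLVERS = {"GetProcAddress"}
LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA",
           "LoadLibraryExW", "LoadLibraryExA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                  # call-site address
    subcall: str | None = None  # callee address when reported as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    dumps: list = field(default_factory=list)   # source .sdmp first, then associated ones
    offset: str | None = None
    similarity: dict = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report text into per-function records; a record starts at each 'APIs' heading."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.search(body)
            if m:
                rec.apis.append(ApiCall(m["name"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
        elif section == "Strings":
            rec.strings.append(body)
        elif section == "Memory Dump Source":
            key, _, value = body.partition(": ")
            if key == "Source File":
                name, _, rest = value.partition(", ")
                rec.dumps.insert(0, name)
                om = re.search(r"Offset: ([0-9A-F]+)", rest)
                rec.offset = om.group(1) if om else None
            elif key == "Associated":
                rec.dumps.append(value)
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            rec.similarity[key] = value
    return records


def dynamic_resolution(rec: FunctionRecord) -> list[str]:
    """Import names the function appears to resolve at run time: it must call both a
    loader/module-handle API and GetProcAddress; candidates come from the '$'-joined
    String ID with module file names removed."""
    names = {a.name for a in rec.apis}
    if not (names & RESOLVERS and names & LOADERS):
        return []
    parts = rec.similarity.get("String ID", "").split("$")
    return sorted({p for p in parts if p and not p.lower().endswith(".dll")})


def api_index(records: list[FunctionRecord]) -> dict[str, list[str]]:
    """API name -> sorted call-site addresses across all records, for pivoting in IDA."""
    index: dict[str, set] = {}
    for rec in records:
        for call in rec.apis:
            index.setdefault(call.name, set()).add(call.ref)
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r.similarity.get("API ID"), [a.name for a in r.apis], dynamic_resolution(r))
    print(api_index(recs))
```

Run against the full report text, `api_index` gives the call-site list to walk in IDA, and `dynamic_resolution` narrows the dump to the handful of functions that build their import table by hand; those are where a loader typically hides the APIs it does not want in the static import directory. The heuristic only uses what the record exposes (API names and the String ID), so a function that resolves names it decrypts at run time will show up with an empty candidate list and still needs manual review.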