Edit tour

Windows Analysis Report
rcM4Cx31Iy.dll

Overview

General Information

Sample name:	rcM4Cx31Iy.dll renamed because original name is a hash value
Original sample name:	5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211.dll
Analysis ID:	1567176
MD5:	da2334af47d1daf91c6a7921875f9526
SHA1:	acc6e16ec59360157741fd0d72497d83f40dd355
SHA256:	5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211
Tags:	dllFakeMp3user-BruceAnn2
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to infect the boot sector

Creates an undocumented autostart registry key

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SIDT)

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to search for IE or Outlook window (often done to steal information)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7352 cmdline: loaddll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7404 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7428 cmdline: rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

regsvr32.exe (PID: 7412 cmdline: regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

rundll32.exe (PID: 7436 cmdline: rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7500 cmdline: rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7656 cmdline: rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems): Data: Details: C:\Users\user\Desktop\rcM4Cx31Iy.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 7412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\InprocServer32\(Default)

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: IESuper, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 7412, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\(Default)

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rcM4Cx31Iy.dll

ReversingLabs: Detection: 36%

Source: rcM4Cx31Iy.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001715A _snwprintf,_snwprintf,FindFirstFileW,wcscmp,wcscmp,wcscmp,_snwprintf,_snwprintf,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		6_2_1001715A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C553 memset,FindFirstFileW,FindClose,		6_2_1000C553

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000A13F GetTickCount,memset,memset,ResetEvent,InternetReadFileExA,SetEvent,InternetReadFile,GetLastError,

6_2_1000A13F

Source: rcM4Cx31Iy.dll

String found in binary or memory: <a href="http://yahoo.cn/" target="_blank">http://www.yahoo.cn/</a> equals www.yahoo.com (Yahoo)

Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://127.0.0.1/%s
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://bbs.iesuper.com
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://bbs.qihoo.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://bt.fkee.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://bt.fkee.com/search.aspx?q=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://d.sogou.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://d.sogou.com/music.so?pf=&query=
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://data.alexa.com/data/gWjM61Z9yy83rr?cli=10&dat=snba&ver=7.2&cdt=alx_vw%3D20%26wid%3D11092%26ac
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://download.pchome.net/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://download.pchome.net/php/search.php?pid=0&searchstr=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://download.pcpop.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://download.pcpop.com/List.html?printing=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://find.verycd.com/folders/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://mp3.baidu.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://mp3.baidu.com/m?ct=134217728&word=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://search.blogcn.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.blogcn.com/BlogResult.aspx?SearchType=2&txtQuery=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.btchina.net/search.php?query=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.cn.yahoo.com/search?p=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.crsky.com/search.asp?keyword=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://search.sogua.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.sogua.com/search.asp?key=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.tuotu.com/?key=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://search.tvsou.com/?KeyWords=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://shooter.cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://shooter.cn/sub/?searchword=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://so.bbs.qihoo.com/index.html?kw=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://so.mydrivers.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://so.mydrivers.com/drivers/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://so.xunlei.com/search?search=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://try.iesuper.com/client/webinfo.htm
Source: rundll32.exe	String found in binary or memory: http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s
Source: rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s1.0.1.40OEMIDneedfileurl%s%s%spath
Source: rundll32.exe	String found in binary or memory: http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://weather.tq121.com.cn/detail.php?city=
Source: rundll32.exe	String found in binary or memory: http://www.alexa.com/data/details/traffic_details?url=%s
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.baidu.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.baidu.com/baidu?word=
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_2_dg
Source: rundll32.exe	String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_3_dg
Source: rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_3_dgEDIT_CLASSPROCInstallDoneToolbarWindow32Search
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.btchina.net/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.crsky.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.google.com/
Source: rundll32.exe	String found in binary or memory: http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.google.com/search?q=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.iciba.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.iciba.com/search?s=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.iesuper.com
Source: rundll32.exe	String found in binary or memory: http://www.iesuper.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.iesuper.com/cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.iesuper.com/cn/hl/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.iesuper.com/help.htm
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.kooxoo.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.kooxoo.com/search?q=
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.live.com.cn/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.tq121.com.cn/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.tuotu.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.tvsou.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.verycd.com/
Source: rcM4Cx31Iy.dll	String found in binary or memory: http://www.xunlei.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://www.yahoo.cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: http://yahoo.cn/
Source: rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	String found in binary or memory: https:///://IESuper_PROPIMGTahomaTAB...Google:%s

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10013F56 GetKeyState,GetKeyState,GetKeyState,GetMessagePos,ScreenToClient,wcslen,OpenClipboard,EmptyClipboard,lstrlenW,WideCharToMultiByte,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,GlobalFree,LoadStringW,GetForegroundWindow,MessageBoxW,LoadStringW,_snwprintf,SysAllocString,SysFreeString,Sleep,

6_2_10013F56

Source: C:\Windows\SysWOW64\rundll32.exe

6_2_10013F56

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002839 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	6_2_10002839
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005095 GetPropW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetWindowTextW,_snwprintf,SetWindowTextW,CallWindowProcW,	6_2_10005095
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001EF3 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,SysAllocString,_wtoi,SysFreeString,_wcsicmp,SysAllocString,GetCursorPos,ScreenToClient,SysFreeString,SysFreeString,SysFreeString,	6_2_10001EF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10013F56 GetKeyState,GetKeyState,GetKeyState,GetMessagePos,ScreenToClient,wcslen,OpenClipboard,EmptyClipboard,lstrlenW,WideCharToMultiByte,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,GlobalFree,LoadStringW,GetForegroundWindow,MessageBoxW,LoadStringW,_snwprintf,SysAllocString,SysFreeString,Sleep,	6_2_10013F56

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10010ADA: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle,

6_2_10010ADA

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10012267

6_2_10012267

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100160B6 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10017FA0 appears 52 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656

Source: rcM4Cx31Iy.dll

Binary or memory string: OriginalFilenameiesuper.dll vs rcM4Cx31Iy.dll

Source: rcM4Cx31Iy.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal60.winDLL@15/5@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000ADD3 GetTickCount,PathGetDriveNumberW,GetDiskFreeSpaceExW,LdrInitializeThunk,CreateFileW,__aulldiv,

6_2_1000ADD3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000BA33 CoInitialize,CoCreateInstance,SysAllocString,SysFreeString,_wcsicmp,_snwprintf,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,memset,SysFreeString,SysFreeString,CoUninitialize,DeleteFileW,

6_2_1000BA33

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10016972 FindResourceW,LoadResource,SizeofResource,LockResource,

6_2_10016972

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7500
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c569dea6-bd4f-496c-865e-878ae600b039

Jump to behavior

Source: rcM4Cx31Iy.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1

Source: rcM4Cx31Iy.dll

ReversingLabs: Detection: 36%

Source: rundll32.exe

String found in binary or memory: http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}\InprocServer32

Jump to behavior

Source: rcM4Cx31Iy.dll

Static PE information: section name: .phoenix

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10018000 push eax; ret		6_2_1001802E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017FA0 push eax; ret		6_2_10017FBE

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle, \\.\PhysicalDrive%d

6_2_10010ADA

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle, \\.\PhysicalDrive%d

6_2_10010ADA

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NULL	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NULL	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NoExplorer	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NoExplorer	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10014ED8 sidt fword ptr [100D51C8h]

6_2_10014ED8

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001715A _snwprintf,_snwprintf,FindFirstFileW,wcscmp,wcscmp,wcscmp,_snwprintf,_snwprintf,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		6_2_1001715A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C553 memset,FindFirstFileW,FindClose,		6_2_1000C553

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000A074 GetTickCount,LdrInitializeThunk,InternetSetOptionW,

6_2_1000A074

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10007C13 OutputDebugStringA,GetLastError,

6_2_10007C13

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10014ED8 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,

6_2_10014ED8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000381A _snwprintf,wcsrchr,wcsncpy,DeleteFileW,LoadStringW,GetForegroundWindow,MessageBoxW,GetModuleFileNameW,GetShortPathNameW,_snwprintf,ShellExecuteW,PostThreadMessageW,

6_2_1000381A

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000E992 GetSystemTime,SystemTimeToFileTime,CommitUrlCacheEntryW,

6_2_1000E992

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10007B74 GetVersion,GetVersion,GetFileAttributesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetVersion,GetProcAddress,

6_2_10007B74

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006D83 GetClassNameW,wcscmp,EnumChildWindows,FindWindowExW,FindWindowExW,FindWindowExW,		6_2_10006D83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CF69 FindWindowExW,FindWindowExW,FindWindowExW,PostMessageW,		6_2_1000CF69

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	21 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Bootkit	11 Process Injection	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Regsvr32	LSA Secrets	4 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Bootkit	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Rundll32	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rcM4Cx31Iy.dll	37%	ReversingLabs	Win32.Spyware.Alexa

Source	Detection	Scanner	Label
http://www.kooxoo.com/	0%	Avira URL Cloud	safe
http://www.crsky.com/	0%	Avira URL Cloud	safe
http://www.tuotu.com/	0%	Avira URL Cloud	safe
http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s1.0.1.40OEMIDneedfileurl%s%s%spath	0%	Avira URL Cloud	safe
http://www.iesuper.com	0%	Avira URL Cloud	safe
http://search.crsky.com/search.asp?keyword=	0%	Avira URL Cloud	safe
http://mp3.baidu.com/m?ct=134217728&word=	0%	Avira URL Cloud	safe
http://bbs.qihoo.com/	0%	Avira URL Cloud	safe
http://www.tq121.com.cn/	0%	Avira URL Cloud	safe
http://so.xunlei.com/search?search=	0%	Avira URL Cloud	safe
http://so.mydrivers.com/drivers/	0%	Avira URL Cloud	safe
http://127.0.0.1/%s	0%	Avira URL Cloud	safe
http://www.tvsou.com/	0%	Avira URL Cloud	safe
http://search.cn.yahoo.com/search?p=	0%	Avira URL Cloud	safe
http://www.iesuper.com/help.htm	0%	Avira URL Cloud	safe
http://www.yahoo.cn/	0%	Avira URL Cloud	safe
http://yahoo.cn/	0%	Avira URL Cloud	safe
http://www.verycd.com/	0%	Avira URL Cloud	safe
http://search.blogcn.com/BlogResult.aspx?SearchType=2&txtQuery=	0%	Avira URL Cloud	safe
http://www.iesuper.com/cn/	0%	Avira URL Cloud	safe
http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s	0%	Avira URL Cloud	safe
http://download.pchome.net/php/search.php?pid=0&searchstr=	0%	Avira URL Cloud	safe
http://www.kooxoo.com/search?q=	0%	Avira URL Cloud	safe
http://www.live.com.cn/	0%	Avira URL Cloud	safe
http://search.btchina.net/search.php?query=	0%	Avira URL Cloud	safe
http://d.sogou.com/	0%	Avira URL Cloud	safe
http://weather.tq121.com.cn/detail.php?city=	0%	Avira URL Cloud	safe
http://download.pcpop.com/	0%	Avira URL Cloud	safe
http://try.iesuper.com/client/webinfo.htm	0%	Avira URL Cloud	safe
http://www.iesuper.com/	0%	Avira URL Cloud	safe
http://bt.fkee.com/	0%	Avira URL Cloud	safe
http://so.mydrivers.com/	0%	Avira URL Cloud	safe
https:///://IESuper_PROPIMGTahomaTAB...Google:%s	0%	Avira URL Cloud	safe
http://find.verycd.com/folders/	0%	Avira URL Cloud	safe
http://mp3.baidu.com/	0%	Avira URL Cloud	safe
http://so.bbs.qihoo.com/index.html?kw=	0%	Avira URL Cloud	safe
http://d.sogou.com/music.so?pf=&query=	0%	Avira URL Cloud	safe
http://www.iesuper.com/cn/hl/	0%	Avira URL Cloud	safe
http://search.blogcn.com/	0%	Avira URL Cloud	safe
http://bt.fkee.com/search.aspx?q=	0%	Avira URL Cloud	safe
http://download.pchome.net/	0%	Avira URL Cloud	safe
http://bbs.iesuper.com	0%	Avira URL Cloud	safe
http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s	0%	Avira URL Cloud	safe
http://search.tvsou.com/?KeyWords=	0%	Avira URL Cloud	safe
http://www.btchina.net/	0%	Avira URL Cloud	safe
http://download.pcpop.com/List.html?printing=	0%	Avira URL Cloud	safe
http://search.tuotu.com/?key=	0%	Avira URL Cloud	safe
http://search.sogua.com/	0%	Avira URL Cloud	safe
http://search.sogua.com/search.asp?key=	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s	rundll32.exe	false		high
http://www.xunlei.com/	rcM4Cx31Iy.dll	false		high
http://www.baidu.com/baidu?word=%s&tn=sper_2_dg	rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://www.tq121.com.cn/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s1.0.1.40OEMIDneedfileurl%s%s%spath	rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.kooxoo.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://so.xunlei.com/search?search=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://mp3.baidu.com/m?ct=134217728&word=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.tuotu.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://bbs.qihoo.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.crsky.com/search.asp?keyword=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iesuper.com	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.live.com/results.aspx?q=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://www.crsky.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://so.mydrivers.com/drivers/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.baidu.com/baidu?word=%s&tn=sper_3_dgEDIT_CLASSPROCInstallDoneToolbarWindow32Search	rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://yahoo.cn/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.cn.yahoo.com/search?p=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://127.0.0.1/%s	rundll32.exe, rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.tvsou.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iesuper.com/help.htm	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.yahoo.cn/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iesuper.com/cn/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.baidu.com/baidu?word=	rcM4Cx31Iy.dll	false		high
http://shooter.cn/sub/?searchword=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://www.verycd.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.blogcn.com/BlogResult.aspx?SearchType=2&txtQuery=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iciba.com/search?s=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s	rundll32.exe	false	Avira URL Cloud: safe	unknown
http://www.live.com.cn/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://download.pchome.net/php/search.php?pid=0&searchstr=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://weather.tq121.com.cn/detail.php?city=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://d.sogou.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.kooxoo.com/search?q=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.btchina.net/search.php?query=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://download.pcpop.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://www.iesuper.com/	rundll32.exe	false	Avira URL Cloud: safe	unknown
http://www.google.com/search?q=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://try.iesuper.com/client/webinfo.htm	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://so.mydrivers.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.alexa.com/data/details/traffic_details?url=%s	rundll32.exe	false		high
http://shooter.cn/	rcM4Cx31Iy.dll	false		high
http://bt.fkee.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
https:///://IESuper_PROPIMGTahomaTAB...Google:%s	rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iesuper.com/cn/hl/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://find.verycd.com/folders/	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.baidu.com/baidu?word=%s&tn=sper_3_dg	rundll32.exe	false		high
http://www.baidu.com/	rcM4Cx31Iy.dll	false		high
http://so.bbs.qihoo.com/index.html?kw=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://data.alexa.com/data/gWjM61Z9yy83rr?cli=10&dat=snba&ver=7.2&cdt=alx_vw%3D20%26wid%3D11092%26ac	rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false		high
http://mp3.baidu.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://d.sogou.com/music.so?pf=&query=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.blogcn.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://bt.fkee.com/search.aspx?q=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://download.pchome.net/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://bbs.iesuper.com	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s	rundll32.exe	false	Avira URL Cloud: safe	unknown
http://search.tvsou.com/?KeyWords=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.btchina.net/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://download.pcpop.com/List.html?printing=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.tuotu.com/?key=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://search.sogua.com/	rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.iciba.com/	rcM4Cx31Iy.dll	false		high
http://search.sogua.com/search.asp?key=	rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll	false	Avira URL Cloud: safe	unknown
http://www.google.com/	rcM4Cx31Iy.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567176
Start date and time:	2024-12-03 08:44:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rcM4Cx31Iy.dll renamed because original name is a hash value
Original Sample Name:	5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211.dll
Detection:	MAL
Classification:	mal60.winDLL@15/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 193
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: rcM4Cx31Iy.dll

Simulations

Behavior and APIs

Time	Type	Description
02:45:06	API Interceptor	1x Sleep call for process: loaddll32.exe modified
02:45:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9bba6880298fd69bbd62a2e3ccc3e1353d16d6bf_7522e4b5_bd184202-64a7-4a1b-9a9d-c8d614e36535\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8915423059555531
Encrypted:	false
SSDEEP:	192:lWiheOsD0BU/wjeTiQzuiFNZ24IO8dci:YipswBU/wjeHzuiFNY4IO8dci
MD5:	F0944D8CB633A0D2021F87016BC9F958
SHA1:	134B2ED48695DBC3448B3C1946F7E343214C2003
SHA-256:	7529ED680B0E1D398B287F80F961EF6450731B568C39A3077E864A08790D59CA
SHA-512:	8E3B0EE76515F4F4DBFAA3C7F9CE4809474391E2C046C7E1B466B7A3EA661E3E563988F432774F0EE760A2F1E7E5B7FDECEB7377A5474352EC8E1AD7B4B93512
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.6.8.5.5.0.1.1.9.7.6.2.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.6.8.5.5.0.1.5.7.2.6.3.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.1.8.4.2.0.2.-.6.4.a.7.-.4.a.1.b.-.9.a.9.d.-.c.8.d.6.1.4.e.3.6.5.3.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.9.f.7.2.5.c.-.8.2.1.3.-.4.7.6.c.-.9.b.1.8.-.5.d.9.2.c.2.e.b.0.a.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.4.c.-.0.0.0.1.-.0.0.1.4.-.b.0.1.7.-.e.a.4.1.5.7.4.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC00F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 3 07:45:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43404
Entropy (8bit):	2.0248619818294804
Encrypted:	false
SSDEEP:	192:+4wuwmfwXd6kO5H4pnahkCu9jwOEWCQ0e4JN:GBIw6r5H2n7tjwOEyYN
MD5:	857693E2BEFB0023FD6C7F6C5C274509
SHA1:	0685E3834823EA3C6CF7512595DE8F4790E4B5CF
SHA-256:	BD8960A4428680567D24A24D6C526768A076CD086158ACB8D5DF79D12C94E529
SHA-512:	A0CA2B9294FD4EA2F382089DD61E45C592124448EE4437CD2D2F51A2ECC8151C9D6D046DE8D726E73EFE0D1286028C1CE20043AA32146227941AA5265AACE412
Malicious:	false
Preview:	MDMP..a..... .........Ng.........................................+..........T.......8...........T...........(...d...........X...........D...............................................................................eJ..............GenuineIntel............T.......L.....Ng.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0BC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	3.6929409204552255
Encrypted:	false
SSDEEP:	192:R6l7wVeJni6IzCOqe6YZq6egmfTl0prQ89bBgsfeLm:R6lXJi6Iz7D6YE6egmfTlcBzfD
MD5:	944BA534BDA16A95BAAD8947B3D05B9D
SHA1:	AAA32B78E5EAEFC45CF25C6B7BCE599C182310A8
SHA-256:	A137343A8B20792A932DF0EDCD58EF258DDAA5734EFBFFD75F1FBE05C2453803
SHA-512:	EDF08AFDB10140E3A5EB42D257D373A9C1BFE976AC967E06A05088858CABF53A9273922F8C7A016237F9F478DB96BC8BD079E35E4C8902D9BAA8C61B0FDD1DC0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0EC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.459397997681426
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZ7oJg77aI91CXWpW8VYjYm8M4JCdPkFcT+q8/AOGScSbd:uIjfgI7Wm7VfJyTmJ3bd
MD5:	CF992A04F34CEB3E69AB5D43FF4E0501
SHA1:	1E8A48D86549500D30351E6A29379A5EB23FF164
SHA-256:	404189D3810C16C2E9CFFC8C42F45BC7500C778D43CB47118E51BD05AE7DDC4A
SHA-512:	36D67C38BB4473DF90ED5AD22E1AE628327D8E8512C3B66789A8D501DA7674365F9D89E57303FB9A365A5C66FC341628A8CB5FFDCC8021A6A479CC159EC9DC21
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="614807" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4662360420326666
Encrypted:	false
SSDEEP:	6144:hIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:iXD94+WlLZMM6YFHT+G
MD5:	2B9F614887258A06737D1D83FE0402FA
SHA1:	A08490C3E63522F1690B2290D5237557134F043F
SHA-256:	0CE1F9CF5364FD0E10139550B90257CC75BD010237401D14C2817D844D6D3319
SHA-512:	15641CF66955E6F5096F5F74B38ED11D5A37C74EE3547C45EEA6190A1A9936E7881201A7C4D72D48FE1D774CA3F1A1BEEFD9F1827737AB7F9BA5BCBF5DCD11F8
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*..BWE.................................................................................................................................................................................................................................................................................................................................................v........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.363986200938899
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 75.67% DirectShow filter (201580/2) 15.22% Windows ActiveX control (116523/4) 8.80% Generic Win/DOS Executable (2004/3) 0.15% DOS Executable Generic (2002/1) 0.15%
File name:	rcM4Cx31Iy.dll
File size:	249'856 bytes
MD5:	da2334af47d1daf91c6a7921875f9526
SHA1:	acc6e16ec59360157741fd0d72497d83f40dd355
SHA256:	5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211
SHA512:	2d36a2242d1d22ef92c054dbe155859e770b7d0da138358a130eaf3870daa3c646442634fea662402cf432124b6e77d8364f5b7a4f3352ce3c4b9dca74282a94
SSDEEP:	6144:vBXaVUF2oFT195r9/WHlGdh2towFk25/:JKUF/FTxr1zi
TLSH:	9C348F0137E44016EAFB103C55346E79EA7FA975CC31C88A7B1C2D4FABB4906C93A766
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./8..kY..kY..kY...Es.oY...Eq.nY...Fu.oY...F{.iY...Ft.iY..5{t.iY...Q .zY..kY~..X...Q".vY..].t.GY..._y.jY...y{.jY..RichkY.........

File Icon


Icon Hash:	1c9b732e8d951b1f

Static PE Info

General

Entrypoint:	0x1001823d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x4726A924 [Tue Oct 30 03:46:44 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	220f284c834d1823fcf5f8e8c2e44389

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F5D899E5E2Bh
cmp dword ptr [100D6A6Ch], 00000000h
jmp 00007F5D899E5E48h
cmp esi, 01h
je 00007F5D899E5E27h
cmp esi, 02h
jne 00007F5D899E5E44h
mov eax, dword ptr [100D6AB0h]
test eax, eax
je 00007F5D899E5E2Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F5D899E5E2Eh
push edi
push esi
push ebx
call 00007F5D899E5D3Ah
test eax, eax
jne 00007F5D899E5E26h
xor eax, eax
jmp 00007F5D899E5E70h
push edi
push esi
push ebx
call 00007F5D899D1E73h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F5D899E5E2Eh
test eax, eax
jne 00007F5D899E5E59h
push edi
push eax
push ebx
call 00007F5D899E5D16h
test esi, esi
je 00007F5D899E5E27h
cmp esi, 03h
jne 00007F5D899E5E48h
push edi
push esi
push ebx
call 00007F5D899E5D05h
test eax, eax
jne 00007F5D899E5E25h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F5D899E5E33h
mov eax, dword ptr [100D6AB0h]
test eax, eax
je 00007F5D899E5E2Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
push esi
mov esi, ecx
call 00007F5D899E5E4Bh
test byte ptr [esp+08h], 00000001h
je 00007F5D899E5E29h
push esi
call 00007F5D899E5ABBh
pop ecx
mov eax, esi
pop esi
retn 0004h
jmp dword ptr [10019288h]
jmp dword ptr [1001928Ch]
jmp dword ptr [00000094h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804
[LNK] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1d670	0xbe	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1bc20	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x15f30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0x1c60	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x518	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1795d	0x18000	e7a731e86f123a0edef44c6125e9a562	False	0.5604349772135416	data	6.495852189440418	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x472e	0x5000	dffd785d65bc3f7e8bb543eff14422db	False	0.356005859375	data	5.0090202991925885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0xb8abc	0x4000	50ef63672a45e914ffcbb95f770a03f1	False	0.25616455078125	data	3.06742684716763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.phoenix	0xd7000	0x348	0x1000	1013a7050bbfd4695c73560b0c17d466	False	0.04443359375	data	0.3245434367285017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd8000	0x15f30	0x16000	23c2f98e985c019bd77282511c29ae84	False	0.3353604403409091	data	6.447801457543815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0x3256	0x4000	1c772a7a079484d0b5d9fb9cdb7fe34d	False	0.36700439453125	data	3.887464777926258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMG	0xeb910	0x1cf	GIF image data, version 89a, 34 x 18	English	United States	1.019438444924406
IMG	0xebae0	0x462	GIF image data, version 89a, 72 x 18	English	United States	1.0098039215686274
IMG	0xebf48	0x33e	GIF image data, version 89a, 36 x 18	English	United States	0.9120481927710843
IMG	0xec288	0x273	GIF image data, version 89a, 72 x 18	English	United States	0.9776714513556619
IMG	0xec500	0x28e	GIF image data, version 89a, 16 x 16	English	United States	1.0168195718654434
IMG	0xec790	0x25e	GIF image data, version 89a, 16 x 16	English	United States	0.9488448844884488
IMG	0xec9f0	0x175	GIF image data, version 89a, 16 x 16	English	United States	0.9222520107238605
IMG	0xecb68	0x173	GIF image data, version 89a, 16 x 16	English	United States	0.9245283018867925
IMG	0xecce0	0x178	GIF image data, version 89a, 16 x 16	English	United States	0.9707446808510638
IMG	0xece58	0x178	GIF image data, version 89a, 16 x 16	English	United States	0.976063829787234
IMG	0xecfd0	0x172	GIF image data, version 89a, 16 x 16	English	United States	0.9324324324324325
IMG	0xed148	0x26b	GIF image data, version 89a, 16 x 16	English	United States	0.9870759289176091
REGISTRY	0xea3b8	0x4bc	ASCII text, with CRLF line terminators	English	United States	0.2764026402640264
SCRIPT	0xe93e8	0x2fb	ASCII text, with CRLF line terminators	Chinese	China	0.418086500655308
TYPELIB	0xed3b8	0x684	data	English	United States	0.3207434052757794
RT_BITMAP	0xeab00	0xe0e	Device independent bitmap graphic, 192 x 16 x 8, image size 3074, resolution 2834 x 2834 px/m, 121 important colors	English	United States	0.3507504168982768
RT_ICON	0xe9790	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Chinese	China	0.7030685920577617
RT_MENU	0xd8e00	0x6a	data	Chinese	China	0.7735849056603774
RT_DIALOG	0xe96e8	0xa6	data	Chinese	China	0.7469879518072289
RT_STRING	0xeddb8	0x60	data	Chinese	China	0.75
RT_STRING	0xedc80	0x136	data	Chinese	China	0.8516129032258064
RT_STRING	0xede18	0x114	data	Chinese	China	0.5398550724637681
RT_STRING	0xeda40	0x48	data	Chinese	China	0.7361111111111112
RT_STRING	0xeda88	0x7a	Matlab v4 mat-file (little endian) \250R\O, numeric, rows 0, columns 0	Chinese	China	0.5245901639344263
RT_STRING	0xedb08	0x174	data	Chinese	China	0.793010752688172
RT_GROUP_ICON	0xea038	0x14	data	Chinese	China	1.15
RT_VERSION	0xea050	0x364	data	English	United States	0.4573732718894009
RT_HTML	0xe6978	0x92	GIF image data, version 89a, 12 x 12	Chinese	China	1.0753424657534247
RT_HTML	0xe7650	0x176	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x41, components 3	Chinese	China	0.7058823529411765
RT_HTML	0xe7940	0x1e9	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x41, components 3	Chinese	China	0.7914110429447853
RT_HTML	0xe77c8	0x176	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x41, components 3	Chinese	China	0.7112299465240641
RT_HTML	0xe6b90	0xabe	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 154x41, components 3	Chinese	China	0.9367272727272727
RT_HTML	0xe6a10	0x17b	GIF image data, version 89a, 315 x 1	Chinese	China	0.9445910290237467
RT_HTML	0xe8968	0xcd	GIF image data, version 89a, 16 x 16	Chinese	China	0.926829268292683
RT_HTML	0xe8a38	0xcc	GIF image data, version 89a, 16 x 16	Chinese	China	0.9215686274509803
RT_HTML	0xe8b08	0xc9	GIF image data, version 89a, 16 x 16	Chinese	China	0.9253731343283582
RT_HTML	0xe8bd8	0xc9	GIF image data, version 89a, 16 x 16	Chinese	China	0.9253731343283582
RT_HTML	0xe8ca8	0xdc	GIF image data, version 89a, 16 x 16	Chinese	China	1.05
RT_HTML	0xe8d88	0xdd	GIF image data, version 89a, 16 x 16	Chinese	China	1.0497737556561086
RT_HTML	0xe8e68	0xde	GIF image data, version 89a, 16 x 16	Chinese	China	1.0495495495495495
RT_HTML	0xe8f48	0xde	GIF image data, version 89a, 16 x 16	Chinese	China	1.0495495495495495
RT_HTML	0xe9028	0xee	GIF image data, version 89a, 16 x 16	Chinese	China	1.046218487394958
RT_HTML	0xe9118	0xee	GIF image data, version 89a, 16 x 16	Chinese	China	1.046218487394958
RT_HTML	0xe9208	0xee	GIF image data, version 89a, 16 x 16	Chinese	China	1.046218487394958
RT_HTML	0xe92f8	0xec	GIF image data, version 89a, 16 x 16	Chinese	China	1.0466101694915255
RT_HTML	0xe7f70	0x9f6	MS Windows icon resource - 2 icons, 16x16, 8 bits/pixel, 16x16, 32 bits/pixel	Chinese	China	0.20509803921568628
RT_HTML	0xd8e70	0xbb3	HTML document, ISO-8859 text, with CRLF line terminators	Chinese	China	0.3298831385642738
RT_HTML	0xdce38	0x7e4f	ASCII text, with very long lines (634), with CRLF line terminators	Chinese	China	0.1866707901654554
RT_HTML	0xe64c0	0x4b2	ASCII text, with CRLF line terminators	Chinese	China	0.39933444259567386
RT_HTML	0xe4c88	0x1833	ISO-8859 text, with CRLF line terminators	Chinese	China	0.3549636803874092
RT_HTML	0xd9a28	0x340d	HTML document, ISO-8859 text, with CRLF line terminators	Chinese	China	0.21193245778611633
RT_HTML	0xe7b30	0x16e	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x26, components 3	Chinese	China	0.7021857923497268
RT_HTML	0xe7ca0	0x151	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x26, components 3	Chinese	China	0.655786350148368
RT_HTML	0xe7df8	0x176	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 12x26, components 3	Chinese	China	0.7085561497326203
RT_MANIFEST	0xea878	0x283	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.505443234836703

Imports

DLL	Import
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
urlmon.dll	CoInternetCombineUrl, ObtainUserAgentString
WININET.dll	InternetCrackUrlW, InternetSetOptionW, InternetQueryOptionW, FtpCommandW, InternetGetLastResponseInfoW, FtpOpenFileW, HttpEndRequestW, InternetReadFile, InternetGetConnectedState, GetUrlCacheEntryInfoW, CreateUrlCacheEntryW, CommitUrlCacheEntryW, HttpQueryInfoW, FtpGetFileSize, HttpOpenRequestW, HttpSendRequestExW, InternetOpenW, InternetConnectW, InternetSetOptionA, InternetSetStatusCallbackW, InternetCloseHandle, InternetReadFileExA
SHLWAPI.dll	PathFindFileNameW, SHSetValueW, SHGetValueW, UrlCanonicalizeW, PathGetDriveNumberW, PathIsRootW, PathIsDirectoryW, SHDeleteKeyW, StrRetToBufW, PathCombineW
KERNEL32.dll	LocalFree, GetWindowsDirectoryW, MoveFileExW, SetUnhandledExceptionFilter, ExitProcess, lstrlenW, GetModuleFileNameW, lstrcpyW, GetShortPathNameW, InterlockedIncrement, InterlockedDecrement, lstrlenA, GetTempPathW, GetTickCount, DeleteFileW, RemoveDirectoryW, CloseHandle, DisableThreadLibraryCalls, MultiByteToWideChar, GetCurrentThreadId, GetPrivateProfileStringW, WideCharToMultiByte, SetLastError, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetFileAttributesW, GetVersion, OutputDebugStringA, LoadLibraryW, lstrcatW, GetCurrentProcess, FreeLibrary, SetErrorMode, LoadLibraryExA, CreateEventW, SetEvent, WaitForSingleObject, TlsSetValue, IsBadWritePtr, IsBadReadPtr, CancelWaitableTimer, WaitForMultipleObjects, ResetEvent, GetTempFileNameW, SetWaitableTimer, CreateWaitableTimerW, SystemTimeToFileTime, CreateFileW, GetDiskFreeSpaceExW, SetFileTime, SetEndOfFile, ReadFile, SetFilePointer, WriteFile, GlobalUnlock, GlobalLock, FindClose, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetFileSize, CreateDirectoryW, LoadLibraryA, WriteProcessMemory, ReadProcessMemory, VirtualProtect, GetSystemTime, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetVersionExW, DeviceIoControl, CopyFileW, Sleep, GlobalFree, GlobalAlloc, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceW, MulDiv
USER32.dll	SendMessageTimeoutW, UnhookWindowsHookEx, SetWindowsHookExW, InvalidateRect, GetAncestor, IsChild, GetParent, GetSystemMetrics, SetWindowPos, DialogBoxParamW, LoadMenuW, GetSubMenu, CopyRect, TrackPopupMenuEx, DestroyIcon, ReleaseCapture, SetCapture, LoadBitmapW, DestroyMenu, EndDialog, SetDlgItemTextW, BeginPaint, GetDesktopWindow, GetClientRect, LoadIconW, DrawIcon, EndPaint, EnumWindows, EnumChildWindows, GetMessagePos, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, CreateWindowExW, RegisterClassExW, GetSysColor, GetClassNameW, GetWindowRect, MapWindowPoints, SendMessageW, FindWindowExW, IsWindow, GetWindowLongW, SetWindowLongW, DestroyWindow, GetWindowTextW, SetWindowTextW, CallWindowProcW, PostMessageW, CallNextHookEx, GetMessageW, LoadStringW, GetForegroundWindow, MessageBoxW, PostThreadMessageW, CharNextW, GetKeyState, GetCursorPos, ScreenToClient, GetPropW, SetPropW, wsprintfW, ReleaseDC, GetDC, DefWindowProcW, FillRect, IsWindowVisible, InflateRect, OffsetRect, DrawTextA, SetTimer, PtInRect, LoadCursorW, SetCursor, TrackMouseEvent, GetDlgItem
GDI32.dll	CreateCompatibleDC, BitBlt, CreateCompatibleBitmap, DeleteDC, GetDeviceCaps, CreateSolidBrush, SetTextColor, CreateFontIndirectW, SelectObject, DeleteObject, SetBkMode, GetStockObject
ADVAPI32.dll	RegQueryValueExW, RegCreateKeyW, RegOpenKeyExW, RegEnumKeyExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegDeleteValueW
SHELL32.dll	SHGetSpecialFolderPathW, SHBrowseForFolderW, SHGetDesktopFolder, SHGetMalloc, DragQueryFileW, ShellExecuteW
ole32.dll	CoCreateGuid, StringFromCLSID, CoInitialize, CoTaskMemFree, CoCreateInstance, CoUninitialize, StringFromIID, RevokeDragDrop, CreateStreamOnHGlobal, ReleaseStgMedium, RegisterDragDrop
OLEAUT32.dll	LoadTypeLib, RegisterTypeLib, OleLoadPicture, SysAllocString, SysFreeString
MSVCRT.dll	strcpy, sprintf, isalnum, _ui64tow, _wtol, wcsncat, _wtoi64, _ui64toa, wcschr, wcspbrk, strstr, strcmp, strncpy, swscanf, strlen, _wcsicmp, memcmp, _beginthreadex, wcsrchr, wcsncpy, wcscmp, wcscpy, time, wcscat, wcsstr, memmove, iswdigit, swprintf, vswprintf, ??2@YAPAXI@Z, memcpy, memset, wcsncmp, _ftol, _except_handler3, _wtoi, wcslen, _snwprintf, __CxxFrameHandler, iswspace, strrchr, free, fwrite, malloc, _wfopen, _wcsnicmp, wcstod, abs, fwprintf, _strlwr, strncat, fprintf, _strnicmp, rewind, _CxxThrowException, __dllonexit, _onexit, _initterm, _adjust_fdiv, ??1type_info@@UAE@XZ, strchr, strcat, _snprintf, fclose, fgets, fopen, fread, ftell, fseek
SETUPAPI.dll	SetupIterateCabinetW
NETAPI32.dll	Netbios

Exports

Name	Ordinal	Address
DllCanUnloadNow	1	0x1000430a
DllGetClassObject	2	0x10004316
DllRegisterServer	3	0x100044d1
DllUnregisterServer	4	0x100045cc
Rundll32_Update	5	0x1000465b

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Target ID:	0
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll"
Imagebase:	0xa50000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll
Imagebase:	0x500000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Imagebase:	0x1d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:44:57
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow
Imagebase:	0x1d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:45:00
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject
Imagebase:	0x1d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:45:01
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656
Imagebase:	0xd50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:45:03
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer
Imagebase:	0x1d0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Executed Functions

Function 10004316 Relevance: 3.8, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcmp.MSVCRT(?,100195E8,00000010), ref: 1000432C
memcmp.MSVCRT(?,100195F8,00000010), ref: 10004340
??2@YAPAXI@Z.MSVCRT(00000018), ref: 10004355

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memcmp$??2@
String ID:
API String ID: 4254110423-0
Opcode ID: c162d5a19bf3283fc4c4a0da82f3c55bbdc28b7c6fa53336b55c05385d4bf9da
Instruction ID: d0a2813baf0b4e3f2dd5bff614205c1db07550af0418b6490b1c51c524869a6f
Opcode Fuzzy Hash: c162d5a19bf3283fc4c4a0da82f3c55bbdc28b7c6fa53336b55c05385d4bf9da
Instruction Fuzzy Hash: 9B012472609611ABE362DA144C01F4F63C8DF892E1F120425FE80EF209DBA4EF4483EA

Non-executed Functions

Function 10013F56 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 196
clipboardkeyboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32(00000011), ref: 10013F73
GetKeyState.USER32(00000012), ref: 10013F7D
GetMessagePos.USER32 ref: 10013FBB
ScreenToClient.USER32(?,?), ref: 10013FDA
wcslen.MSVCRT ref: 10014017
OpenClipboard.USER32(00000000), ref: 1001401F
EmptyClipboard.USER32 ref: 1001402D
lstrlenW.KERNEL32(?), ref: 1001403E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 10014063
strlen.MSVCRT ref: 1001406C
GlobalAlloc.KERNEL32(00002002,00000001), ref: 1001407B
GlobalLock.KERNEL32(00000000), ref: 10014086
memcpy.MSVCRT(00000000), ref: 1001408D
GlobalUnlock.KERNEL32(00000000), ref: 10014096
SetClipboardData.USER32(00000001,00000000), ref: 1001409F
CloseClipboard.USER32 ref: 100140A5
GlobalFree.KERNEL32(00000000), ref: 100140AC
LoadStringW.USER32(00000BCE,?,00000104), ref: 100140E7
GetForegroundWindow.USER32(?,00000000,00000040), ref: 100140FF
MessageBoxW.USER32(00000000), ref: 10014106
LoadStringW.USER32(00000BCD,?,00000103,?), ref: 10014161
_snwprintf.MSVCRT ref: 1001417D
SysAllocString.OLEAUT32(?), ref: 1001418D
SysFreeString.OLEAUT32(00000000), ref: 100141A6
Sleep.KERNEL32(00000064), ref: 100141AE

Strings

`<u, xrefs: 100141A6

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardGlobalString$AllocFreeLoadMessageState$ByteCharClientCloseDataEmptyForegroundLockMultiOpenScreenSleepUnlockWideWindow_snwprintflstrlenmemcpystrlenwcslen
String ID: `<u
API String ID: 2432606060-3367579956
Opcode ID: cf52d2a4a569d1077253f782098fe2e3727ce157e3e27136e2751cbd845ea189
Instruction ID: 31b37c958da2e371cc7f275cd23d33a7b1dcfaf7843513c9150cf1d47390433b
Opcode Fuzzy Hash: cf52d2a4a569d1077253f782098fe2e3727ce157e3e27136e2751cbd845ea189
Instruction Fuzzy Hash: 10618172900229BFEB50DBA4CCC89EEB7B8EB44355F01846AFA05D7160CB70DAC5CB61

Function 1000BA33 Relevance: 42.4, APIs: 14, Strings: 10, Instructions: 355
commemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 1000BA4E
CoCreateInstance.OLE32(1001AED4,00000000,00000001,1001AEE4,?,?,1000A49C), ref: 1000BA68
SysAllocString.OLEAUT32 ref: 1000BA8C
SysFreeString.OLEAUT32(?), ref: 1000BAB7

Part of subcall function 1001736F: _wcsicmp.MSVCRT ref: 100173C0
Part of subcall function 1001736F: SysFreeString.OLEAUT32(?), ref: 100173CF

Part of subcall function 1001736F: SysFreeString.OLEAUT32(?), ref: 100173F0

_wcsicmp.MSVCRT ref: 1000BBC7
_snwprintf.MSVCRT ref: 1000BC37
_wcsicmp.MSVCRT ref: 1000BCCB
_wcsicmp.MSVCRT ref: 1000BD11
_wcsicmp.MSVCRT ref: 1000BD21
memset.MSVCRT ref: 1000BD57
SysFreeString.OLEAUT32(?), ref: 1000BD8E
SysFreeString.OLEAUT32(?), ref: 1000BDC0
CoUninitialize.OLE32(?,1000A49C), ref: 1000BE2A
DeleteFileW.KERNEL32(?,?,1000A49C), ref: 1000BE37

Strings

type, xrefs: 1000BCDB
url, xrefs: 1000BCC3
`<u, xrefs: 1000BAB7, 1000BD8E, 1000BDC0
files, xrefs: 1000BB23
resources, xrefs: 1000BC40
name, xrefs: 1000BBF8
ftp, xrefs: 1000BD19
file, xrefs: 1000BBBF
metalink, xrefs: 1000BAE9
http, xrefs: 1000BD09

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: String$Free_wcsicmp$AllocCreateDeleteFileInitializeInstanceUninitialize_snwprintfmemset
String ID: `<u$file$files$ftp$http$metalink$name$resources$type$url
API String ID: 2092109141-1808187254
Opcode ID: 484cbb720324a9971a4e5f9ef4e5464164a0e9bd6f7f27bb5216dbd08cc03fb9
Instruction ID: a36625fde354aeeee6f749cdbdac92e7604fe3b7d345383af1d592f19532db70
Opcode Fuzzy Hash: 484cbb720324a9971a4e5f9ef4e5464164a0e9bd6f7f27bb5216dbd08cc03fb9
Instruction Fuzzy Hash: AFD10871D0060AAFEB00DFA5CC889EEB7F9FF48345B11406AE505EB265DB31AE46CB50

Function 10001EF3 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 289keyboardmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10001EF8
GetKeyState.USER32(00000001), ref: 10001F3A
GetKeyState.USER32(00000011), ref: 10001F4D

Part of subcall function 10002839: GetKeyState.USER32(00000010), ref: 10002849
Part of subcall function 10002839: GetKeyState.USER32(0000000D), ref: 10002858
Part of subcall function 10002839: GetKeyState.USER32(00000020), ref: 10002867
Part of subcall function 10002839: GetKeyState.USER32(00000011), ref: 10002876

SysAllocString.OLEAUT32(TheWorldAttributeBlocked), ref: 10001F70
_wtoi.MSVCRT(?,?,00000000,?), ref: 10001FC8
SysFreeString.OLEAUT32(?), ref: 10001FD4
_wcsicmp.MSVCRT ref: 1000201B
SysFreeString.OLEAUT32(?), ref: 10002228
SysFreeString.OLEAUT32(?), ref: 10002236
SysFreeString.OLEAUT32(?), ref: 10002244

Part of subcall function 100026F2: __EH_prolog.LIBCMT ref: 100026F7

Strings

TheWorldAttributeTop, xrefs: 10002082
hidden, xrefs: 100021DC
TheWorldAttributeLeft, xrefs: 1000207B
`<u, xrefs: 10001FD4, 10002228, 10002236, 10002244
absolute, xrefs: 10002013
TheWorldAttributeBlocked, xrefs: 10001F6B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: State$String$Free$H_prolog$Alloc_wcsicmp_wtoi
String ID: TheWorldAttributeBlocked$TheWorldAttributeLeft$TheWorldAttributeTop$`<u$absolute$hidden
API String ID: 706166822-3567940827
Opcode ID: 733fd642387a7efe978b9368989aa365faf4172f7ad5e9920e43d6fbbfd27a7c
Instruction ID: e05b21001a3940841e4a3eab293ae48875e76253df8503a70e4beb32c2c2a781
Opcode Fuzzy Hash: 733fd642387a7efe978b9368989aa365faf4172f7ad5e9920e43d6fbbfd27a7c
Instruction Fuzzy Hash: DDA15C3190024AEFEF10DFA4CD84AEEBBB9FF44391F21412AF915A61A5DB719D81CB50

Function 1000381A Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 210windowfilethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 1000908F: SetEvent.KERNEL32(?,10003854), ref: 1000909A

Part of subcall function 1000929B: WaitForSingleObject.KERNEL32(?,000000FF,1007B388,00000001,1000EB98,?,?,00000001), ref: 100092A9
Part of subcall function 1000929B: CloseHandle.KERNEL32(?,1007B388,00000001,1000EB98,?,?,00000001), ref: 100092B8
Part of subcall function 1000929B: CloseHandle.KERNEL32(?,?,00000001), ref: 100092CA

_snwprintf.MSVCRT ref: 10003898
wcsrchr.MSVCRT ref: 100038CF
wcsncpy.MSVCRT ref: 100038ED

Part of subcall function 100082D8: SetupIterateCabinetW.SETUPAPI(00000000,00000000,10008327,?), ref: 100082F4

Part of subcall function 1000C553: memset.MSVCRT ref: 1000C56C
Part of subcall function 1000C553: FindFirstFileW.KERNEL32(?,?,?,?,00000103), ref: 1000C57E

DeleteFileW.KERNEL32(?), ref: 10003987
LoadStringW.USER32(0000007F,?,00000104,?), ref: 100039EE
GetForegroundWindow.USER32(?,00000000,00000024), ref: 10003A06
MessageBoxW.USER32(00000000), ref: 10003A0D
GetModuleFileNameW.KERNEL32(?,00000104,?), ref: 10003A77
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 10003A8C
_snwprintf.MSVCRT ref: 10003ACC
ShellExecuteW.SHELL32(00000000,1001E56C,Rundll32.exe,?,00000000,00000005), ref: 10003AEA
PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 10003AFA

Strings

Rundll32.exe, xrefs: 10003AE1
rename, xrefs: 1000396B
runas, xrefs: 10003A2C
%s%s, xrefs: 10003887
%s,Rundll32_Update %s, xrefs: 10003ABB
Update.ini, xrefs: 10003881

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseHandleMessageName_snwprintf$CabinetDeleteEventExecuteFindFirstForegroundIterateLoadModuleObjectPathPostSetupShellShortSingleStringThreadWaitWindowmemsetwcsncpywcsrchr
String ID: %s%s$%s,Rundll32_Update %s$Rundll32.exe$Update.ini$rename$runas
API String ID: 4016039360-2049735650
Opcode ID: db25a0ce88ea03ddce314280cddaf5696201eafcb0d4cbe41f290f11a4049405
Instruction ID: 2995bf00bd82f1533901a08430b78f7418ba298c7631cbcd4ebb67dd61007378
Opcode Fuzzy Hash: db25a0ce88ea03ddce314280cddaf5696201eafcb0d4cbe41f290f11a4049405
Instruction Fuzzy Hash: 9971B3B6900618ABEF11DB60CC88BDF77BDEB48355F008079F609D6191EB70EA85CB91

Function 1001715A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 118fileCOMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 100171AB
FindFirstFileW.KERNEL32(?,?), ref: 100171BE
wcscmp.MSVCRT ref: 100171E5
wcscmp.MSVCRT ref: 100171FD
_snwprintf.MSVCRT ref: 10017247
FindNextFileW.KERNEL32(?,?), ref: 100172B7
FindClose.KERNEL32(?), ref: 100172C8
RemoveDirectoryW.KERNEL32(?), ref: 100172DD

Strings

*.*, xrefs: 10017188
%s%s, xrefs: 10017197, 10017285
%s%s\, xrefs: 10017240

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File_snwprintfwcscmp$CloseDirectoryFirstNextRemove
String ID: %s%s$%s%s\$*.*
API String ID: 1477019690-4093207852
Opcode ID: 5e68d1411c0ffa750e871efd6600b66490e0b5c6a65d81313caada8e9867c259
Instruction ID: b0d5710228b784a7fe6d2b604dd987fcff64f3a63259d402a4e91883ed43fd83
Opcode Fuzzy Hash: 5e68d1411c0ffa750e871efd6600b66490e0b5c6a65d81313caada8e9867c259
Instruction Fuzzy Hash: 7941077680011DBAEF11DBA4CC48ADA7BB9FF48355F1081A6F609A7150EB31DAC6CF51

Function 10010ADA Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 126stringfileCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 10010AF8
lstrlenA.KERNEL32(?), ref: 10010B16
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10010B3E
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000001), ref: 10010B51
memset.MSVCRT ref: 10010B6C
DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 10010B87
memset.MSVCRT ref: 10010BAC
memset.MSVCRT ref: 10010BBD
strcat.MSVCRT(100D49A0,00000000,?,0000000A,00000013), ref: 10010C0F
CloseHandle.KERNEL32(00000000,?,00000001), ref: 10010C1F

Strings

\\.\PhysicalDrive%d, xrefs: 10010AEF

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$ByteCharCloseControlCreateDeviceFileHandleMultiWidelstrlensprintfstrcat
String ID: \\.\PhysicalDrive%d
API String ID: 1582757480-2935326385
Opcode ID: d5842e3be490aa3916ca4b8c3ae193df1ef0ab6d3bc6f9eca18a602dd2ec3b49
Instruction ID: de56629fcb83c68dbb552c18d5358ea884e3affdbebd3f9bd01cc3d16e96f5d0
Opcode Fuzzy Hash: d5842e3be490aa3916ca4b8c3ae193df1ef0ab6d3bc6f9eca18a602dd2ec3b49
Instruction Fuzzy Hash: 664170B294021CBFEB11DBA49C86EEF77BCEB05348F004065F945E6181EA74DF898B61

Function 10005095 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 83keyboardCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,EDIT_CLASSPROC), ref: 100050AA
GetKeyState.USER32(00000011), ref: 100050DC
GetKeyState.USER32(00000010), ref: 100050EF
GetKeyState.USER32(00000012), ref: 10005102
GetWindowTextW.USER32(?,?,00000823), ref: 1000513B

Part of subcall function 10017DC5: wcslen.MSVCRT ref: 10017DCC

_snwprintf.MSVCRT ref: 10005189
SetWindowTextW.USER32(?,?), ref: 1000519C
CallWindowProcW.USER32(?,?,00000100,?,?), ref: 100051B1

Strings

EDIT_CLASSPROC, xrefs: 100050A2
http://www.baidu.com/baidu?word=%s&tn=sper_3_dg, xrefs: 1000517C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: StateWindow$Text$CallProcProp_snwprintfwcslen
String ID: EDIT_CLASSPROC$http://www.baidu.com/baidu?word=%s&tn=sper_3_dg
API String ID: 968589025-3304716643
Opcode ID: 957e84cfd7951aa039e205f8326ecb6f59661dae23221ee50cff3b22e1a72e90
Instruction ID: 505fe47d6d44f5c9a72089668075abbe06ae85a988219b5299292e75f94122ef
Opcode Fuzzy Hash: 957e84cfd7951aa039e205f8326ecb6f59661dae23221ee50cff3b22e1a72e90
Instruction Fuzzy Hash: FC21917980126DABFF11CFA4CC48AEE77B9EB04381F4080A5FA49E2051D775DAC1CBA1

Function 10007B74 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(10019650,00000000,100D6AA8,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007B8E
GetFileAttributesW.KERNEL32(???.???,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007B9C
GetModuleHandleA.KERNEL32(Unicows.dll,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007BA7
GetProcAddress.KERNEL32(?,100D6AA8), ref: 10007BCF
GetVersion.KERNEL32(10019650,00000000,100D6AA8,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007BE1
GetProcAddress.KERNEL32(?,100D6AA8), ref: 10007C04

Strings

???.???, xrefs: 10007B97
Unicows.dll, xrefs: 10007BA2

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProcVersion$AttributesFileHandleModule
String ID: ???.???$Unicows.dll
API String ID: 3183861727-2162356649
Opcode ID: 69ea879896801c0755ef644bb47e86ef2526abcdf8a51a499f016541a663db94
Instruction ID: 36ada01938c02b0853c9db8c2dcc5ce5bf8b5aa996c5e6a44f04ced8e8fe5ddd
Opcode Fuzzy Hash: 69ea879896801c0755ef644bb47e86ef2526abcdf8a51a499f016541a663db94
Instruction Fuzzy Hash: 3A11A471900216EFEB41DFA9CC84B9A7BA8FB082A5F218059ED09D7120D735E950CB61

Function 10006D83 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000104), ref: 10006D9C
wcscmp.MSVCRT ref: 10006DB2
EnumChildWindows.USER32(?,Function_00006D35,?), ref: 10006DD2
FindWindowExW.USER32(?,00000000,msctls_statusbar32,00000000), ref: 10006DEC
FindWindowExW.USER32(00000000,00000000,IESuperWnd,00000000), ref: 10006DFC

Strings

IESuperWnd, xrefs: 10006DF4
msctls_statusbar32, xrefs: 10006DE2
IEFrame, xrefs: 10006DAC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FindWindow$ChildClassEnumNameWindowswcscmp
String ID: IEFrame$IESuperWnd$msctls_statusbar32
API String ID: 3674380715-333112653
Opcode ID: b7cd887949bee22ef57325bbd94f0a30acf87fa6bf871c11f4c56134818e399e
Instruction ID: fff8f997af27d3e16ccd2a156380269ad518e1af3b7378419e9f281b2cec1af9
Opcode Fuzzy Hash: b7cd887949bee22ef57325bbd94f0a30acf87fa6bf871c11f4c56134818e399e
Instruction Fuzzy Hash: 43014436504315BAFF109FA0DC49F9A3BA9EF047D1F208416FA10E90D4DBB0EA80CB90

Function 1000ADD3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158fileCOMMON

Download Yara Rule

APIs

PathGetDriveNumberW.SHLWAPI(?,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,?,?,10009E11), ref: 1000ADF6
GetDiskFreeSpaceExW.KERNEL32(?,?,00000000,00000000), ref: 1000AE1D
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,?,00000020,00000000), ref: 1000AE6D
__aulldiv.LIBCMT ref: 1000AEE0

Strings

\, xrefs: 1000AE13
:, xrefs: 1000AE0C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CreateDiskDriveFileFreeNumberPathSpace__aulldiv
String ID: :$\
API String ID: 2557304986-1166558509
Opcode ID: 10028d88b28e1f63bac81b0a1f87c598220c24b0cc81d418730d813a386a53f9
Instruction ID: 2a991bc16aad9059fc8f77110cbcba32cee342fa4e9789222d6ff37250ba4c94
Opcode Fuzzy Hash: 10028d88b28e1f63bac81b0a1f87c598220c24b0cc81d418730d813a386a53f9
Instruction Fuzzy Hash: 6C5132B190070ADFEB10CFA4C888AAEF7F5FF06395F10862EE566A7244D77469858B50

Function 1000A13F Relevance: 10.6, APIs: 7, Instructions: 87networkfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000A164
memset.MSVCRT ref: 1000A177
ResetEvent.KERNEL32(00000002,?,?,?,?,?,74DF23A0,?,?,?), ref: 1000A1C7
InternetReadFileExA.WININET(?,?,00000001,?), ref: 1000A1EB
SetEvent.KERNEL32(00000002,?,?,?,?,?,74DF23A0,?,?,?), ref: 1000A1F8
InternetReadFile.WININET(?,?,?,?), ref: 1000A20C
GetLastError.KERNEL32(?,?,?,?,?,74DF23A0,?,?,?), ref: 1000A214

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: EventFileInternetReadmemset$ErrorLastReset
String ID:
API String ID: 272531352-0
Opcode ID: 34750ba032f6ee5bb834cb050abfed6eda633ab0ecf4959b310e9f74a92d992c
Instruction ID: 1132d25de125887a8a30beacc89a1e3603bada286934a3542dc92d21463f411f
Opcode Fuzzy Hash: 34750ba032f6ee5bb834cb050abfed6eda633ab0ecf4959b310e9f74a92d992c
Instruction Fuzzy Hash: 1631B431100604EFE721DF69CC84F8ABBF9FF45380F118669E58A8B265DB31E989CB50

Function 1000C553 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000C56C
FindFirstFileW.KERNEL32(?,?,?,?,00000103), ref: 1000C57E
FindClose.KERNEL32(00000000,?,?,00000103), ref: 1000C5B0

Strings

., xrefs: 1000C58D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Find$CloseFileFirstmemset
String ID: .
API String ID: 2611062832-248832578
Opcode ID: dda6a262d2e9516848d1ce299b276994e535345d72e240c6a8439c559fede5f0
Instruction ID: 322ee34f10050229a9e2b5df2c8aa757a436b5a2b56f9ba1271f3f3af98ea240
Opcode Fuzzy Hash: dda6a262d2e9516848d1ce299b276994e535345d72e240c6a8439c559fede5f0
Instruction Fuzzy Hash: 28F09674800B2DA6EB20DB629C8CFDA3BA8EF047E2F004251FD14D50C4D370AAC4CA96

Function 1000CF69 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,00000000,IEFrame,00000000), ref: 1000CF7F
FindWindowExW.USER32(00000000,00000000,IEFrame,00000000), ref: 1000CF8F
PostMessageW.USER32(00000000,00000112,0000F060,00000000), ref: 1000CFA2

Strings

IEFrame, xrefs: 1000CF76, 1000CF7C, 1000CF88

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FindWindow$MessagePost
String ID: IEFrame
API String ID: 3193530299-2708574431
Opcode ID: 2f4e049f056f42e40250a06e72d001597c175d080a0e2d0a489b9df64051d550
Instruction ID: ac2e3b41cc3538158080822e537ae6f65a262074a09f8cbe46d97d0618dbc812
Opcode Fuzzy Hash: 2f4e049f056f42e40250a06e72d001597c175d080a0e2d0a489b9df64051d550
Instruction Fuzzy Hash: E4E0D87250822D3FF2206B17DC84C7BFF9DEB826E9713022AF511931908A727D0055B1

Function 10016972 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?), ref: 10016982
LoadResource.KERNEL32(?,00000000), ref: 10016992
SizeofResource.KERNEL32(?,00000000), ref: 100169AA
LockResource.KERNEL32(00000000), ref: 100169B3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ec8d2ee7759e69958f5e8e96e65e5ab6526e599b91e73a01467f4aa667a68c2e
Instruction ID: 59ef8c6dbf433a6aeab805aa761cca1597655be740b432db7867a10cab627421
Opcode Fuzzy Hash: ec8d2ee7759e69958f5e8e96e65e5ab6526e599b91e73a01467f4aa667a68c2e
Instruction Fuzzy Hash: B4F01236101256FFEB115F65EC48CAB3BADEF89B557104029FD4496221D732CC90D760

Function 10002839 Relevance: 6.0, APIs: 4, Instructions: 34keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 10002849
GetKeyState.USER32(0000000D), ref: 10002858
GetKeyState.USER32(00000020), ref: 10002867
GetKeyState.USER32(00000011), ref: 10002876

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 362aa4c9e3f0dd0dfce549f4d4bc08c1e66721f56c13e27928972268ac004afd
Instruction ID: 6e3ada50fccee97f55ee7628fffb4d9a47ef867bb9d928fac1160b02d217bdca
Opcode Fuzzy Hash: 362aa4c9e3f0dd0dfce549f4d4bc08c1e66721f56c13e27928972268ac004afd
Instruction Fuzzy Hash: FEE06D2D6202BB22F908A19C6C407BD21DCCB84AE1FC141A3EB80E7095EEE0998346A0

Function 10007C13 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,00000104,1000D6EA,00000000,00000000,00000104,00000000,000000FF,?,10016123,advapi32.dll,?,10001342,80000002,?), ref: 10007C23
GetLastError.KERNEL32(00000104,00000104,1000D6EA,00000000,00000000,00000104,00000000,000000FF,?,10016123,advapi32.dll,?,10001342,80000002,?), ref: 10007C5A

Part of subcall function 10007CB1: GetModuleFileNameW.KERNEL32(10018030,?,00000105), ref: 10007D97
Part of subcall function 10007CB1: SetLastError.KERNEL32(0000006F), ref: 10007DAD

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 10007C1E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$DebugFileModuleNameOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 3265401609-2690750368
Opcode ID: 2b25b6df9d1837db1740cf188726e3c463bd66104e9100efd8fe8f64d45a750b
Instruction ID: 07a78126dab223b0adaabb0879e0b11a14e8b2f4f752df7a62d98e88b0d3352c
Opcode Fuzzy Hash: 2b25b6df9d1837db1740cf188726e3c463bd66104e9100efd8fe8f64d45a750b
Instruction Fuzzy Hash: FCF05835D406719BF726DB909DC4D9977A4F759BC1B21862EF249E0028CA7C88C0CFE1

Function 1000E992 Relevance: 4.5, APIs: 3, Instructions: 33timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 1000E9A2
SystemTimeToFileTime.KERNEL32(?,?), ref: 1000E9B0
CommitUrlCacheEntryW.WININET(?,?,?,?,?,?,00000001,00000000,00000000,00000000,00000000), ref: 1000E9DA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Time$System$CacheCommitEntryFile
String ID:
API String ID: 3849914144-0
Opcode ID: a9e34f5b2655be543f5377d7756fb242ff67369cd7a057d68c65b60a533e0086
Instruction ID: 7178e3d5375f3e03f25484c59758f18dc836cbcff4fb0c9400661ab445f929b5
Opcode Fuzzy Hash: a9e34f5b2655be543f5377d7756fb242ff67369cd7a057d68c65b60a533e0086
Instruction Fuzzy Hash: B9F0DAB691010AFFEF019BE0CC4ADEF7BBCEB08305F008555FA01D6051D675DA959BA0

Function 1000A074 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

InternetSetOptionW.WININET(?,00000006,?,?), ref: 1000A117

Part of subcall function 1000ACAB: HttpQueryInfoW.WININET(CE8B5300,20000013,00000004,00000000,74DF23A0), ref: 1000ACDB

Strings

N, xrefs: 1000A110

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: HttpInfoInternetOptionQuery
String ID: N
API String ID: 922708144-1161386698
Opcode ID: 298f9ab5469445437dbf881d55c8f08f59fab9fa7ecc4fe358799ed22b2d2050
Instruction ID: 89c876021ce15d5bfd2e335d06567a34a970b58de464eb0aaf13b6f611c7a40c
Opcode Fuzzy Hash: 298f9ab5469445437dbf881d55c8f08f59fab9fa7ecc4fe358799ed22b2d2050
Instruction Fuzzy Hash: 7721AC75200705AFFB20CF50C884AAAB7E5FB463D8F00472DE6829B284D7B0ADC5DB51

Function 10014ED8 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(10014E8C,00000000,?,?,?,?,10014FEF,80000000,?,1000F3E0,?,1000F3E0,?), ref: 10014EE4
SetUnhandledExceptionFilter.KERNEL32(00000005,?,?,10014FEF,80000000,?,1000F3E0,?,1000F3E0,?), ref: 10014F44

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 10b9f3794cb563057866daa71b9a8c780915be1fdf25a0f7dfc64222bfafedbd
Instruction ID: 3b4b6869e6b03000b2b6161c17195b906c94f225dcea60532b9045e26c0192d4
Opcode Fuzzy Hash: 10b9f3794cb563057866daa71b9a8c780915be1fdf25a0f7dfc64222bfafedbd
Instruction Fuzzy Hash: 6C018C38100324ABEB01DF98DCC0AA9B7B5FF89321B118095ED008F365D773A840C765

Function 10012267 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fbea6abfb286f729729dcd6326b195f84a64df0fac015053587db27b56a862
Instruction ID: 9542e38f324dbff8f4bff9f198682d9940a3907cd6260ff9f6b5f517a22b7046
Opcode Fuzzy Hash: b5fbea6abfb286f729729dcd6326b195f84a64df0fac015053587db27b56a862
Instruction Fuzzy Hash: 80528136B4060A9BEB0CCE9ACCD15DCB7A3ABC835471DC23CD915D7745DAB8A907CA90

Function 1000A9BE Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ui64tow.MSVCRT ref: 1000AA2F
_snwprintf.MSVCRT ref: 1000AA50
wcslen.MSVCRT ref: 1000AA55
wcslen.MSVCRT ref: 1000AA63
wcslen.MSVCRT ref: 1000AA6F
wcslen.MSVCRT ref: 1000AA80
wcsncat.MSVCRT ref: 1000AA90
wcslen.MSVCRT ref: 1000AAA3
memset.MSVCRT ref: 1000AAB8
_snwprintf.MSVCRT ref: 1000AAD2
wcslen.MSVCRT ref: 1000AAD7
wcslen.MSVCRT ref: 1000AAE5
wcslen.MSVCRT ref: 1000AAF1
wcslen.MSVCRT ref: 1000AB02
wcsncat.MSVCRT ref: 1000AB12
wcslen.MSVCRT ref: 1000AB25
memset.MSVCRT ref: 1000AB3A
_snwprintf.MSVCRT ref: 1000AB54
wcslen.MSVCRT ref: 1000AB59
wcslen.MSVCRT ref: 1000AB67
wcslen.MSVCRT ref: 1000AB73
wcslen.MSVCRT ref: 1000AB84
wcsncat.MSVCRT ref: 1000AB94
wcslen.MSVCRT ref: 1000ABAB
wcslen.MSVCRT ref: 1000ABB3
wcslen.MSVCRT ref: 1000ABBE
wcslen.MSVCRT ref: 1000ABCB
wcsncat.MSVCRT ref: 1000ABD3

Strings

User-Agent: %s, xrefs: 1000AB49
Referer: %s, xrefs: 1000AAC7
Pragma: no-cacheCache-Control: no-cacheConnection: close, xrefs: 1000AB9D, 1000ABB0, 1000ABCA, 1000ABCF
Range: bytes=%s-, xrefs: 1000AA3F

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$wcsncat$_snwprintf$memset$_ui64tow
String ID: Pragma: no-cacheCache-Control: no-cacheConnection: close$Range: bytes=%s-$Referer: %s$User-Agent: %s
API String ID: 588169089-1773194648
Opcode ID: 8f7f0703525e24235ad4a7e115a7db5e1c306e2e8178a84c11e5b631d0696d32
Instruction ID: 22086464a23f41f18a7dabdfd7dbb5ff4dc01ea7747ca3122468b43b72d6fd24
Opcode Fuzzy Hash: 8f7f0703525e24235ad4a7e115a7db5e1c306e2e8178a84c11e5b631d0696d32
Instruction Fuzzy Hash: 6D517E72A0025DAFEF00DFA8DD84CDE77A9EF04350F1085BAF609D6151EB759A948FA0

Function 100130CF Relevance: 49.3, APIs: 15, Strings: 13, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 100130D4

Part of subcall function 1000FD91: __EH_prolog.LIBCMT ref: 1000FD96

_wcsicmp.MSVCRT ref: 10013130
_wcsicmp.MSVCRT ref: 1001314C
_wcsicmp.MSVCRT ref: 100131A5
SysFreeString.OLEAUT32(?), ref: 10013222
SysFreeString.OLEAUT32(?), ref: 10013424

Strings

02BF25D5-8C17-4B23-BC80-D3488ABDDC6B, xrefs: 100131D6
CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA, xrefs: 100131B9
img, xrefs: 10013124
div, xrefs: 1001325E
embed, xrefs: 10013242
22d6f312-b0f6-11d0-94ab-0080c74c7e95, xrefs: 100131F3
hidden, xrefs: 100132CC
background, xrefs: 10013351, 1001335A, 100133B3
6BF52A52-394A-11d3-B153-00C04F79FAA6, xrefs: 10013207
`<u, xrefs: 10013222, 1001330F, 10013376, 100133F2, 10013424
inherit, xrefs: 10013328
object, xrefs: 10013144
D27CDB6E-AE6D-11cf-96B8-444553540000, xrefs: 1001319C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _wcsicmp$FreeH_prologString
String ID: 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B$22d6f312-b0f6-11d0-94ab-0080c74c7e95$6BF52A52-394A-11d3-B153-00C04F79FAA6$CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA$D27CDB6E-AE6D-11cf-96B8-444553540000$`<u$background$div$embed$hidden$img$inherit$object
API String ID: 1058554325-883279896
Opcode ID: 913eff2595c1c074bf6a9e993b45f8a0a1605bfca46c26a3a0e050c67a05c6d3
Instruction ID: 80fda2f91939b9c2b9f723238f3fb4dfbb0c65f29d64e3860824f5143ce5b254
Opcode Fuzzy Hash: 913eff2595c1c074bf6a9e993b45f8a0a1605bfca46c26a3a0e050c67a05c6d3
Instruction Fuzzy Hash: 88C1397190021AEFDB05DFA4C888A9EBBB9FF04355F108569F615AF251CB30EE85CB91

Function 10015006 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 248
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10015031
memset.MSVCRT ref: 10015046
wcslen.MSVCRT ref: 10015067
strlen.MSVCRT ref: 10015086
malloc.MSVCRT ref: 10015093
memset.MSVCRT ref: 1001509E
memset.MSVCRT ref: 100150D5
wcsstr.MSVCRT ref: 100150E0
wcsncpy.MSVCRT ref: 10015108
wcslen.MSVCRT ref: 10015120
wcsncpy.MSVCRT ref: 1001513D
wcslen.MSVCRT ref: 1001515D
_wcsicmp.MSVCRT ref: 1001519C
malloc.MSVCRT ref: 100151BA
memset.MSVCRT ref: 100151C6
wcslen.MSVCRT ref: 100151D2
malloc.MSVCRT ref: 100151DC
memcpy.MSVCRT(00000000,0000005B,?), ref: 100151EB
free.MSVCRT ref: 1001529A

Strings

[, xrefs: 10015169
], xrefs: 10015177

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: mallocmemsetwcslen$wcsncpy$_wcsicmpfreememcpystrlenwcsstr
String ID: [$]
API String ID: 387209979-2073744556
Opcode ID: 7dd73c652246c321ea05a49d78b60a56882a473e152963e70829a93e273b12f2
Instruction ID: 12f59a54a5026b3f82b5c201b22fd546996d023b83833aa752ca32d2348f5ee0
Opcode Fuzzy Hash: 7dd73c652246c321ea05a49d78b60a56882a473e152963e70829a93e273b12f2
Instruction Fuzzy Hash: B1918C72900209EFDB15CFA4CC84AAEB7F8EF48351F2580AAE5189F252D775DA80CF50

Function 100157C1 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 1001580D
_snwprintf.MSVCRT ref: 10015844
wcslen.MSVCRT ref: 10015853
_wcsicmp.MSVCRT ref: 1001586E
_wcsnicmp.MSVCRT ref: 1001589A
malloc.MSVCRT ref: 100158E4
memset.MSVCRT ref: 100158ED
wcslen.MSVCRT ref: 100158F9
malloc.MSVCRT ref: 10015903
memcpy.MSVCRT(00000000,?,00000000), ref: 10015912
malloc.MSVCRT ref: 10015923
memset.MSVCRT ref: 1001592D
wcslen.MSVCRT ref: 10015935
wcslen.MSVCRT ref: 1001593F
malloc.MSVCRT ref: 1001594B
memset.MSVCRT ref: 10015956
_snwprintf.MSVCRT ref: 1001596F
wcslen.MSVCRT ref: 1001598A
wcslen.MSVCRT ref: 10015991
malloc.MSVCRT ref: 1001599A
memset.MSVCRT ref: 100159A6
_snwprintf.MSVCRT ref: 100159BE
free.MSVCRT ref: 100159C9

Strings

[%s], xrefs: 1001582F
%s=%s, xrefs: 10015967, 100159B7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$malloc$memset$_snwprintf$_wcsicmp_wcsnicmpfreememcpy
String ID: %s=%s$[%s]
API String ID: 223515-2317939226
Opcode ID: 1a66fbb0bb4cf32de6a9f14735d57ebb8880aecce53f21307f58b4265b4b76b3
Instruction ID: ef03ba7d905eb058dad0d780740a961947bfefce9e83d07ca0a20edb42f0238e
Opcode Fuzzy Hash: 1a66fbb0bb4cf32de6a9f14735d57ebb8880aecce53f21307f58b4265b4b76b3
Instruction Fuzzy Hash: FA71A871900209EFDB11CF54CC84A9ABBB5FF44390F18812AF9189F251EB72DA90CF91

Function 10006EC4 Relevance: 42.4, APIs: 13, Strings: 11, Instructions: 385
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\TabbedBrowsing,00000000,000F003F,?), ref: 100070DD
RegCreateKeyW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\TabbedBrowsing,?), ref: 100070F5

Strings

ShortcutBehavior, xrefs: 100072A5, 100073C4
4, xrefs: 1000703B
ShowTabsWelcome, xrefs: 1000726C
.\Download, xrefs: 100071D3, 10007320, 1000732B, 10007335, 10007336
Software\Microsoft\Internet Explorer\TabbedBrowsing, xrefs: 100070D7, 100070EF, 10007378, 100073C9, 100073F2
3, xrefs: 10007027
UseHomepageForNewTab, xrefs: 10007255, 1000739E
PopupsUseNewWindow, xrefs: 100072C1, 100073ED
OpenInForeground, xrefs: 1000728A, 100073B1
8, xrefs: 1000704F
WarnOnClose, xrefs: 10007236, 10007373

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CreateOpen
String ID: .\Download$3$4$8$OpenInForeground$PopupsUseNewWindow$ShortcutBehavior$ShowTabsWelcome$Software\Microsoft\Internet Explorer\TabbedBrowsing$UseHomepageForNewTab$WarnOnClose
API String ID: 436179556-3167918331
Opcode ID: 0700cbaba8e79dd7436370f3c9e9000c39f1dc153f50f67ba707b43ce3006a7a
Instruction ID: d7109ada15d989d0d6acb2e796a9e2cea77e21f9cade2dee6f499572070f84d8
Opcode Fuzzy Hash: 0700cbaba8e79dd7436370f3c9e9000c39f1dc153f50f67ba707b43ce3006a7a
Instruction Fuzzy Hash: 71E15C71D00259EFEB11CF94CC84ADE7BB9FB08780F50456AFA09AB254D7759A80DFA0

Function 1000ECF5 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1000ECFA
GetTempPathW.KERNEL32(00000104,?), ref: 1000ED25
wcscat.MSVCRT ref: 1000ED37
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 1000ED57
EnterCriticalSection.KERNEL32(?), ref: 1000ED7E
LeaveCriticalSection.KERNEL32(?,?), ref: 1000EDAF
lstrlenW.KERNEL32(?), ref: 1000EDC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 1000EDEC
lstrlenA.KERNEL32(?,?,?,00000000,00000000), ref: 1000EE20
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?,00000000,00000000), ref: 1000EE47
_snwprintf.MSVCRT ref: 1000EE65
IsWindow.USER32(?), ref: 1000EE94
lstrlenW.KERNEL32(?), ref: 1000EEC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 1000EEF0
wcscpy.MSVCRT ref: 1000EF14
wcscat.MSVCRT ref: 1000EF24
IsWindow.USER32(?), ref: 1000EF58
lstrlenW.KERNEL32(?), ref: 1000EF7B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 1000EFA7
SetEvent.KERNEL32(?), ref: 1000EFC7

Strings

http://data.alexa.com/data/gWjM61Z9yy83rr?cli=10&dat=snba&ver=7.2&cdt=alx_vw%3D20%26wid%3D11092%26act%3D00400000000%26ss%3D1280x10, xrefs: 1000EF0E
.dat, xrefs: 1000EE7F, 1000EF3F
http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s, xrefs: 1000EE5A
twrank.dat, xrefs: 1000ED31

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$CriticalSectionWindowwcscat$EnterEventH_prologLeaveMultipleObjectsPathTempWait_snwprintfwcscpy
String ID: .dat$http://data.alexa.com/data/gWjM61Z9yy83rr?cli=10&dat=snba&ver=7.2&cdt=alx_vw%3D20%26wid%3D11092%26act%3D00400000000%26ss%3D1280x10$http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s$twrank.dat
API String ID: 1731512307-49810315
Opcode ID: 96238266c83d9284f150d13fdd9f1b6327a68f1f76d5487892a89fb960a36f67
Instruction ID: 28800ce6f17d64abeeac06d37f016d1b31ca20b9b35b20a469bc6ea4e43742f3
Opcode Fuzzy Hash: 96238266c83d9284f150d13fdd9f1b6327a68f1f76d5487892a89fb960a36f67
Instruction Fuzzy Hash: E4916E7190025EAFEF11CFA4CC85DEEBBB8FB08394B104569F515E6250EB31EA55CB60

Function 1000DC5C Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 249
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000400,00000000,00000000,00000001,00000000,?,?,100056C2,?,00000000), ref: 1000DCF3

Part of subcall function 100087C5: strlen.MSVCRT ref: 100087D4
Part of subcall function 100087C5: isalnum.MSVCRT ref: 100087FB

SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\SearchScopes,DefaultScope,?,?,?), ref: 1000DD47
_snwprintf.MSVCRT ref: 1000DD6E
SHGetValueW.SHLWAPI(80000001,?,URL,00000001,?,?), ref: 1000DDAC
SHGetValueW.SHLWAPI(80000001,?,codepage,00000001,?,00000208), ref: 1000DDDF
wcslen.MSVCRT ref: 1000DDE7
wcsstr.MSVCRT ref: 1000DDF8
wcsncpy.MSVCRT ref: 1000DE28
WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 1000DE7B

Part of subcall function 100087C5: strlen.MSVCRT ref: 10008869
Part of subcall function 100087C5: strcpy.MSVCRT(?,?), ref: 10008883
Part of subcall function 100087C5: strlen.MSVCRT ref: 1000889A

lstrlenA.KERNEL32(?), ref: 1000DEB3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 1000DEDB
lstrlenA.KERNEL32(?), ref: 1000DEF5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 1000DF1D
wcscat.MSVCRT ref: 1000DF29
wcscat.MSVCRT ref: 1000DF3E
_snwprintf.MSVCRT ref: 1000DF59

Strings

{searchTerms}, xrefs: 1000DDE1, 1000DDE6, 1000DDF6
codepage, xrefs: 1000DDD4
DefaultScope, xrefs: 1000DD38
URL, xrefs: 1000DD9A
%s\%s, xrefs: 1000DD5D
http://www.baidu.com/baidu?word=%s&tn=sper_2_dg, xrefs: 1000DF4E
Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 1000DD3D, 1000DD58

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$Valuestrlen$_snwprintflstrlenwcscat$isalnumstrcpywcslenwcsncpywcsstr
String ID: %s\%s$DefaultScope$Software\Microsoft\Internet Explorer\SearchScopes$URL$codepage$http://www.baidu.com/baidu?word=%s&tn=sper_2_dg${searchTerms}
API String ID: 1712787066-1793455270
Opcode ID: fca8cce6937e5d73ab9ff536b0255d7ea8b8af787039cbf63bcfb053fcf95f5c
Instruction ID: 0f5718793d0f310e20fd21f9ffdbe6d018fba3b6349f9a393faef8d419693087
Opcode Fuzzy Hash: fca8cce6937e5d73ab9ff536b0255d7ea8b8af787039cbf63bcfb053fcf95f5c
Instruction Fuzzy Hash: E7913072900119BFEB11DBA4CC84EDEB7BDEB48354F1085A6F615E7250EA71AB448FA0

Function 10016EF5 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100170D4: GetWindowsDirectoryW.KERNEL32(?,00000207,00000208), ref: 100170EB
Part of subcall function 100170D4: wcslen.MSVCRT ref: 10017100
Part of subcall function 100170D4: wcscat.MSVCRT ref: 1001711E
Part of subcall function 100170D4: _snwprintf.MSVCRT ref: 10017140

_wfopen.MSVCRT ref: 10016F23
GetShortPathNameW.KERNEL32(00000000,?,00000104), ref: 10016F5B
memset.MSVCRT ref: 10016F73
_snwprintf.MSVCRT ref: 10016F8B
GetShortPathNameW.KERNEL32(00000000,?,00000104), ref: 10016FA5
memset.MSVCRT ref: 10016FBD
_snwprintf.MSVCRT ref: 10016FD5
rewind.MSVCRT ref: 10016FE1
fgets.MSVCRT ref: 10016FFE
_strnicmp.MSVCRT ref: 1001701C
fgets.MSVCRT ref: 10017032
fseek.MSVCRT ref: 10017043
fprintf.MSVCRT ref: 10017063
fprintf.MSVCRT ref: 10017081
wcslen.MSVCRT ref: 10017088
fprintf.MSVCRT ref: 100170BF
fclose.MSVCRT ref: 100170C5

Strings

\, xrefs: 1001708E
%s, xrefs: 1001705D
NUL=%s, xrefs: 100170B9
[rename], xrefs: 10017017, 10017058
DIRNUL=%s, xrefs: 100170AB
%s=%s, xrefs: 1001707B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintffprintf$NamePathShortfgetsmemsetwcslen$DirectoryWindows_strnicmp_wfopenfclosefseekrewindwcscat
String ID: %s$%s=%s$DIRNUL=%s$NUL=%s$[rename]$\
API String ID: 3938049909-3023969181
Opcode ID: 16a40d263ac63e66ab96877aa7e978888092b18158a99feee3fc9dbbd972834d
Instruction ID: d266152c450db00a0e15846a35481bafefa00a1d340bb1efd598463ee0ab9fb8
Opcode Fuzzy Hash: 16a40d263ac63e66ab96877aa7e978888092b18158a99feee3fc9dbbd972834d
Instruction Fuzzy Hash: E35153B5800218BAEB11DB94DC84FDA77BCFB48354F1484A6F909D6141E774DBC4CB61

Function 10013A06 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 289
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10013A0B
_snwprintf.MSVCRT ref: 10013A61
GetUrlCacheEntryInfoW.WININET(00000004,00000000,?), ref: 10013A79
malloc.MSVCRT ref: 10013A7E
memset.MSVCRT ref: 10013A8B
GetUrlCacheEntryInfoW.WININET(?,00000000,?), ref: 10013A9F
_wcsnicmp.MSVCRT ref: 10013AB6
wcslen.MSVCRT ref: 10013AE3
lstrlenW.KERNEL32(?), ref: 10013AFA

Part of subcall function 1001390B: wcsncpy.MSVCRT ref: 1001395B
Part of subcall function 1001390B: wcsncpy.MSVCRT ref: 1001397A

free.MSVCRT ref: 10013B0F
wcsrchr.MSVCRT ref: 10013B5C
wcsrchr.MSVCRT ref: 10013B6C
wcslen.MSVCRT ref: 10013B7A
_snwprintf.MSVCRT ref: 10013B9D
lstrlenW.KERNEL32(?), ref: 10013D1C
CopyFileW.KERNEL32(?,?,00000000), ref: 10013D4F
lstrlenW.KERNEL32(?), ref: 10013D6E

Part of subcall function 1000871C: wcslen.MSVCRT ref: 1000872B

Strings

file:///, xrefs: 10013AB0
%s%s, xrefs: 10013C03

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlenwcslen$CacheEntryInfo_snwprintfwcsncpywcsrchr$CopyFileH_prolog_wcsnicmpfreemallocmemset
String ID: %s%s$file:///
API String ID: 3991802175-4099778811
Opcode ID: c5b47f5078b7de0eba5de6eee6cc6939551447d4fd8232ce4daced9ed83d0410
Instruction ID: 70af17b27fadee453dc6d6cbdff1dc1271e9ac7f1ba51c8ab214b3af662eb808
Opcode Fuzzy Hash: c5b47f5078b7de0eba5de6eee6cc6939551447d4fd8232ce4daced9ed83d0410
Instruction Fuzzy Hash: 2AA12F72900129ABEF11DFA4DC95AEEB7B9FB48340F1044A9E605E7150DB35EF85CB60

Function 1000F151 Relevance: 38.6, APIs: 20, Strings: 2, Instructions: 135
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 1000F183
fseek.MSVCRT ref: 1000F19B
ftell.MSVCRT ref: 1000F19E
fseek.MSVCRT ref: 1000F1AA
fread.MSVCRT ref: 1000F1C7
fclose.MSVCRT ref: 1000F1CE
strlen.MSVCRT ref: 1000F1DE
IsWindow.USER32(?), ref: 1000F1F8
strlen.MSVCRT ref: 1000F20C
strstr.MSVCRT ref: 1000F222
strlen.MSVCRT ref: 1000F238
strstr.MSVCRT ref: 1000F24A
strstr.MSVCRT ref: 1000F25E
_snprintf.MSVCRT ref: 1000F276
GetParent.USER32(?), ref: 1000F286
GetWindowRect.USER32(?,?), ref: 1000F295
GetDesktopWindow.USER32 ref: 1000F2A2
MapWindowPoints.USER32(00000000), ref: 1000F2A9
InvalidateRect.USER32(00000000,?,00000001), ref: 1000F2BC
InvalidateRect.USER32(?,00000000,00000001), ref: 1000F2C4

Strings

<POPULARITY URL=, xrefs: 1000F206, 1000F20B, 1000F21A
TEXT=", xrefs: 1000F232, 1000F237, 1000F246

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rectstrlenstrstr$Invalidatefseek$DesktopParentPoints_snprintffclosefopenfreadftell
String ID: <POPULARITY URL=$TEXT="
API String ID: 911241460-1276152696
Opcode ID: ae9ed3755ab5cdeeee73a83c046bf92053dbdce7410283599328174c70c0bd02
Instruction ID: 8950720848de2fe61496d3d358c50af25b93efd00f299282abf7cc4ca813c790
Opcode Fuzzy Hash: ae9ed3755ab5cdeeee73a83c046bf92053dbdce7410283599328174c70c0bd02
Instruction Fuzzy Hash: 30418032900159BFEB11DFA4CCC99EE7BACEF44790F01806AFA09E7150D675DA849BA1

Function 100077F2 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetBkMode.GDI32(?,00000001), ref: 1000781B
GetStockObject.GDI32(00000000), ref: 10007823
EndDialog.USER32(?,00000001), ref: 10007840
_snwprintf.MSVCRT ref: 1000786A
SetDlgItemTextW.USER32(?,000000ED,?), ref: 10007882
BeginPaint.USER32(?,?), ref: 1000789A
GetDlgItem.USER32(?,000000EB), ref: 100078B1
GetWindowRect.USER32(00000000,?), ref: 100078BE
GetDesktopWindow.USER32 ref: 100078CF
MapWindowPoints.USER32(00000000), ref: 100078D2
GetClientRect.USER32(?,?), ref: 100078DF
GetStockObject.GDI32(00000000), ref: 100078ED
FillRect.USER32(?,?,00000000), ref: 100078FB
LoadIconW.USER32(000000EB), ref: 1000790C
GetDlgItem.USER32(?,000000EC), ref: 1000791D
GetWindowRect.USER32(00000000,?), ref: 10007924
GetDesktopWindow.USER32 ref: 1000792F
MapWindowPoints.USER32(00000000), ref: 10007932
DrawIcon.USER32(?,?,?,?), ref: 10007944
EndPaint.USER32(?,?), ref: 10007951

Strings

1.0.1.4, xrefs: 1000784D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$Item$DesktopIconObjectPaintPointsStock$BeginClientDialogDrawFillLoadModeText_snwprintf
String ID: 1.0.1.4
API String ID: 2957959949-1074268011
Opcode ID: 343c34483f7edb25dd65ba061924e189f510bef11ecb0dcdf2b453f91663714b
Instruction ID: ae14b286c870b7dfe219e57cf7cf0aa7f3918ed53287049f6207860b9069cce3
Opcode Fuzzy Hash: 343c34483f7edb25dd65ba061924e189f510bef11ecb0dcdf2b453f91663714b
Instruction Fuzzy Hash: A641CA7194022ABFEF119FA0CC89EEE7B79FB04781F008515FA19A60A0D6B5DA51DB60

Function 1001686D Relevance: 36.8, APIs: 9, Strings: 12, Instructions: 99windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 100160B6: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,00000000,0000007E,?,100168A5,80000000,http\shell,10021B38), ref: 100160CF
Part of subcall function 100160B6: RegDeleteValueW.ADVAPI32(00000000,?,?,100168A5,80000000,http\shell,10021B38), ref: 100160E5
Part of subcall function 100160B6: RegCloseKey.ADVAPI32(00000000,?,100168A5,80000000,http\shell,10021B38), ref: 100160EE

wcscpy.MSVCRT ref: 100168D3
wcslen.MSVCRT ref: 100168E4
SHSetValueW.SHLWAPI(80000000,http\DefaultIcon,10021B38,00000002,?,00000000), ref: 100168FE
wcslen.MSVCRT ref: 10016905
SHSetValueW.SHLWAPI(80000000,https\DefaultIcon,10021B38,00000002,?,00000000), ref: 10016917
wcslen.MSVCRT ref: 1001691E
SHSetValueW.SHLWAPI(80000000,ftp\DefaultIcon,10021B38,00000002,?,00000000), ref: 10016930
SHSetValueW.SHLWAPI(80000002,SOFTWARE\Clients\StartMenuInternet,10021B38,00000001,IEXPLORE.EXE,00000018), ref: 10016946
SendMessageTimeoutW.USER32(0000FFFF,0000001A,00000000,Software\Clients\StartMenuInternet,00000002,0000000A,?), ref: 1001695F

Strings

SOFTWARE\Clients\StartMenuInternet, xrefs: 1001693C
https\DefaultIcon, xrefs: 10016911
htmlfile\shell, xrefs: 100168BE
%SystemRoot%\system32\url.dll,0, xrefs: 100168CD
http\shell, xrefs: 1001689A
http\DefaultIcon, xrefs: 100168F8
opennew, xrefs: 10016879
https\shell, xrefs: 100168B2
Software\Clients\StartMenuInternet, xrefs: 10016951
IEXPLORE.EXE, xrefs: 10016934
ftp\shell, xrefs: 100168A6
ftp\DefaultIcon, xrefs: 1001692A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$wcslen$CloseDeleteMessageOpenSendTimeoutwcscpy
String ID: %SystemRoot%\system32\url.dll,0$IEXPLORE.EXE$SOFTWARE\Clients\StartMenuInternet$Software\Clients\StartMenuInternet$ftp\DefaultIcon$ftp\shell$htmlfile\shell$http\DefaultIcon$http\shell$https\DefaultIcon$https\shell$opennew
API String ID: 1300745356-3518104673
Opcode ID: be9d517d1ad30c013c733ba647c98dcd8abdfdc44be20891a0bf4fc90fdab418
Instruction ID: 6b34120af94e0fc8fbc38e56fe3bd515274a56c7452e914d592546ededda3ddd
Opcode Fuzzy Hash: be9d517d1ad30c013c733ba647c98dcd8abdfdc44be20891a0bf4fc90fdab418
Instruction Fuzzy Hash: 6421CB7A14431476E321DA50AC8AFFF7BACDFAA751F840425FB04A6082D764E90542B7

Function 10009372 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 174networkCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00008060), ref: 1000938B
IsBadWritePtr.KERNEL32(?,00008060), ref: 1000939B
memset.MSVCRT ref: 100093F4
wcslen.MSVCRT ref: 10009402
wcslen.MSVCRT ref: 10009417
wcsncpy.MSVCRT ref: 10009421
SetEvent.KERNEL32(?), ref: 10009454
InternetGetLastResponseInfoW.WININET(?,?,?), ref: 100094A4
wcsstr.MSVCRT ref: 100094D4
wcsstr.MSVCRT ref: 100094F4
memset.MSVCRT ref: 1000952C
_ui64tow.MSVCRT ref: 1000954D
_snwprintf.MSVCRT ref: 10009573
wcscpy.MSVCRT ref: 1000958A
FtpCommandW.WININET(00000001,00000000,00000001,?,00000000,00000000), ref: 100095A4
TlsSetValue.KERNEL32(FFFFFFFF,000007BC), ref: 100095BC

Strings

REST %d, xrefs: 10009568
200 PORT, xrefs: 100094EE
REST 0, xrefs: 10009584
350, xrefs: 100094CE

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memsetwcslenwcsstr$CommandEventInfoInternetLastReadResponseValueWrite_snwprintf_ui64towwcscpywcsncpy
String ID: 200 PORT$350$REST %d$REST 0
API String ID: 2297657178-1907610716
Opcode ID: 96886731d3763283ee39fd626adcf1ef149f5fc5553fc32ff2e4db2fd52a5d0f
Instruction ID: 1ced3fcea820fc99f7d80d6fcca7f9f6a596a0c7619e422e47d3b134a422e029
Opcode Fuzzy Hash: 96886731d3763283ee39fd626adcf1ef149f5fc5553fc32ff2e4db2fd52a5d0f
Instruction Fuzzy Hash: CA51AD71600B15AFEB21CF61CC88B9A73E8FF44381F018469F956E71A0D730EE948B64

Function 100165C1 Relevance: 35.1, APIs: 4, Strings: 16, Instructions: 141COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 100165E1
SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Main,Start Page,00000001,?,00000000,?,?,00000000,100079E8,00000029,00000000,00000000), ref: 10016605
wcslen.MSVCRT ref: 1001660C
SHSetValueW.SHLWAPI(80000002,Software\Microsoft\Internet Explorer\Main,Start Page,00000001,?,00000000,?,00000000,100079E8,00000029,00000000,00000000), ref: 10016625

Part of subcall function 100160B6: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,00000000,0000007E,?,100168A5,80000000,http\shell,10021B38), ref: 100160CF
Part of subcall function 100160B6: RegDeleteValueW.ADVAPI32(00000000,?,?,100168A5,80000000,http\shell,10021B38), ref: 100160E5
Part of subcall function 100160B6: RegCloseKey.ADVAPI32(00000000,?,100168A5,80000000,http\shell,10021B38), ref: 100160EE

Strings

Search Bar, xrefs: 1001666C, 100166A9, 100166F1
First Home Page, xrefs: 1001663C, 10016641, 10016649
.Default\Software\Microsoft\Internet Explorer, xrefs: 100166E6
Default_Page_URL, xrefs: 100166B8
Search Page, xrefs: 10016651, 10016691
about:blank, xrefs: 100165D5
Software\Microsoft\Internet Explorer, xrefs: 10016686
Default_Search_URL, xrefs: 100166C4, 100166FD
.DEFAULT\Software\Microsoft\Internet Explorer\Main, xrefs: 100166D6, 1001672A
SearchURL, xrefs: 10016678, 1001667D, 10016685, 100166D0, 100166E1
Secondary Start Pages, xrefs: 10016627, 1001662C, 10016634
Start Page, xrefs: 100165F9, 1001661E
Software\Microsoft\Internet Explorer\Main\SEARCH, xrefs: 10016712, 1001671E
SearchAssistant, xrefs: 1001670C, 10016711, 1001671D, 10016729
Local Page, xrefs: 1001665D, 1001669D
Software\Microsoft\Internet Explorer\Main, xrefs: 100165F4, 10016603, 10016623, 1001662D, 10016635, 10016642, 1001664A, 10016656, 10016662, 10016671, 1001667E, 10016696, 100166A2, 100166AE, 100166BD, 100166C9, 100166F6, 10016702

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$wcslen$CloseDeleteOpen
String ID: .DEFAULT\Software\Microsoft\Internet Explorer\Main$.Default\Software\Microsoft\Internet Explorer$Default_Page_URL$Default_Search_URL$First Home Page$Local Page$Search Bar$Search Page$SearchAssistant$SearchURL$Secondary Start Pages$Software\Microsoft\Internet Explorer$Software\Microsoft\Internet Explorer\Main$Software\Microsoft\Internet Explorer\Main\SEARCH$Start Page$about:blank
API String ID: 440403318-684355820
Opcode ID: 8b10dcd642e2bf12adde9c897556071d454062042af9d6c09fb9fb875f1471a5
Instruction ID: 76de785800c3872ec15d437740ba0b620832775dafd86e4fd353c8c470dd78f3
Opcode Fuzzy Hash: 8b10dcd642e2bf12adde9c897556071d454062042af9d6c09fb9fb875f1471a5
Instruction Fuzzy Hash: 49317E6D85127836D232F6226D86DEB3D5CCF6E5E0B804514BF08B91039A39F19581B7

Function 10002B11 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 306stringCOMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,?,?,?,1001E2B4,?), ref: 10002B45
CharNextW.USER32(00000000,?,?,1001E2B4,?), ref: 10002B98
_wtoi.MSVCRT(00000000,?,?,1001E2B4,?), ref: 10002BAA
iswdigit.MSVCRT ref: 10002BBD
CharNextW.USER32(00000000), ref: 10002BC9
CharNextW.USER32(00000000,?,1001E2B4,?), ref: 10002BD8
CharNextW.USER32(00000000), ref: 10002BF1
_wtoi.MSVCRT(00000000), ref: 10002C21
iswdigit.MSVCRT ref: 10002C33
CharNextW.USER32(00000000), ref: 10002C3F
CharNextW.USER32(00000000,?,1001E2B4), ref: 10002C75
lstrlenW.KERNEL32(?), ref: 10002D1F
wcslen.MSVCRT ref: 10002D53
lstrlenA.KERNEL32(?), ref: 10002D79
swprintf.MSVCRT(?,%*.*f,?,-00000006), ref: 10002DE6
wcslen.MSVCRT ref: 10002DED
CharNextW.USER32(?,00000000,?,?,?,1001E2B4,?), ref: 10002E4F
vswprintf.MSVCRT(1001E2B4,?,?,?,00000000,?,?,?,1001E2B4,?), ref: 10002E75

Strings

%*.*f, xrefs: 10002DE0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CharNext$_wtoiiswdigitlstrlenwcslen$swprintfvswprintf
String ID: %*.*f
API String ID: 2794742940-4192566172
Opcode ID: f051d7196789ecda07c872afc8bfa7892070372c36bf6a0fb7e7a17bf91b6d7b
Instruction ID: ce291b13e4d401a4cd620e39db3a541457c8b1453a7b440a133a1ad392dd47b2
Opcode Fuzzy Hash: f051d7196789ecda07c872afc8bfa7892070372c36bf6a0fb7e7a17bf91b6d7b
Instruction Fuzzy Hash: 4EA1DF76900256ABFB91DF68C888AADBBF4EF047E0F518126E801E725CD734DE81DB51

Function 10011B64 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 174stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10011B69
IsWindowVisible.USER32(?), ref: 10011B93
wcslen.MSVCRT ref: 10011BAF
wcscmp.MSVCRT ref: 10011BD9
strcmp.MSVCRT ref: 10011BEF
strcpy.MSVCRT(?,...), ref: 10011C3B
strcpy.MSVCRT(?,1007AD3C,?,...), ref: 10011C4C
lstrlenW.KERNEL32(?), ref: 10011C63
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000), ref: 10011C8B
strcpy.MSVCRT(?,...), ref: 10011CDE
strcpy.MSVCRT(?,1007AD3C,?,...), ref: 10011CEC
GetParent.USER32(?), ref: 10011CF7
GetWindowRect.USER32(?,?), ref: 10011D06
GetDesktopWindow.USER32 ref: 10011D13
MapWindowPoints.USER32(00000000), ref: 10011D1A
InvalidateRect.USER32(00000000,?,00000001), ref: 10011D2D
InvalidateRect.USER32(?,00000000,00000001), ref: 10011D36
lstrlenW.KERNEL32(?), ref: 10011D42

Strings

..., xrefs: 10011BE0, 10011BED, 10011C36, 10011CDC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Windowstrcpy$Rect$Invalidatelstrlen$ByteCharDesktopH_prologMultiParentPointsVisibleWidestrcmpwcscmpwcslen
String ID: ...
API String ID: 179043487-440645147
Opcode ID: d97da788a313dcfb239f351a188f70de86917012da8662ecc5680334601e4ae0
Instruction ID: 6ca494ce9bf0b7b7f569351e99176acf8c29ce4cc84c0e77d984d2cc73c17215
Opcode Fuzzy Hash: d97da788a313dcfb239f351a188f70de86917012da8662ecc5680334601e4ae0
Instruction Fuzzy Hash: CC515971900219AFEB15DBA0DC85AAEBBFDFF08350F108829F555E6191EB35EA44CB60

Function 10017DC5 Relevance: 29.8, APIs: 10, Strings: 7, Instructions: 84COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10017DCC
wcscmp.MSVCRT ref: 10017DE4
wcsstr.MSVCRT ref: 10017DFC
_wcsnicmp.MSVCRT ref: 10017E12
_wcsnicmp.MSVCRT ref: 10017E23
_wcsnicmp.MSVCRT ref: 10017E34
_wcsnicmp.MSVCRT ref: 10017E45
_wcsnicmp.MSVCRT ref: 10017E56
wcspbrk.MSVCRT ref: 10017E83

Strings

javascript:, xrefs: 10017E3F
localhost, xrefs: 10017DDE
:/|\., xrefs: 10017E7D
vbscript:, xrefs: 10017E50
https://, xrefs: 10017E1D
http://, xrefs: 10017E0C
ftp://, xrefs: 10017E2E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _wcsnicmp$wcscmpwcslenwcspbrkwcsstr
String ID: :/|\.$ftp://$http://$https://$javascript:$localhost$vbscript:
API String ID: 3160192141-1711445859
Opcode ID: 6a7debb504c7e993a951f729c3ab25f8b39055983d04f8b957294800688daba9
Instruction ID: f194edb22434267654494b889f6efc74f2bd22c525861fb9fbdc07d205e64b4f
Opcode Fuzzy Hash: 6a7debb504c7e993a951f729c3ab25f8b39055983d04f8b957294800688daba9
Instruction Fuzzy Hash: C711E732A4421635F610D2A07C80FBB37F9EF45A61F52006AFF49F94C2EB34C8818551

Function 10009768 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 219timeCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 10009780
wcslen.MSVCRT ref: 10009793
_wtol.MSVCRT ref: 1000979D
memset.MSVCRT ref: 100097B6
GetTickCount.KERNEL32 ref: 100097EC
GetTickCount.KERNEL32 ref: 1000981E
GetTickCount.KERNEL32 ref: 10009826
WaitForMultipleObjects.KERNEL32(00000000,00000000,00000000,000003E8,00000000,0000000B,00000000), ref: 1000986F
GetTickCount.KERNEL32 ref: 10009878
_ftol.MSVCRT ref: 100098AE
GetTickCount.KERNEL32 ref: 100098EE
GetTickCount.KERNEL32 ref: 10009902
GetTickCount.KERNEL32 ref: 10009933
CancelWaitableTimer.KERNEL32(?), ref: 10009943
CloseHandle.KERNEL32(?), ref: 1000994C

Part of subcall function 10009A81: ResetEvent.KERNEL32(00000002,?,?,?,74DF23A0,10009973,?), ref: 10009A9D
Part of subcall function 10009A81: SetEvent.KERNEL32(00000002,?), ref: 10009AD3

Strings

#MetalinkFile, xrefs: 10009772, 10009778, 10009792

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$Event$CancelCloseHandleMultipleObjectsResetTimerWaitWaitable_ftol_wtolmemsetwcslenwcsstr
String ID: #MetalinkFile
API String ID: 1985365525-1923780446
Opcode ID: 6f71cc2a9b6d373f039912b02bb6367e810c9892d2b72053574ace3a0ad65764
Instruction ID: 630fc4b9c01b40567c9530745384ca80ec1dcf58cbbde26ea8ef9319da5b4daa
Opcode Fuzzy Hash: 6f71cc2a9b6d373f039912b02bb6367e810c9892d2b72053574ace3a0ad65764
Instruction Fuzzy Hash: 6181BE31A00B05DBEB25CB74C889B9EB7F5FF45381F20441EE45A93299DB34BA45DB82

Function 1000690A Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000690F
wcscmp.MSVCRT ref: 1000693B

Part of subcall function 100029C4: InterlockedDecrement.KERNEL32(-000000F4), ref: 100029D8

UrlCanonicalizeW.SHLWAPI(?,?,?,06000000), ref: 100069C8
wcscmp.MSVCRT ref: 100069DA
wcscmp.MSVCRT ref: 100069F0
memset.MSVCRT ref: 10006A0A
memset.MSVCRT ref: 10006A1D
UrlCanonicalizeW.SHLWAPI(?,?,00001047,06000000), ref: 10006A55
wcscmp.MSVCRT ref: 10006A61
wcscmp.MSVCRT ref: 10006A73
wcslen.MSVCRT ref: 10006A8D

Strings

http://www.iesuper.com/, xrefs: 10006A84, 10006A8C, 10006A9C, 10006AA1
OPTIONS.HTM, xrefs: 10006A2A
TWHOME.HTM, xrefs: 10006997

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcscmp$Canonicalizememset$DecrementH_prologInterlockedwcslen
String ID: OPTIONS.HTM$TWHOME.HTM$http://www.iesuper.com/
API String ID: 3304165883-4163634160
Opcode ID: 62566cbfe10e190bebe8ffab763d4d00584f576bdd423808337f4602c31a6a8c
Instruction ID: cb39d408bf088b0951aad50313677c5ed264b629dcd18b1806f2de7eb3a75e07
Opcode Fuzzy Hash: 62566cbfe10e190bebe8ffab763d4d00584f576bdd423808337f4602c31a6a8c
Instruction Fuzzy Hash: D4519376600158ABEB11DB90DC44ADEB7B9EF08350F208566F909E7190DB75EFC88F61

Function 1000D9C1 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 79registryCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 1000D9D7
wcscat.MSVCRT ref: 1000D9E7
RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000DA0C
wcslen.MSVCRT ref: 1000DA21
RegSetValueExW.ADVAPI32(?,URL,00000000,00000001,1000708A,00000000), ref: 1000DA3B
wcslen.MSVCRT ref: 1000DA40
RegSetValueExW.ADVAPI32(?,DisplayName,00000000,00000001,?,00000000), ref: 1000DA54
_wtoi.MSVCRT(00000000), ref: 1000DA59
RegDeleteValueW.ADVAPI32(?,Codepage), ref: 1000DA6F
RegSetValueExW.ADVAPI32(?,Codepage,00000000,?,?,?), ref: 1000DA88
RegCloseKey.ADVAPI32(?), ref: 1000DA8D

Strings

baidu, xrefs: 1000DA16
URL, xrefs: 1000DA33
DisplayName, xrefs: 1000DA4C
Software\Microsoft\Internet Explorer\SearchScopes\, xrefs: 1000D9D1
Codepage, xrefs: 1000DA67, 1000DA80

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$wcslen$CloseCreateDelete_wtoiwcscatwcscpy
String ID: Codepage$DisplayName$Software\Microsoft\Internet Explorer\SearchScopes\$URL$baidu
API String ID: 405284123-1939896357
Opcode ID: ac1e7036bd7902e3292f357635d340270893e0b5acaf481b97a725cffa3a7cc0
Instruction ID: 571854ecd1b8e36ca2e0bb57c719ce73a3ddfe35739df98d9e4bb78370771671
Opcode Fuzzy Hash: ac1e7036bd7902e3292f357635d340270893e0b5acaf481b97a725cffa3a7cc0
Instruction Fuzzy Hash: BB21E5B190011CBFEF11EFA4DC89EEE7B3EEB04395F104466FA14A2060D771CE54AA60

Function 10001000 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 105registrystringCOMMON

Download Yara Rule

APIs

StringFromIID.OLE32(?,100044F6,?,100195E8,IESuper), ref: 10001014
lstrcpyW.KERNEL32(?,100044F6,?,100195E8,IESuper), ref: 1000102B
CoTaskMemFree.OLE32(100044F6,?,100195E8,IESuper), ref: 10001034
GetModuleFileNameW.KERNEL32(?,00000104,?,100195E8,IESuper), ref: 1000104C
wsprintfW.USER32 ref: 100010BE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 100010DE
wsprintfW.USER32 ref: 100010F8
lstrlenW.KERNEL32(?), ref: 10001104
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 1000111D
RegCloseKey.ADVAPI32(?), ref: 10001126

Strings

ThreadingModel, xrefs: 1000108D
CLSID\%s\InprocServer32, xrefs: 10001063
IESuper, xrefs: 10001009
Apartment, xrefs: 10001094
CLSID\%s, xrefs: 10001071

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CloseCreateFileFreeFromModuleNameStringTaskValuelstrcpylstrlen
String ID: Apartment$CLSID\%s$CLSID\%s\InprocServer32$IESuper$ThreadingModel
API String ID: 3066030196-877039199
Opcode ID: d9663307bc1479b76ee1fb5d1262ec25d633ac761b2c19709b5f5973d08f50d1
Instruction ID: 7411339d7e0291c689bf617d571bf96f231ddd9c12cd75736d3b12e80c7ec098
Opcode Fuzzy Hash: d9663307bc1479b76ee1fb5d1262ec25d633ac761b2c19709b5f5973d08f50d1
Instruction Fuzzy Hash: 6541D2B1D0022DAFEB11CF95DC84ADEBBB9FB48344F50446AE649E2210D7759A858FA0

Function 10003310 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 187COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 10003340

Part of subcall function 10015636: _snwprintf.MSVCRT ref: 100156A3
Part of subcall function 10015636: wcslen.MSVCRT ref: 100156A8
Part of subcall function 10015636: _wcsicmp.MSVCRT ref: 100156CB
Part of subcall function 10015636: _wcsnicmp.MSVCRT ref: 100156E6
Part of subcall function 10015636: wcsstr.MSVCRT ref: 10015720
Part of subcall function 10015636: _snwprintf.MSVCRT ref: 1001573D

Part of subcall function 1000C5BB: GetModuleFileNameW.KERNEL32(?,?,00000104,759A5720), ref: 1000C5D5
Part of subcall function 1000C5BB: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000C5F2
Part of subcall function 1000C5BB: wcslen.MSVCRT ref: 1000C5FF
Part of subcall function 1000C5BB: _snwprintf.MSVCRT ref: 1000C647

_snwprintf.MSVCRT ref: 10003412
_snwprintf.MSVCRT ref: 1000346A
_snwprintf.MSVCRT ref: 10003479
_snwprintf.MSVCRT ref: 100034A1
_snwprintf.MSVCRT ref: 100034C4

Part of subcall function 10008F8A: memset.MSVCRT ref: 10008F99
Part of subcall function 10008F8A: memset.MSVCRT ref: 10008FA9
Part of subcall function 10008F8A: wcslen.MSVCRT ref: 10009009
Part of subcall function 10008F8A: InternetCrackUrlW.WININET(00000001,00000000), ref: 10009014

PathFindFileNameW.SHLWAPI(?), ref: 100034F0
_snwprintf.MSVCRT ref: 1000350E
wcscmp.MSVCRT ref: 1000357E

Strings

type, xrefs: 1000334E
url, xrefs: 1000343E
path, xrefs: 100033D8
%s%s%s, xrefs: 10003401, 10003494, 100034B7, 10003507
needfile, xrefs: 10003512

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintf$Namewcslen$FilePathmemset$CrackFindInternetModuleShort_wcsicmp_wcsnicmpwcscmpwcsstr
String ID: %s%s%s$needfile$path$type$url
API String ID: 262568120-1278291327
Opcode ID: 7387156db1fd7326e9f0e75549ed9a3fd860f970252634ab18af79514d29ee2a
Instruction ID: ec76fd4279573d5ed6b637c342c6532a97677fcdacc19617b863dc655d13e8f4
Opcode Fuzzy Hash: 7387156db1fd7326e9f0e75549ed9a3fd860f970252634ab18af79514d29ee2a
Instruction Fuzzy Hash: 276163B690021CBBEB11CB50CC45EDA77ADFF48300F0484B1FA18AA151EB71EB908FA5

Function 10016183 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 138stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10016188
_snprintf.MSVCRT ref: 100161E9
strlen.MSVCRT ref: 100161F2
memset.MSVCRT ref: 1001623F
memset.MSVCRT ref: 10016251
_snprintf.MSVCRT ref: 1001626D
strlen.MSVCRT ref: 10016273
strlen.MSVCRT ref: 10016281
strlen.MSVCRT ref: 10016295
strncat.MSVCRT ref: 100162A4
memset.MSVCRT ref: 100162C3
_snprintf.MSVCRT ref: 100162D9
_strlwr.MSVCRT ref: 100162DE

Strings

%02x, xrefs: 10016262

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_snprintfmemset$H_prolog_strlwrstrncat
String ID: %02x
API String ID: 2003772880-560843007
Opcode ID: 8a0b7160fcbcbb94f822e18b8a447ac1e5b81c0595e10dc75416f5d1510abeb0
Instruction ID: 4b15a6d1c2ffd24b15c861279d0faaae1b81aa9cb3b8418a1794f11c7f680ff9
Opcode Fuzzy Hash: 8a0b7160fcbcbb94f822e18b8a447ac1e5b81c0595e10dc75416f5d1510abeb0
Instruction Fuzzy Hash: 044170B290025CBEDF51DBA4DD45ADE7B78EB58340F104465F709AB142DA30EB88CF61

Function 10005382 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 10005390
FindWindowExW.USER32(?,00000000,Shell DocObject View,00000000), ref: 100053B0
FindWindowExW.USER32(00000000,00000000,Internet Explorer_Server,00000000), ref: 100053BE
IsWindow.USER32(?), ref: 100053C6
RevokeDragDrop.OLE32(?), ref: 100053E7
FindWindowExW.USER32(Edit,00000000,WorkerW,00000000), ref: 1000544B
FindWindowExW.USER32(1001F460,00000000,ToolbarWindow32,00000000), ref: 10005475

Strings

ReBarWindow32, xrefs: 10005426
ToolbarWindow32, xrefs: 10005469
Edit, xrefs: 10005411, 1000544A
Internet Explorer_Server, xrefs: 100053B7
InstallDone, xrefs: 10005499
WorkerW, xrefs: 10005416, 10005448
Shell DocObject View, xrefs: 100053A7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Find$DragDropRevoke
String ID: Edit$InstallDone$Internet Explorer_Server$ReBarWindow32$Shell DocObject View$ToolbarWindow32$WorkerW
API String ID: 4254147786-525609979
Opcode ID: d643c0971917190508fe8f04a425256b77bb766474f137a422aa59a996db6cda
Instruction ID: 37b61a569b177c693c955738744928b7ea65ec7c25e141400b18a16501be2e68
Opcode Fuzzy Hash: d643c0971917190508fe8f04a425256b77bb766474f137a422aa59a996db6cda
Instruction Fuzzy Hash: F0319DB0900319AFEB20DF64CC808ABBBF9FF48286750492DE556A7151D731EE84CF60

Function 1001790C Relevance: 24.2, APIs: 16, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 1001791A
CopyRect.USER32(?,?), ref: 10017931
CreateCompatibleDC.GDI32(?), ref: 1001794A
CreateCompatibleBitmap.GDI32(?,?,?), ref: 10017964
SelectObject.GDI32(00000000,00000000), ref: 10017971
CopyRect.USER32(?,?), ref: 10017982
OffsetRect.USER32(?,?,?), ref: 1001799A
OffsetRect.USER32(?,00000000,00000001), ref: 100179C6
CopyRect.USER32(?,?), ref: 100179D0
InflateRect.USER32(?,?,00000000), ref: 100179E6
OffsetRect.USER32(?,?,?), ref: 100179FC
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 10017A7B
SelectObject.GDI32(?,00000002), ref: 10017A85
DeleteObject.GDI32(?), ref: 10017A8E
DeleteDC.GDI32(?), ref: 10017A95
ReleaseDC.USER32(?,?), ref: 10017AA1

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$CopyObjectOffset$CompatibleCreateDeleteSelect$BitmapInflateRelease
String ID:
API String ID: 578126261-0
Opcode ID: 9113f9c909a386bddc41870b322101b889e4e11eb70e6855f36f02d0653ffaaa
Instruction ID: 36c6ef6249fa92ce660fe1c7c9a5fadf03c6f4e1d29603deddb15b1cc72293df
Opcode Fuzzy Hash: 9113f9c909a386bddc41870b322101b889e4e11eb70e6855f36f02d0653ffaaa
Instruction Fuzzy Hash: 6B51B172900219AFDF11DFA5CD89DEEBBBDFF4C210B108519F616E2260DA35EA54CB60

Function 1000D2F7 Relevance: 24.1, APIs: 13, Strings: 3, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 1000D30E
_strnicmp.MSVCRT ref: 1000D327
memset.MSVCRT ref: 1000D33F
strncpy.MSVCRT ref: 1000D350
strcat.MSVCRT(?,tn=sper_3_dg), ref: 1000D35F
strlen.MSVCRT ref: 1000D365
strstr.MSVCRT ref: 1000D378
strcat.MSVCRT(?,00000000), ref: 1000D387
strchr.MSVCRT ref: 1000D392
strcat.MSVCRT(?,00000000), ref: 1000D3A4
strlen.MSVCRT ref: 1000D3AA
strlen.MSVCRT ref: 1000D3B7
memcpy.MSVCRT(?,?,?,?), ref: 1000D3C8

Strings

tn=sper_3_dg, xrefs: 1000D356, 1000D35B, 1000D364
tn=baidu, xrefs: 1000D321
tn=, xrefs: 1000D304

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strcatstrlen$strstr$_strnicmpmemcpymemsetstrchrstrncpy
String ID: tn=$tn=baidu$tn=sper_3_dg
API String ID: 1454370496-837465332
Opcode ID: b5ff8ca7c869f4f42a6f4accb6fdf1dbce91c6734673cad0b62f26835b74fe3d
Instruction ID: 8442be85d0204b65fc6943ac3f35a0828b34024cb11d667fdd5da4a74e8a4c0b
Opcode Fuzzy Hash: b5ff8ca7c869f4f42a6f4accb6fdf1dbce91c6734673cad0b62f26835b74fe3d
Instruction Fuzzy Hash: 00213737500208BBDF42DF51EC45D9E3B6AEF852A0F118120FE0866111DB31EF65DBA1

Function 100111C0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 100111D9
memset.MSVCRT ref: 100111E5
Netbios.NETAPI32(?), ref: 10011204
memset.MSVCRT ref: 10011220
Netbios.NETAPI32(00000037), ref: 10011233
memset.MSVCRT ref: 1001123F
strcpy.MSVCRT(?,* ,00000032,00000000,00000040,00000037,?,?,00000040,?,?,?,?,?), ref: 10011254
Netbios.NETAPI32(00000033), ref: 1001126D
_snprintf.MSVCRT ref: 100112C2
strcat.MSVCRT(100D49A0,?,?,?,?,?,00000037,?,?,00000040,?,?,?,?,?), ref: 100112CD

Strings

3, xrefs: 1001124D
%02X%02X%02X%02X%02X%02X, xrefs: 100112B7
* , xrefs: 10011247

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$Netbios$_snprintfstrcatstrcpy
String ID: %02X%02X%02X%02X%02X%02X$* $3
API String ID: 4206019237-3860363367
Opcode ID: 8865ebdfef01d3c0db6da997edaf4cadb5cab0e94b368b99f4fd53c0a0094c80
Instruction ID: 1657400e57d9d52ef90c8ef2a30d491ca62edc1a9d83f23fd0c53b293bd51e2d
Opcode Fuzzy Hash: 8865ebdfef01d3c0db6da997edaf4cadb5cab0e94b368b99f4fd53c0a0094c80
Instruction Fuzzy Hash: 0431CFB2D042ACBADB11D7E9DC49EEF7BBCAB49200F040055FA44EB142D77897098B71

Function 100152C1 Relevance: 22.6, APIs: 15, Instructions: 130COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 100152D6
memset.MSVCRT ref: 100152EC
wcslen.MSVCRT ref: 10015307
wcsncpy.MSVCRT ref: 10015323
_wfopen.MSVCRT ref: 1001533E
fclose.MSVCRT ref: 1001535B
_wfopen.MSVCRT ref: 1001536F
fseek.MSVCRT ref: 10015394
ftell.MSVCRT ref: 10015397
fseek.MSVCRT ref: 100153A4
malloc.MSVCRT ref: 100153B1
memset.MSVCRT ref: 100153C2
fread.MSVCRT ref: 100153CE
free.MSVCRT ref: 100153E1

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _wfopenfseekmallocmemset$fclosefreadfreeftellwcslenwcsncpy
String ID:
API String ID: 1646207902-0
Opcode ID: b4869c71ed4ca35a17ca5570705a3006f231d294be589e53c5440fec012ef646
Instruction ID: f7e3cdf901614cc1aa896df95f9e2d6d89523c2b888d84198bcb6af51d1148d4
Opcode Fuzzy Hash: b4869c71ed4ca35a17ca5570705a3006f231d294be589e53c5440fec012ef646
Instruction Fuzzy Hash: F741C332900215FFEB10CF95DC89A9E7BB8EF45392F24405AF910AB250D7B1DB80CA90

Function 1000DFFB Relevance: 21.2, APIs: 14, Instructions: 208stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000E000
memset.MSVCRT ref: 1000E02B
??2@YAPAXI@Z.MSVCRT(00058328,?,?,?,?,00000000), ref: 1000E064
ObtainUserAgentString.URLMON(00000000,?,00000824), ref: 1000E0BD
lstrlenA.KERNEL32(?,?,?,00000000,?,00000824,?,?,?,?,00000000), ref: 1000E0F4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?,?,?,00000000), ref: 1000E11E
GetUrlCacheEntryInfoW.WININET(?,00000000,00000001), ref: 1000E15B
GetLastError.KERNEL32 ref: 1000E165
??2@YAPAXI@Z.MSVCRT(00000001), ref: 1000E177
memset.MSVCRT ref: 1000E189
GetUrlCacheEntryInfoW.WININET(?,00000000,00000001), ref: 1000E19E
_snwprintf.MSVCRT ref: 1000E1CF
CreateUrlCacheEntryW.WININET(?,00000000,?,?,00000000), ref: 1000E22E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CacheEntry$??2@Infomemset$AgentByteCharCreateErrorH_prologLastMultiObtainStringUserWide_snwprintflstrlen
String ID:
API String ID: 3255960256-0
Opcode ID: 9171001e7009ff2accbee7a398e37cea6d8a03e7a6978c644b23164bd9a80296
Instruction ID: 4e1ff2b20ad6cb44fb07c355b61c51348481639505e9b91331eb8b4d13c3da01
Opcode Fuzzy Hash: 9171001e7009ff2accbee7a398e37cea6d8a03e7a6978c644b23164bd9a80296
Instruction Fuzzy Hash: 0A71BF7590026AAFEF11DFA0CC85ADE7BB9EF09390F000069F905A6255DB70DE94CBA1

Function 1000580B Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10005810
LoadStringW.USER32(0000007C,?,00000104), ref: 10005869
wcslen.MSVCRT ref: 10005876
_wcsnicmp.MSVCRT ref: 10005887
wcslen.MSVCRT ref: 100058B8
wcscmp.MSVCRT ref: 100058D3

Part of subcall function 1000D75E: memset.MSVCRT ref: 1000D798
Part of subcall function 1000D75E: memset.MSVCRT ref: 1000D7B1
Part of subcall function 1000D75E: wcsncmp.MSVCRT ref: 1000D7C0
Part of subcall function 1000D75E: wcslen.MSVCRT ref: 1000D7D9
Part of subcall function 1000D75E: InternetCrackUrlW.WININET(?,00000000), ref: 1000D7EA
Part of subcall function 1000D75E: _snwprintf.MSVCRT ref: 1000D824
Part of subcall function 1000D75E: wcslen.MSVCRT ref: 1000D835
Part of subcall function 1000D75E: InternetCrackUrlW.WININET(?,00000000), ref: 1000D844
Part of subcall function 1000D75E: _snwprintf.MSVCRT ref: 1000D85E

_snwprintf.MSVCRT ref: 1000592E
SysAllocString.OLEAUT32(?), ref: 1000593E
SysFreeString.OLEAUT32(00000000), ref: 100059C8

Strings

none, xrefs: 100058CD
`<u, xrefs: 100059C8
%s?url=%s&domain=%s, xrefs: 1000591D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$String_snwprintf$CrackInternetmemset$AllocFreeH_prologLoad_wcsnicmpwcscmpwcsncmp
String ID: %s?url=%s&domain=%s$`<u$none
API String ID: 1672485501-2019379728
Opcode ID: 1a53644df23af9466bcd51bda2b099258a13530d6edb1217004ac25bab85e7cc
Instruction ID: 93f096ff27659a06d718732913a21536b84a988f42cf6aefa9a8764f8e6615ca
Opcode Fuzzy Hash: 1a53644df23af9466bcd51bda2b099258a13530d6edb1217004ac25bab85e7cc
Instruction Fuzzy Hash: 99511975900218EFEB10CFA4CC88AEA7BB9FF48395F1084A9F949DB251DB35DA45CB50

Function 10007641 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\Main,00000000,000F003F,?), ref: 10007685
RegQueryValueExW.ADVAPI32(?,CompatibilityFlags,00000000,?,?,?), ref: 100076C2
RegSetValueExW.ADVAPI32(?,CompatibilityFlags,00000000,?,?,?), ref: 100076DD
RegQueryValueExW.ADVAPI32(?,CompatibilityFlags,00000000,?,00000000,?), ref: 100076F9
RegSetValueExW.ADVAPI32(?,CompatibilityFlags,00000000,?,?,?), ref: 10007716
RegCloseKey.ADVAPI32(?), ref: 1000771F
ShellExecuteW.SHELL32(?,runas,?,?,00000000,00000005), ref: 100077B8

Strings

OptionLast, xrefs: 10007765
runas, xrefs: 100077B0
Software\Microsoft\Internet Explorer\Main, xrefs: 10007678
OPTIONS.HTM, xrefs: 1000773C
CompatibilityFlags, xrefs: 100076B3, 100076B8, 100076D9, 100076F5, 10007712

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$Query$CloseExecuteOpenShell
String ID: CompatibilityFlags$OPTIONS.HTM$OptionLast$Software\Microsoft\Internet Explorer\Main$runas
API String ID: 436762794-183350741
Opcode ID: 9e0f315fce0674b66a1efda5da5a895381583be5035e6984e30a64e46faa16d1
Instruction ID: db13cf486ebbd513a20f96ce0beb7af4ca289bc42e8b889d4e30b4579b3ddc4b
Opcode Fuzzy Hash: 9e0f315fce0674b66a1efda5da5a895381583be5035e6984e30a64e46faa16d1
Instruction Fuzzy Hash: 2941F976900129BBEB11DB94CD85FDFBBB8EF08780F104066F608E6150D7749B94DBA1

Function 1000D75E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 105networkCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000D798
memset.MSVCRT ref: 1000D7B1
wcsncmp.MSVCRT ref: 1000D7C0
wcslen.MSVCRT ref: 1000D7D9
InternetCrackUrlW.WININET(?,00000000), ref: 1000D7EA
_snwprintf.MSVCRT ref: 1000D824
wcslen.MSVCRT ref: 1000D835
InternetCrackUrlW.WININET(?,00000000), ref: 1000D844
_snwprintf.MSVCRT ref: 1000D85E
wcslen.MSVCRT ref: 1000D892

Strings

http://%s, xrefs: 1000D80D
http://, xrefs: 1000D7B8

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$CrackInternet_snwprintfmemset$wcsncmp
String ID: http://$http://%s
API String ID: 1371497538-3906578142
Opcode ID: 92350155014ea76997e477135f906ba70b0d9eadca8c60ac97c50ae85c306951
Instruction ID: b1d00828ed0e6bd2a71709e1be81bf8901634fbe84eb1280c760825859f30c93
Opcode Fuzzy Hash: 92350155014ea76997e477135f906ba70b0d9eadca8c60ac97c50ae85c306951
Instruction Fuzzy Hash: 14313D71900159FFEB14DFA4CD45EEE7BB8FB48390F108126F919E7291D774AA808B60

Function 1000439A Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(80000001,Software\IESuper,OEMID,00000001,00000000,?,?,00000000,?), ref: 100043EC
wcslen.MSVCRT ref: 100043FF
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000000,?), ref: 10004431
wcsrchr.MSVCRT ref: 10004446
wcsrchr.MSVCRT ref: 1000445A
wcsncpy.MSVCRT ref: 1000447A
wcslen.MSVCRT ref: 1000448A
wcscpy.MSVCRT ref: 1000449D
wcslen.MSVCRT ref: 100044AC
SHSetValueW.SHLWAPI(80000001,Software\IESuper,OEMID,00000001,00000000,00000000), ref: 100044C6

Strings

Software\IESuper, xrefs: 100043DF, 100044C0
OEMID, xrefs: 100043DA, 100044BB

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$Valuewcsrchr$FileModuleNamewcscpywcsncpy
String ID: OEMID$Software\IESuper
API String ID: 878708928-3125539565
Opcode ID: c9000a34d1b28cfee9711dd435bcb09c8129d510a9977c025d127bc12e29f2d7
Instruction ID: 65c09d6c9c9dd2522e41e026c12c94e6c9402e0bbab6f8ed115d301352d94bd1
Opcode Fuzzy Hash: c9000a34d1b28cfee9711dd435bcb09c8129d510a9977c025d127bc12e29f2d7
Instruction Fuzzy Hash: 08316AB294011EBAEB14DBA4DC88FDE77BCEB44315F1045A6E605E2080EB74DA898F65

Function 1000B87A Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 1000B894
wcsstr.MSVCRT ref: 1000B8A0
wcslen.MSVCRT ref: 1000B8B5
wcsstr.MSVCRT ref: 1000B8CD
wcslen.MSVCRT ref: 1000B8E0
wcsncpy.MSVCRT ref: 1000B8E9
_snwprintf.MSVCRT ref: 1000B92A
wcslen.MSVCRT ref: 1000B94F
wcslen.MSVCRT ref: 1000B965
wcsncpy.MSVCRT ref: 1000B973

Strings

http://127.0.0.1/%s, xrefs: 1000B919
filename=, xrefs: 1000B896, 1000B89E, 1000B8B4, 1000B8CC, 1000B8DF, 1000B8E4

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$wcsncpywcsstr$_snwprintf
String ID: filename=$http://127.0.0.1/%s
API String ID: 2711214754-1057669832
Opcode ID: f8414632bd9383f32ea1601cf84152086d66556a1653ff23507061652ef9881a
Instruction ID: 8e1e9d0e2da328834bcdb5bc3c51e871054118b8077ee1a76f2fa13ba3d44b55
Opcode Fuzzy Hash: f8414632bd9383f32ea1601cf84152086d66556a1653ff23507061652ef9881a
Instruction Fuzzy Hash: 19319372900129BBEB21CFA4CC8499E77BCEB44390F104466FA05D7151DB74EF858BA0

Function 1000D3DA Relevance: 19.7, APIs: 7, Strings: 6, Instructions: 164stringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,GET ,?), ref: 1000D427
memcmp.MSVCRT(00000000,/baidu?,00000007), ref: 1000D442
memcmp.MSVCRT(00000000,/s?,00000003), ref: 1000D456
strcmp.MSVCRT ref: 1000D4ED

Strings

Host:, xrefs: 1000D4AD
GET , xrefs: 1000D421
baidu.com, xrefs: 1000D404, 1000D4D3, 1000D4E5, 1000D569
/baidu?, xrefs: 1000D43C
Referer:, xrefs: 1000D48C
/s?, xrefs: 1000D450

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memcmp$strcmp
String ID: /baidu?$/s?$GET $Host:$Referer:$baidu.com
API String ID: 3880856002-23847835
Opcode ID: ef516140d27bd30e0fe45a033b4d347a783353c5b346cdb7d85dd74fd3e43c75
Instruction ID: 8859337cac950374e956588c5a9ce78731c6bfde67263febe9541adf2059016d
Opcode Fuzzy Hash: ef516140d27bd30e0fe45a033b4d347a783353c5b346cdb7d85dd74fd3e43c75
Instruction Fuzzy Hash: C351C272900259BBEB11EEA49C41F9F37ACEF45294F404466FE05EA146EB34EF54CBA0

Function 10010275 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 144filestringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001027A

Part of subcall function 1000C553: memset.MSVCRT ref: 1000C56C
Part of subcall function 1000C553: FindFirstFileW.KERNEL32(?,?,?,?,00000103), ref: 1000C57E

_snwprintf.MSVCRT ref: 100102E7
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000), ref: 1001031D
GetFileSize.KERNEL32(00000000,00000000), ref: 1001032B
CloseHandle.KERNEL32(?), ref: 1001033B

Part of subcall function 1000C5BB: GetModuleFileNameW.KERNEL32(?,?,00000104,759A5720), ref: 1000C5D5
Part of subcall function 1000C5BB: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000C5F2
Part of subcall function 1000C5BB: wcslen.MSVCRT ref: 1000C5FF
Part of subcall function 1000C5BB: _snwprintf.MSVCRT ref: 1000C647

??2@YAPAXI@Z.MSVCRT(00000001), ref: 1001034C
memset.MSVCRT ref: 1001035A
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 10010370
lstrlenW.KERNEL32(00000002), ref: 1001038F
CloseHandle.KERNEL32(?), ref: 100103B4

Strings

script, xrefs: 100103EF

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseHandleName_snwprintfmemset$??2@CreateFindFirstH_prologModulePathReadShortSizelstrlenwcslen
String ID: script
API String ID: 2398544269-478250810
Opcode ID: 20133d6ba9e68795b63ed161432624c4f8c5c82803f3a856133814a9b4f2026d
Instruction ID: 03c846af80812b13f89b20b23e335b0924a1c70251ee21fa04d4dae7cce2b6a7
Opcode Fuzzy Hash: 20133d6ba9e68795b63ed161432624c4f8c5c82803f3a856133814a9b4f2026d
Instruction Fuzzy Hash: 70419175A0025ABFEB10DF64DC899DE7BADFF08350F104529F9A8AA151D770EF808B60

Function 10010FA3 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 117stringfileCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 10010FC1
lstrlenA.KERNEL32(?), ref: 10010FDF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10011007
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000001), ref: 1001101A
memset.MSVCRT ref: 1001103D
strncpy.MSVCRT ref: 10011078
DeviceIoControl.KERNEL32(?,0004D008,0000001C,0000003C,0000001C,0000022D,?,00000000), ref: 100110AF
strcat.MSVCRT(100D49A0,00000000,?,0000000A,00000013,?,?,?,00000000,?,00000001), ref: 100110F5
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00000001), ref: 10011114

Strings

\\.\Scsi%d:, xrefs: 10010FB8
SCSIDISK, xrefs: 1001104A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharCloseControlCreateDeviceFileHandleMultiWidelstrlenmemsetsprintfstrcatstrncpy
String ID: SCSIDISK$\\.\Scsi%d:
API String ID: 4135874329-2176293039
Opcode ID: 910175f872d89e2625d35dc20f1fd8b4d318084553eaae1e24ff5539a286ea95
Instruction ID: 4861c6b1dadbe7633f3654895aeac7f99305b5c96ab27be4de6bf117b82b1194
Opcode Fuzzy Hash: 910175f872d89e2625d35dc20f1fd8b4d318084553eaae1e24ff5539a286ea95
Instruction Fuzzy Hash: E7413CB190021DBAEB21DB94CC89BEEBBBCEB05354F1041A5F609EA181D7749B85CF61

Function 10015D1D Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,CtrlAltSave), ref: 10015D6B
LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015D87
wcscpy.MSVCRT ref: 10015DA0
wcscat.MSVCRT ref: 10015DBF
wcscat.MSVCRT ref: 10015DCB
RegCreateKeyExW.ADVAPI32(00000000,80000001,00000000,00000000,00000000,000F003F,00000000,80000001,00000000), ref: 10015DEB
wcslen.MSVCRT ref: 10015E07
RegSetValueExW.ADVAPI32(80000001,00000000,00000000,00000001,80000001,?), ref: 10015E21
RegCloseKey.ADVAPI32(80000001), ref: 10015E2A

Strings

Software\Phoenix, xrefs: 10015D9A
CtrlAltSave, xrefs: 10015D26

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSectionwcscat$CloseCreateEnterLeaveValuewcscpywcslen
String ID: CtrlAltSave$Software\Phoenix
API String ID: 3729134675-1647637443
Opcode ID: 48825b5fbf322b3671666b9516b27d916b26fecbc0d22d0d71b63b74e43d1a84
Instruction ID: 3b43f667d6a9f126b262126e154217a2a5e9fb10e4a65542ec25f1ae866040bd
Opcode Fuzzy Hash: 48825b5fbf322b3671666b9516b27d916b26fecbc0d22d0d71b63b74e43d1a84
Instruction Fuzzy Hash: C4318F72800219FFEF10DFA4CC889DE7BB9FB08352F648565FA149A161D732CE909B90

Function 1001150A Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 99timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1001153E
wcscpy.MSVCRT ref: 10011557
CreateFontIndirectW.GDI32(?), ref: 10011564
GetClientRect.USER32(100055D5,?), ref: 100115C7
SetTimer.USER32(100055D5,00000100,000007D0,00000000), ref: 10011646
SetPropW.USER32(100055D5,IESuper_PROP,?), ref: 10011655

Strings

IESuperWnd, xrefs: 10011511
IESuper_PROP, xrefs: 1001164D
IMG, xrefs: 1001156A, 10011575, 1001158D, 100115A5
Tahoma, xrefs: 10011546
TAB, xrefs: 10011524

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ClientCreateFontIndirectPropRectTimermemsetwcscpy
String ID: IESuperWnd$IESuper_PROP$IMG$TAB$Tahoma
API String ID: 3331278637-2701171811
Opcode ID: 8385bc23e2889283a74231325a7dd62cfb6696f81236473ec70de1bc737be438
Instruction ID: 2721c6b1350d66b48c3c9ac8a193c2f1bec391476fa855524e05d1e699397920
Opcode Fuzzy Hash: 8385bc23e2889283a74231325a7dd62cfb6696f81236473ec70de1bc737be438
Instruction Fuzzy Hash: 5A31A431A00744BBEB21DBA0DC4AF9F7BBAFB84754F008519F259BA1A1DBB4E540CB50

Function 10001D89 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 92memorystringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10001D8E

Part of subcall function 1000297E: InterlockedIncrement.KERNEL32(-000000F4), ref: 10002993

Part of subcall function 10002F5A: lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002F78

lstrlenW.KERNEL32(?,?), ref: 10001E12

Part of subcall function 100029F0: memcpy.MSVCRT(?,?,?,?,?,?,00000000,1000F2FD,?,?), ref: 10002A0D

SysFreeString.OLEAUT32(?), ref: 10001E2A

Part of subcall function 10002F5A: wcsstr.MSVCRT ref: 10002FBA
Part of subcall function 10002F5A: lstrlenW.KERNEL32(74DEE0B0,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002FD2

SysAllocString.OLEAUT32(?), ref: 10001E45
SysAllocString.OLEAUT32(JScript), ref: 10001E4E

Part of subcall function 100100CB: __EH_prolog.LIBCMT ref: 100100D0

SysFreeString.OLEAUT32(00000000), ref: 10001E64
SysFreeString.OLEAUT32(00000000), ref: 10001E6C

Strings

%%s, xrefs: 10001DD1
`<u, xrefs: 10001E24
JScript, xrefs: 10001E47
%%id, xrefs: 10001E32

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: String$Freelstrlen$AllocH_prolog$IncrementInterlockedmemcpywcsstr
String ID: %%id$%%s$JScript$`<u
API String ID: 2321788231-2706375262
Opcode ID: 26dbda674a993f3b18adcef2a83ae750e1465798a8a87bdaf3fe1d0e04c2c583
Instruction ID: 0cdca22aecbc00fcb66fe8d19cfa70ae02482bf4dc0d91ede848454dd09ae9b7
Opcode Fuzzy Hash: 26dbda674a993f3b18adcef2a83ae750e1465798a8a87bdaf3fe1d0e04c2c583
Instruction Fuzzy Hash: 6A31887590015AAFDF00DFA0CD91DEEBBB8EF44380F104128F905A71A5DB70AE45CBA1

Function 100044D1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 91registryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001000: StringFromIID.OLE32(?,100044F6,?,100195E8,IESuper), ref: 10001014
Part of subcall function 10001000: lstrcpyW.KERNEL32(?,100044F6,?,100195E8,IESuper), ref: 1000102B
Part of subcall function 10001000: CoTaskMemFree.OLE32(100044F6,?,100195E8,IESuper), ref: 10001034
Part of subcall function 10001000: GetModuleFileNameW.KERNEL32(?,00000104,?,100195E8,IESuper), ref: 1000104C
Part of subcall function 10001000: wsprintfW.USER32 ref: 100010BE
Part of subcall function 10001000: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00020006,00000000,?,?), ref: 100010DE
Part of subcall function 10001000: wsprintfW.USER32 ref: 100010F8
Part of subcall function 10001000: lstrlenW.KERNEL32(?), ref: 10001104
Part of subcall function 10001000: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 1000111D
Part of subcall function 10001000: RegCloseKey.ADVAPI32(?), ref: 10001126

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10004518
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000452D
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC1}\iexplore,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 10004580
RegSetValueExW.ADVAPI32(?,Flags,00000000,?,?,?), ref: 100045A4
RegSetValueExW.ADVAPI32(?,Blocked,00000000,?,00000002,?), ref: 100045B5
RegCloseKey.ADVAPI32(?), ref: 100045BA

Strings

{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}, xrefs: 10004549
Blocked, xrefs: 100045AD
IESuper, xrefs: 100044DC, 100044E2, 10004548
Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC1}\iexplore, xrefs: 10004573
Flags, xrefs: 1000459C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: NameValue$CloseCreateFileModulewsprintf$FreeFromPathShortStringTasklstrcpylstrlen
String ID: Blocked$Flags$IESuper$Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC1}\iexplore${1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}
API String ID: 3983472367-722052539
Opcode ID: 204cec492408f80df8fe13e9cc6d840053b8abd4f41450006ef24e4f7ea18217
Instruction ID: c13f6c9e8e8274ddb3120588e8608d43b6f5b14a85ab9e3862a1ec3e9bccbefe
Opcode Fuzzy Hash: 204cec492408f80df8fe13e9cc6d840053b8abd4f41450006ef24e4f7ea18217
Instruction Fuzzy Hash: BC2162B590012CBFFB21EBA18C89EDF7A7CDF057D5F0140A1FA04A6055E6719F84CAA1

Function 100090A1 Relevance: 18.9, APIs: 15, Instructions: 135COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000001,1007B388,?,00000000,1000EA25,00000001,?,00000000,?,1000EE8A,?,.dat,00000000,00002710,?), ref: 100090B7
CloseHandle.KERNEL32(?,00000001,1007B388,?,00000000,1000EA25,00000001,?,00000000,?,1000EE8A,?,.dat,00000000,00002710,?), ref: 100090CD
memset.MSVCRT ref: 1000912E
memset.MSVCRT ref: 10009140
memset.MSVCRT ref: 100091EE
memset.MSVCRT ref: 100091FC
memset.MSVCRT ref: 1000920F
memset.MSVCRT ref: 10009221
memset.MSVCRT ref: 10009236
memset.MSVCRT ref: 10009245
memset.MSVCRT ref: 10009253
memset.MSVCRT ref: 10009261
memset.MSVCRT ref: 1000926F
memset.MSVCRT ref: 1000927D
memset.MSVCRT ref: 1000928E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CloseHandle
String ID:
API String ID: 1628094390-0
Opcode ID: 98ab8599f700ef7522c03588a1d75f8939073ea91cbd80c50f32c526eca2e19e
Instruction ID: ff02a58d6fbc1e4265e5b38cef25a72597a7ec170033bf7006bcc3e7343e22b1
Opcode Fuzzy Hash: 98ab8599f700ef7522c03588a1d75f8939073ea91cbd80c50f32c526eca2e19e
Instruction Fuzzy Hash: 955107B1400B44AAC635DF76CC89CC7FBECFF99741B00491EB5AA96152D771B249CB20

Function 1000F05B Relevance: 18.1, APIs: 12, Instructions: 85filestringCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 1000F08C
fgets.MSVCRT ref: 1000F0B8
strlen.MSVCRT ref: 1000F0C5
fclose.MSVCRT ref: 1000F0D3
IsWindow.USER32(?), ref: 1000F0E5
_snprintf.MSVCRT ref: 1000F100
GetParent.USER32(?), ref: 1000F10F
GetWindowRect.USER32(?,?), ref: 1000F11C
GetDesktopWindow.USER32 ref: 1000F129
MapWindowPoints.USER32(00000000,?,?,00000000), ref: 1000F130
InvalidateRect.USER32(00000000,?,00000001,?,?,00000000,00000000), ref: 1000F143
InvalidateRect.USER32(?,00000000,00000001,?,?,00000000,00000000), ref: 1000F14A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$Invalidate$DesktopParentPoints_snprintffclosefgetsfopenstrlen
String ID:
API String ID: 2354076619-0
Opcode ID: ff8ac7cd55449e6335657e47621336b2347caaa16744b763af299328b6a10bf9
Instruction ID: d5e92bf50daefda93c59b761fc84fd7300559553c97b7b1df5ad1a280656323f
Opcode Fuzzy Hash: ff8ac7cd55449e6335657e47621336b2347caaa16744b763af299328b6a10bf9
Instruction Fuzzy Hash: BF21EA7290027A7BEB21D760CC88BEB7BACFF04391F054855FA55E3185D7B4EA448B90

Function 100119A2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 148windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,IESuper_PROP), ref: 100119B2
PtInRect.USER32(0000014C,00000201,?), ref: 10011A5B
IsWindow.USER32(00000000), ref: 10011AD1
GetParent.USER32(00000000), ref: 10011AEB
SendMessageW.USER32(00000000), ref: 10011AF2
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000040), ref: 10011B11
GetClientRect.USER32(00000000,?), ref: 10011B1C
InvalidateRect.USER32(00000000,00000000,00000001,?), ref: 10011B42

Part of subcall function 10011B64: __EH_prolog.LIBCMT ref: 10011B69
Part of subcall function 10011B64: IsWindowVisible.USER32(?), ref: 10011B93
Part of subcall function 10011B64: wcslen.MSVCRT ref: 10011BAF
Part of subcall function 10011B64: wcscmp.MSVCRT ref: 10011BD9
Part of subcall function 10011B64: strcmp.MSVCRT ref: 10011BEF
Part of subcall function 10011B64: strcpy.MSVCRT(?,...), ref: 10011C3B
Part of subcall function 10011B64: strcpy.MSVCRT(?,1007AD3C,?,...), ref: 10011C4C

DefWindowProcW.USER32(?,?,?,?), ref: 10011B58

Strings

IESuper_PROP, xrefs: 100119AA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Rect$strcpy$ClientH_prologInvalidateMessageParentProcPropSendVisiblestrcmpwcscmpwcslen
String ID: IESuper_PROP
API String ID: 898197232-2833232946
Opcode ID: 717e8e8ebdc6cb105f52c3d7a3a870b0ff1bcf02f79262612c0216710f822bc9
Instruction ID: 241bc694b061ed1df34ef25eb05e713a3cbe8fc192728943c823c046f2f139a9
Opcode Fuzzy Hash: 717e8e8ebdc6cb105f52c3d7a3a870b0ff1bcf02f79262612c0216710f822bc9
Instruction Fuzzy Hash: A541A47160421AABDF19CFA4CD88EEE7BA9FF04340F404415F916DA191DB35DE90DB62

Function 10007CB1 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 147libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(10018030,?,00000105), ref: 10007D97
GetLastError.KERNEL32(00000020), ref: 10007DFF
SetLastError.KERNEL32(0000006F), ref: 10007DAD

Part of subcall function 10007B74: GetVersion.KERNEL32(10019650,00000000,100D6AA8,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007B8E
Part of subcall function 10007B74: GetFileAttributesW.KERNEL32(???.???,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007B9C
Part of subcall function 10007B74: GetModuleHandleA.KERNEL32(Unicows.dll,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007BA7
Part of subcall function 10007B74: GetProcAddress.KERNEL32(?,100D6AA8), ref: 10007BCF
Part of subcall function 10007B74: GetVersion.KERNEL32(10019650,00000000,100D6AA8,?,?,10007E6F,10019650,100D6AA8,FindActCtxSectionStringW,000000FF), ref: 10007BE1
Part of subcall function 10007B74: GetProcAddress.KERNEL32(?,100D6AA8), ref: 10007C04

LoadLibraryW.KERNEL32(Comctl32.dll), ref: 10007EAB

Strings

GetModuleHandleExW, xrefs: 10007D57
FindActCtxSectionStringW, xrefs: 10007E63
, xrefs: 10007DB8
QueryActCtxW, xrefs: 10007D01
Comctl32.dll, xrefs: 10007E87, 10007EA6
@, xrefs: 10007E4A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressErrorFileLastModuleProcVersion$AttributesHandleLibraryLoadName
String ID: $@$Comctl32.dll$FindActCtxSectionStringW$GetModuleHandleExW$QueryActCtxW
API String ID: 461998284-181649860
Opcode ID: c2660fc6220dddfd26a4e75448796f4a3421a6b4bc09388150eaa4e02d6bde7f
Instruction ID: 262674a30757ed6720d4f9153f58614eb5bdbee653c3820f8d7384bc79e4d6d5
Opcode Fuzzy Hash: c2660fc6220dddfd26a4e75448796f4a3421a6b4bc09388150eaa4e02d6bde7f
Instruction Fuzzy Hash: 13519270D012A89BEB51CB94CC88BEE7BB8FB0C7D0F20459AE509E6185D7789D81CF61

Function 1000B249 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 1000B28B
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 1000B2AA
ReadFile.KERNEL32(00000001,00000000,00000000,?,00000000), ref: 1000B2C3
wcscmp.MSVCRT ref: 1000B2DD
SetFilePointer.KERNEL32(00000001,?,00000000,00000001), ref: 1000B2FA
ReadFile.KERNEL32(00000001,?,?,?,00000000), ref: 1000B30B
SetFilePointer.KERNEL32(00000001,?,00000000,00000001), ref: 1000B31F
ReadFile.KERNEL32(00000001,1000AEA6,?,?,00000000), ref: 1000B331
ReadFile.KERNEL32(00000001,?,0000001C,?,00000000), ref: 1000B350

Strings

546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D, xrefs: 1000B275, 1000B2D7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$Read$Pointer$wcscmpwcslen
String ID: 546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D
API String ID: 2325216279-3524894893
Opcode ID: e106047a3323c5373c07eaf145cd9d31755cdd68cf57e1a120e58faea56fec01
Instruction ID: 2751594dc2eee26935c860ebe78387cc4884a4def531c2420c06edab76461af0
Opcode Fuzzy Hash: e106047a3323c5373c07eaf145cd9d31755cdd68cf57e1a120e58faea56fec01
Instruction Fuzzy Hash: 89513D71900219EFEB10DFA8CD85EEEBBB9FF44700F14456AEA05E7295D770AA44CB90

Function 1000741A Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 10015C34: EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,CtrlAltSave), ref: 10015C88
Part of subcall function 10015C34: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015CA7

wcscmp.MSVCRT ref: 10007477
wcscpy.MSVCRT ref: 100074BF
_snwprintf.MSVCRT ref: 100074FE
_wcsnicmp.MSVCRT ref: 10007532

Strings

http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s, xrefs: 100074ED
1.0.1.4, xrefs: 10007466, 10007475, 1000748A, 100074EB
about:, xrefs: 1000752A
InstallDone, xrefs: 10007557
OEMID, xrefs: 100074A1
Version, xrefs: 1000744B, 10007451, 1000748B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave_snwprintf_wcsnicmpwcscmpwcscpy
String ID: 1.0.1.4$InstallDone$OEMID$Version$about:$http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s
API String ID: 2182573750-116621938
Opcode ID: 2009adcab1a2f9165ea30276d99772769cdf9e1283c72bf40d6a52ebe3a29c4b
Instruction ID: c3dc4d0e86574aa862e40507dbab883597ee998fdb63e7eb0b4617acc2441f95
Opcode Fuzzy Hash: 2009adcab1a2f9165ea30276d99772769cdf9e1283c72bf40d6a52ebe3a29c4b
Instruction Fuzzy Hash: E731A275940219BBEB10DB948CC9FDEB7BCEF44391F1040A9FA09EA181E775DE908B61

Function 10015F70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 10015FD9
EnterCriticalSection.KERNEL32(100D51D0), ref: 10015FF7
LeaveCriticalSection.KERNEL32(100D51D0), ref: 10016017
wcscpy.MSVCRT ref: 10016031
wcscat.MSVCRT ref: 10016050
wcscat.MSVCRT ref: 1001605C
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1001607C
RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 1001609C
RegCloseKey.ADVAPI32(?), ref: 100160A5

Strings

Software\Phoenix, xrefs: 1001602B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSectionwcscat$CloseCreateEnterLeaveValue_snwprintfwcscpy
String ID: Software\Phoenix
API String ID: 1743565553-1254586771
Opcode ID: a2c8d786c8e757818be632aa8997f0776de83900ccd4cd8e417b57960978e5e7
Instruction ID: d7cb7911b7161f5158ff374c9c3e073410d93a27de11a1cb387b2ecfecb2aab6
Opcode Fuzzy Hash: a2c8d786c8e757818be632aa8997f0776de83900ccd4cd8e417b57960978e5e7
Instruction Fuzzy Hash: AD31BEB6901229FFDF11DFA4CC489DE7BBAEF48740F108461FA05AA151D731CA91CBA1

Function 1000E89B Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

ObtainUserAgentString.URLMON(00000000,?,00000001), ref: 1000E8F7
strstr.MSVCRT ref: 1000E910
strchr.MSVCRT ref: 1000E92A
strlen.MSVCRT ref: 1000E939
_snprintf.MSVCRT ref: 1000E95E
_snprintf.MSVCRT ref: 1000E982

Strings

User-Agent: , xrefs: 1000E8A7
%s%s; %s), xrefs: 1000E957
%s%s, xrefs: 1000E97B
Alexa Toolbar, xrefs: 1000E90A, 1000E94D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snprintf$AgentObtainStringUserstrchrstrlenstrstr
String ID: %s%s$%s%s; %s)$Alexa Toolbar$User-Agent:
API String ID: 2908084725-3491158473
Opcode ID: 7eda7acf70df89888af6dad51f14cae7136b7c597e12f4828a2c94a8cb8a91af
Instruction ID: 792dc2e78a255ea71f3ecc3c945c74fba86e47d910bdbc12d32dfa3f0aadc070
Opcode Fuzzy Hash: 7eda7acf70df89888af6dad51f14cae7136b7c597e12f4828a2c94a8cb8a91af
Instruction Fuzzy Hash: F321F176400359EAE750E754CC84BDBBBADFB45391F5080A2FA45F2152EE709F88CBA1

Function 10001271 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 77registryCOMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 100012AF
RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,000F003F,00000000,00000001,00000000), ref: 100012DA
wcslen.MSVCRT ref: 100012ED
RegSetValueExW.ADVAPI32(00000001,10021B38,00000000,00000001,00000001,00000000), ref: 1000130D
RegSetValueExW.ADVAPI32(00000001,NoExplorer,00000000,?,?,?), ref: 10001323
RegCloseKey.ADVAPI32(00000001), ref: 10001328

Strings

NoExplorer, xrefs: 10001318
IESuper, xrefs: 1000127A
%s\%s, xrefs: 1000129E
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, xrefs: 10001299

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$CloseCreate_snwprintfwcslen
String ID: %s\%s$IESuper$NoExplorer$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
API String ID: 3688209380-1152752314
Opcode ID: c23351bdd4ab3505e4951cd31d4c6e0ccb80728303b04ca3657e4f73897d1dc1
Instruction ID: e72ab39629c25fa501e117f32195636787e00f3124eba527bb11e83de44ffcb3
Opcode Fuzzy Hash: c23351bdd4ab3505e4951cd31d4c6e0ccb80728303b04ca3657e4f73897d1dc1
Instruction Fuzzy Hash: 87214AB5500218BFEB218F54DC89EEE3B6CEB48394F108066FA18AA051D771DF949B61

Function 10015A13 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(10015409,00000000), ref: 10015A22
SetFileAttributesW.KERNEL32(10015409,00000080), ref: 10015A35
_wfopen.MSVCRT ref: 10015A41
fwrite.MSVCRT ref: 10015A65
fwprintf.MSVCRT ref: 10015A89
fwprintf.MSVCRT ref: 10015A9F
fclose.MSVCRT ref: 10015AB7
SetFileAttributesW.KERNEL32(10015409,?), ref: 10015AC2

Strings

%s, xrefs: 10015A97
%s, xrefs: 10015A81

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AttributesFile$fwprintf$_wfopenfclosefwrite
String ID: %s$%s
API String ID: 3084314073-1034283145
Opcode ID: f37075ef6bb02d8a883bfe5a24665bdde7d22ac156bfa28337958422527dc9fb
Instruction ID: 6d6b312b85caf28c44908223d0d2ae6ef43f492e14a8e106597987d8e91fcee9
Opcode Fuzzy Hash: f37075ef6bb02d8a883bfe5a24665bdde7d22ac156bfa28337958422527dc9fb
Instruction Fuzzy Hash: 9021CD32940225FFEB01DB54DC84A8E7BB8FF08711F998154FD05BB151E732EA909B81

Function 10002F5A Relevance: 16.7, APIs: 11, Instructions: 157stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002F78
lstrlenW.KERNEL32(?,?,?,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002F95
wcsstr.MSVCRT ref: 10002FBA
lstrlenW.KERNEL32(74DEE0B0,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002FD2
memcpy.MSVCRT(?,?,00000001,00000000,?,?,?,10001DDB,%%s), ref: 1000303A
InterlockedDecrement.KERNEL32(?), ref: 1000304E

Part of subcall function 10017F85: free.MSVCRT ref: 10017F89

wcsstr.MSVCRT ref: 10003076
memmove.MSVCRT(?,10021B40,00000000,?,00000000,?,?,?,10001DDB,%%s), ref: 100030AC
memcpy.MSVCRT(00000000,?,?,?,00000000,?,?,?,10001DDB,%%s), ref: 100030B9
wcsstr.MSVCRT ref: 100030D0
lstrlenW.KERNEL32(?,?,00000000,?,?,?,10001DDB,%%s), ref: 100030E3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$wcsstr$memcpy$DecrementInterlockedfreememmove
String ID:
API String ID: 847128442-0
Opcode ID: 6d5efb2402bd9b856868ebe720075f9829beb4bb3f54ae8abb1505e58f53c1a6
Instruction ID: b2f17ea5e205cc9f332a867d5bf79394d763587bb4bb3863110206697801a40c
Opcode Fuzzy Hash: 6d5efb2402bd9b856868ebe720075f9829beb4bb3f54ae8abb1505e58f53c1a6
Instruction Fuzzy Hash: F0517135E0121BEFDF12CF98C9848AEBBB9FF48390B118529E901A7214D730AA51CF90

Function 1000A65A Relevance: 16.6, APIs: 11, Instructions: 140networkstringCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,10000000), ref: 1000A672
wcslen.MSVCRT ref: 1000A6A4
wcslen.MSVCRT ref: 1000A6BE
wcslen.MSVCRT ref: 1000A6DD
wcslen.MSVCRT ref: 1000A6F7
InternetSetStatusCallbackW.WININET(1BE85000,10009372), ref: 1000A717
InternetConnectW.WININET(1BE85000,55FFDEF7,?,00000000,00000000,00000003,00000000,10009749), ref: 1000A739
wcslen.MSVCRT ref: 1000A753
lstrlenW.KERNEL32(00056064,00000000,00000000,00000003,00000000,10009749), ref: 1000A76A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000002,00000000,00000000), ref: 1000A791
InternetSetOptionA.WININET(1BE85000,00000026,00000000,0000000C), ref: 1000A7AC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcslen$Internet$ByteCallbackCharConnectMultiOpenOptionStatusWidelstrlen
String ID:
API String ID: 3074031220-0
Opcode ID: da8807fcc53b3e7d26aade6c4de52572b3b524a7bd0c0df054048714a3877b7c
Instruction ID: 37e1e7f0be21ef02731ed74112cd410c3b292f2b9af27fdc501fb5ea2f93a1a3
Opcode Fuzzy Hash: da8807fcc53b3e7d26aade6c4de52572b3b524a7bd0c0df054048714a3877b7c
Instruction Fuzzy Hash: D5416FB2900209AFEB20DFA5CC84F9ABBF8EF44395F108529E905D7250D771EA85CB60

Function 10011841 Relevance: 16.6, APIs: 11, Instructions: 122COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 10011852
GetClientRect.USER32(?,?), ref: 10011870
EndPaint.USER32(?,?), ref: 10011998

Part of subcall function 10011E73: GetSysColor.USER32(0000000F), ref: 10011E76
Part of subcall function 10011E73: CreateSolidBrush.GDI32(00000000), ref: 10011E7D
Part of subcall function 10011E73: FillRect.USER32(?,?,00000000), ref: 10011E92
Part of subcall function 10011E73: DeleteObject.GDI32(00000000), ref: 10011E99

Part of subcall function 10014DE5: GetDesktopWindow.USER32 ref: 10014E0C
Part of subcall function 10014DE5: GetDC.USER32(00000000), ref: 10014E15
Part of subcall function 10014DE5: GetDeviceCaps.GDI32(00000000,00000058), ref: 10014E26
Part of subcall function 10014DE5: GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014E2E
Part of subcall function 10014DE5: ReleaseDC.USER32(00000000,00000000), ref: 10014E34
Part of subcall function 10014DE5: MulDiv.KERNEL32(00001000,00000000,000009EC), ref: 10014E4A
Part of subcall function 10014DE5: MulDiv.KERNEL32(00001000,00000065,000009EC), ref: 10014E56

InflateRect.USER32(?,00000000,?), ref: 100118EA

Part of subcall function 10014C35: GetDeviceCaps.GDI32(?,00000058), ref: 10014C99
Part of subcall function 10014C35: GetDeviceCaps.GDI32(?,0000005A), ref: 10014CA3
Part of subcall function 10014C35: MulDiv.KERNEL32(?,00000000,000009EC), ref: 10014CB5
Part of subcall function 10014C35: MulDiv.KERNEL32(?,?,000009EC), ref: 10014CC1

CopyRect.USER32(?,?), ref: 1001191E
SelectObject.GDI32(?,?), ref: 10011929
SetBkMode.GDI32(?,00000001), ref: 10011937
InflateRect.USER32(?,000000FF,000000FF), ref: 10011945
CopyRect.USER32(?,?), ref: 1001194F

Part of subcall function 100117DB: CopyRect.USER32(?,?), ref: 100117EB
Part of subcall function 100117DB: SetTextColor.GDI32(?,00000000), ref: 100117F6
Part of subcall function 100117DB: strrchr.MSVCRT ref: 10011802
Part of subcall function 100117DB: DrawTextA.USER32(?,00000001,000000FF,?,00008025), ref: 1001181E

OffsetRect.USER32(?,00000010,00000000), ref: 10011970

Part of subcall function 1001172E: SetTextColor.GDI32(?,00000000), ref: 1001173F
Part of subcall function 1001172E: strlen.MSVCRT ref: 10011749

SelectObject.GDI32(?,?), ref: 1001198A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$CapsDevice$ColorCopyObjectText$InflatePaintSelect$BeginBrushClientCreateDeleteDesktopDrawFillModeOffsetReleaseSolidWindowstrlenstrrchr
String ID:
API String ID: 138720359-0
Opcode ID: 6bc168d3b454dd054c990810defab10e784f9ae2a5dc7a00f0ce03add5036c5d
Instruction ID: 5477f09a8fa13247e38320470a56978fba10315a5634d6f95764bf28e66d5ce6
Opcode Fuzzy Hash: 6bc168d3b454dd054c990810defab10e784f9ae2a5dc7a00f0ce03add5036c5d
Instruction Fuzzy Hash: E941C67690022CAFDF01DFE4CD85DEEBBB9FB08314F14452AE551A2260DB35AA549B60

Function 10012DE3 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 252COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012DE8
CoInternetCombineUrl.URLMON(?,?,00000000,?,00000824,?,00000000), ref: 10012F2E

Strings

`<u, xrefs: 10012FD1, 10012FFC, 1001302C
none, xrefs: 1001306C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CombineH_prologInternet
String ID: `<u$none
API String ID: 846079668-2033039441
Opcode ID: fa3c9f7e94ceec167a09dbf0be3b138a64f1ec8145d66f16c5ec53991eec5527
Instruction ID: 9283e103065fb5242d3d55d2629bf4603cec208effc82b596654512e82227f78
Opcode Fuzzy Hash: fa3c9f7e94ceec167a09dbf0be3b138a64f1ec8145d66f16c5ec53991eec5527
Instruction Fuzzy Hash: 76A1D57590024AEFDF01DFA4C8949AEBBF9FF48244F10846DE509AB251C735EE85CB61

Function 100051BD Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100051C2
IsWindow.USER32(00000000), ref: 100052E5
GetPropW.USER32(00000000,EDIT_CLASSPROC), ref: 100052F6
GetWindowLongW.USER32(00000000,000000FC), ref: 10005303
SetPropW.USER32(00000000,EDIT_CLASSPROC,00000000), ref: 1000530C
SetWindowLongW.USER32(00000000,000000FC,Function_00005095), ref: 1000531A
DestroyWindow.USER32(?,?,?,00000000), ref: 1000533B
RevokeDragDrop.OLE32(00000000), ref: 10005357

Part of subcall function 100049B8: SHGetValueW.SHLWAPI(80000002,Software\Microsoft\Internet Explorer,Version,?,?,?), ref: 100049ED

Strings

EDIT_CLASSPROC, xrefs: 100052EF, 100052F4, 1000530A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$LongProp$DestroyDragDropH_prologRevokeValue
String ID: EDIT_CLASSPROC
API String ID: 2933101563-4141746711
Opcode ID: ba55ef09d3dd67c40e8e00e8d1476fb980f114a742426f17d8594d958cd2491c
Instruction ID: 2fcabe81f7afa31ee6257b13942f98ea085c36c191ef97c013a31877390e713e
Opcode Fuzzy Hash: ba55ef09d3dd67c40e8e00e8d1476fb980f114a742426f17d8594d958cd2491c
Instruction Fuzzy Hash: 2D516C75600606AFEB00DBA0CC89EAFB7F8EF45396B104518F516EB195DB35EE41CB60

Function 1000465B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10004693
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 100046B7
_snwprintf.MSVCRT ref: 100046D0
memset.MSVCRT ref: 100047A7
memset.MSVCRT ref: 100047B9

Part of subcall function 10015571: wcschr.MSVCRT ref: 100155B2
Part of subcall function 10015571: _snwprintf.MSVCRT ref: 100155E3
Part of subcall function 10015571: wcslen.MSVCRT ref: 100155F4
Part of subcall function 10015571: _snwprintf.MSVCRT ref: 10015615
Part of subcall function 10015571: wcslen.MSVCRT ref: 10015623

Part of subcall function 10015413: free.MSVCRT ref: 10015458
Part of subcall function 10015413: free.MSVCRT ref: 1001545B
Part of subcall function 10015413: free.MSVCRT ref: 1001546A
Part of subcall function 10015413: free.MSVCRT ref: 1001546D
Part of subcall function 10015413: free.MSVCRT ref: 10015479

LoadStringW.USER32(00000080,?,00000104), ref: 10004836

Part of subcall function 100169C2: memset.MSVCRT ref: 100169D0
Part of subcall function 100169C2: LoadStringW.USER32(?,100D55FC,00000808,10004845), ref: 100169E8

GetForegroundWindow.USER32(?,00000000,00000040), ref: 1000484E
MessageBoxW.USER32(00000000), ref: 10004855

Strings

rename, xrefs: 10004757, 1000476F, 100047D7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: free$_snwprintfmemset$LoadStringwcslen$ByteCharForegroundMessageMultiWideWindowlstrlenwcschr
String ID: rename
API String ID: 3345917827-3650966606
Opcode ID: 61c17cbd3f8f3f0797bdfadf80c89ca614718cd36e353b7427c88971a0147cf2
Instruction ID: 2e7df9d5ca348340b6ace4491b1211ebf1bae5670c5fdcb29735b6521ca33eb5
Opcode Fuzzy Hash: 61c17cbd3f8f3f0797bdfadf80c89ca614718cd36e353b7427c88971a0147cf2
Instruction Fuzzy Hash: 94515EB680025DABEB10DFA0CC84EDB77BDEB58340F0045A6F619E6150EB71AB958B61

Function 100163E8 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 100163F6

Part of subcall function 10016305: __EH_prolog.LIBCMT ref: 1001630A
Part of subcall function 10016305: _snprintf.MSVCRT ref: 1001635C
Part of subcall function 10016305: strlen.MSVCRT ref: 10016373
Part of subcall function 10016305: _snprintf.MSVCRT ref: 10016398
Part of subcall function 10016305: strlen.MSVCRT ref: 100163BA

time.MSVCRT(100054B3,?,00000103,75BFA9E0,?,00000000), ref: 10016454
sprintf.MSVCRT ref: 10016472
sprintf.MSVCRT ref: 100164AB

Part of subcall function 10016183: __EH_prolog.LIBCMT ref: 10016188
Part of subcall function 10016183: _snprintf.MSVCRT ref: 100161E9
Part of subcall function 10016183: strlen.MSVCRT ref: 100161F2
Part of subcall function 10016183: memset.MSVCRT ref: 1001623F
Part of subcall function 10016183: memset.MSVCRT ref: 10016251
Part of subcall function 10016183: _snprintf.MSVCRT ref: 1001626D
Part of subcall function 10016183: strlen.MSVCRT ref: 10016273
Part of subcall function 10016183: strlen.MSVCRT ref: 10016281

memset.MSVCRT ref: 100164EB
strcat.MSVCRT(?,?), ref: 10016530
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,100D53F4,00000104), ref: 1001654A

Strings

%010d, xrefs: 1001646C
%s%s, xrefs: 100164A5

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$_snprintf$memset$H_prologsprintf$ByteCharMultiWidestrcattimewcslen
String ID: %010d$%s%s
API String ID: 3563286978-3259706221
Opcode ID: 9a034cfb2dece5bd9101b85ee98e209b3bf651a8fa39b2a4316428543956fcca
Instruction ID: 50fa30f9a303f6958c7129615a0342eba5a65ce557ac8a8b3d5a6dfe264c6ea2
Opcode Fuzzy Hash: 9a034cfb2dece5bd9101b85ee98e209b3bf651a8fa39b2a4316428543956fcca
Instruction Fuzzy Hash: 9D41E97690426CBADF11C7A8CC44BDA7B7CEB4D200F1449F6E695E3142D9709BC98FA1

Function 10015E3C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,?), ref: 10015EAF
LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015ED4
wcslen.MSVCRT ref: 10015EE5
_wtoi.MSVCRT(00000000), ref: 10015EF7
wcscpy.MSVCRT ref: 10015F18
wcscat.MSVCRT ref: 10015F37
wcscat.MSVCRT ref: 10015F43
SHGetValueW.SHLWAPI(?,?,00000000,100D7010,1000CCAA,?), ref: 10015F60

Strings

Software\Phoenix, xrefs: 10015F12

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSectionwcscat$EnterLeaveValue_wtoiwcscpywcslen
String ID: Software\Phoenix
API String ID: 2042871727-1254586771
Opcode ID: 78c4e484f15843590b2e3963bb8cdefe866adc528ac008706ec74dea7ebb0544
Instruction ID: 430309ff03f6844c4a571d4883ba351433d4d4f10e0557e914896dfc4882fc61
Opcode Fuzzy Hash: 78c4e484f15843590b2e3963bb8cdefe866adc528ac008706ec74dea7ebb0544
Instruction Fuzzy Hash: BB312C7290022DEBDF10DFA4CC84ADA77A9FB04301F5444BAFA05DA191EB71DAC58B90

Function 1000E430 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 1000E47F
SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,1000E60A,00000103), ref: 1000E4A3
_snwprintf.MSVCRT ref: 1000E4BD
SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,1000E60A,00000103), ref: 1000E4DE
_snwprintf.MSVCRT ref: 1000E516
SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,00000000,00000103), ref: 1000E53F

Strings

CLSID\%s\TreatAs, xrefs: 1000E501
CLSID\%s\InprocServer32, xrefs: 1000E45C
CLSID\%s\LocalServer32, xrefs: 1000E4B2

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value_snwprintf
String ID: CLSID\%s\InprocServer32$CLSID\%s\LocalServer32$CLSID\%s\TreatAs
API String ID: 1829442792-974010182
Opcode ID: 4d37db50f89a6f71a125b548c5694da1969e69eccc5d7473370f8ed9ae322ed1
Instruction ID: 42220924a36aa568aa0cc18fdd0ffb9106da59589720bf6db91707bd294400dc
Opcode Fuzzy Hash: 4d37db50f89a6f71a125b548c5694da1969e69eccc5d7473370f8ed9ae322ed1
Instruction Fuzzy Hash: 2A310C7290021DFAEB11DB94CC94FDE77BCFB08344F1044A6FA14A7150EBB1AB949BA1

Function 100055F2 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 10005626
_wcsicmp.MSVCRT ref: 1000565A
GetPrivateProfileStringW.KERNEL32(InternetShortcut,URL,10021B38,?,00000824,?), ref: 10005682
wcslen.MSVCRT ref: 10005695
wcscmp.MSVCRT ref: 100056EC

Strings

.url, xrefs: 10005654
InternetShortcut, xrefs: 1000567D
URL, xrefs: 10005678
about:blank, xrefs: 100056E0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: PrivateProfileString_wcsicmpwcscmpwcslenwcsrchr
String ID: .url$InternetShortcut$URL$about:blank
API String ID: 2807353217-2247775410
Opcode ID: 56ffe678502d2e7c9963acb65c8d370fdd07778225ec8c66342c7c3a5ae6bbc7
Instruction ID: 3e980aca85b5cf87b09dd2b4bff74a66709968ddb6ef275962bf4dc3f9cff62a
Opcode Fuzzy Hash: 56ffe678502d2e7c9963acb65c8d370fdd07778225ec8c66342c7c3a5ae6bbc7
Instruction Fuzzy Hash: C031F876A00215EBFB10CB659C84BDB73B8EB14792F50446AFA09D7085EB759D81CA60

Function 1000A7C3 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 1000A820
HttpOpenRequestW.WININET(000001B4,GET,?,HTTP/1.1,00000000,1001FCD0,8400C300,10009973), ref: 1000A858
memset.MSVCRT ref: 1000A873
wcslen.MSVCRT ref: 1000A8C1
InternetSetOptionW.WININET(75FF62EB,00000002,00000000,?), ref: 1000A8DD
HttpSendRequestExW.WININET(75FF62EB,?,00000000,00000001,10009973), ref: 1000A8EF

Strings

HTTP/1.1, xrefs: 1000A84A
GET, xrefs: 1000A850
%s%s, xrefs: 1000A80F

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: HttpRequest$InternetOpenOptionSend_snwprintfmemsetwcslen
String ID: %s%s$GET$HTTP/1.1
API String ID: 2398291608-839821704
Opcode ID: 34d8367aa34fe2f217338dba1b45b340d54f44469488f3cd6152496bd7ee69f8
Instruction ID: 88d80f576f7775d663daabae34114e470464a7dcadf3b90ebfdc704fc9b8f255
Opcode Fuzzy Hash: 34d8367aa34fe2f217338dba1b45b340d54f44469488f3cd6152496bd7ee69f8
Instruction Fuzzy Hash: 42317975901218ABEB21CF94CD55EDAB7BCEF04740F0081AAFA05E7290D770AB85CBA1

Function 10003201 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 10003B2D: DeleteFileW.KERNEL32(?), ref: 10003B79
Part of subcall function 10003B2D: DeleteFileW.KERNEL32(?), ref: 10003B8C
Part of subcall function 10003B2D: PathCombineW.SHLWAPI(?,?,..\,?,?), ref: 10003BEA
Part of subcall function 10003B2D: RemoveDirectoryW.KERNEL32(?), ref: 10003BF7

memset.MSVCRT ref: 10003226

Part of subcall function 100031A8: time.MSVCRT(?), ref: 100031B5
Part of subcall function 100031A8: GetTickCount.KERNEL32 ref: 100031D3

time.MSVCRT(?), ref: 10003255

Part of subcall function 10015F70: _snwprintf.MSVCRT ref: 10015FD9
Part of subcall function 10015F70: EnterCriticalSection.KERNEL32(100D51D0), ref: 10015FF7
Part of subcall function 10015F70: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10016017

Part of subcall function 10015C05: EnterCriticalSection.KERNEL32(100D51D0,?,80000001,10003274,00000000,LastCheckUpdate,?,80000001), ref: 10015C1C
Part of subcall function 10015C05: LeaveCriticalSection.KERNEL32(100D51D0,?,80000001,10003274,00000000,LastCheckUpdate,?,80000001), ref: 10015C2B

Part of subcall function 10015C34: EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,CtrlAltSave), ref: 10015C88
Part of subcall function 10015C34: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015CA7

wcscpy.MSVCRT ref: 1000329F
_snwprintf.MSVCRT ref: 100032E0

Strings

LastCheckUpdate, xrefs: 10003264
ini, xrefs: 100032FB
http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s, xrefs: 100032CF
1.0.1.4, xrefs: 100032C9
OEMID, xrefs: 10003281

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteFile_snwprintftime$CombineCountDirectoryPathRemoveTickmemsetwcscpy
String ID: 1.0.1.4$LastCheckUpdate$OEMID$http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s$ini
API String ID: 1775599980-757802540
Opcode ID: 745ee946320c47f2ef5e2d472f529d2f80246eba14e6cd3de38a977323aa7136
Instruction ID: 7d42bc31ee3b9d85fa5ee47e6d76bd14f22cf33f29602e7dda6b29437f5fdaf5
Opcode Fuzzy Hash: 745ee946320c47f2ef5e2d472f529d2f80246eba14e6cd3de38a977323aa7136
Instruction Fuzzy Hash: 7321607694021CBBEB01DBA48CC5DDEB7ACEB08381F008466FA05EA150E675EFD08B60

Function 1000B0A0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 1000B0D9
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 1000B0F6
ReadFile.KERNEL32(00000001,00000000,00000000,00000000,00000000), ref: 1000B109
wcscmp.MSVCRT ref: 1000B120
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000001), ref: 1000B13B
ReadFile.KERNEL32(00000001,00000000,?,00000000,00000000), ref: 1000B14B
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000001), ref: 1000B162
SetEndOfFile.KERNEL32(00000001), ref: 1000B167

Strings

546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D, xrefs: 1000B0D0, 1000B11A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pointer$Read$wcscmpwcslen
String ID: 546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D
API String ID: 1967036591-3524894893
Opcode ID: ac25d14ac29bbfbc2440272b6122b4f0922d6c564756a2e6f0ce5c214600a649
Instruction ID: 40bd077d38ec406fd42c60b8de5603268750d82301ff60325134a394b7e5f073
Opcode Fuzzy Hash: ac25d14ac29bbfbc2440272b6122b4f0922d6c564756a2e6f0ce5c214600a649
Instruction Fuzzy Hash: BF21397650021DBFFB10DBA8DC89FEAB7BCEB04754F204565F612E21A0D7B0AE848B10

Function 1000D951 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\SearchScopes,00000000,000F003F,?,?,?,?,1000DAB5,baidu,baidu,baidu,http://www.baidu.com/baidu?word={searchTerms}&tn=sper_dg,936,00000000,1000708A), ref: 1000D96B
wcslen.MSVCRT ref: 1000D979
RegSetValueExW.ADVAPI32(?,DefaultScope,00000000,00000001,?,00000000,?,?,1000DAB5,baidu,baidu,baidu,http://www.baidu.com/baidu?word={searchTerms}&tn=sper_dg,936,00000000,1000708A), ref: 1000D998
RegSetValueExW.ADVAPI32(?,Version,00000000,?,?,?,?,?,1000DAB5,baidu,baidu,baidu,http://www.baidu.com/baidu?word={searchTerms}&tn=sper_dg,936,00000000,1000708A), ref: 1000D9B3
RegCloseKey.ADVAPI32(?,?,?,1000DAB5,baidu,baidu,baidu,http://www.baidu.com/baidu?word={searchTerms}&tn=sper_dg,936,00000000,1000708A), ref: 1000D9B8

Strings

baidu, xrefs: 1000D975
DefaultScope, xrefs: 1000D990
Version, xrefs: 1000D9A4
Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 1000D961

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value$CloseOpenwcslen
String ID: DefaultScope$Software\Microsoft\Internet Explorer\SearchScopes$Version$baidu
API String ID: 408229474-3224644069
Opcode ID: 5acd898d2e7d3a1331839a72aa98d3634645d241053296628396b3ece70b0826
Instruction ID: 041ff5215f9318d7f2bcf55f0b34fdfe0da709ea8d36d09fa40bfdd46573029e
Opcode Fuzzy Hash: 5acd898d2e7d3a1331839a72aa98d3634645d241053296628396b3ece70b0826
Instruction Fuzzy Hash: 14F01D71540218FEFB219B80DC4AFED7F69EB04750F144055FB05B90A1D7B2EB84EAA4

Function 100142B5 Relevance: 15.2, APIs: 10, Instructions: 161windowkeyboardCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 1001431B
SetCursor.USER32(00000000), ref: 10014322
DestroyIcon.USER32(?), ref: 1001432B
ReleaseCapture.USER32 ref: 10014334
SendMessageW.USER32(?,00000204,?,?), ref: 1001438C
GetKeyState.USER32(00000002), ref: 1001440B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Cursor$CaptureDestroyIconLoadMessageReleaseSendState
String ID:
API String ID: 2236583103-0
Opcode ID: 330f49f157f7bbd80458c145b2e14f2f41c9089ccd4ef7afbcd62e317c4c80db
Instruction ID: 61d64a25c4f83d0d78c329bc2ea95db1b35683742148c3f339910fa829cec3c5
Opcode Fuzzy Hash: 330f49f157f7bbd80458c145b2e14f2f41c9089ccd4ef7afbcd62e317c4c80db
Instruction Fuzzy Hash: 7251D4B1504706DFD720CFA5C984A9ABBF5FF08754B12462EE5969B6A1CB30F981CF10

Function 1000E9E7 Relevance: 15.1, APIs: 10, Instructions: 148stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000EA3E
lstrlenA.KERNEL32(00000000,00000001), ref: 1000EA8A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 1000EAB1

Part of subcall function 1000929B: WaitForSingleObject.KERNEL32(?,000000FF,1007B388,00000001,1000EB98,?,?,00000001), ref: 100092A9
Part of subcall function 1000929B: CloseHandle.KERNEL32(?,1007B388,00000001,1000EB98,?,?,00000001), ref: 100092B8
Part of subcall function 1000929B: CloseHandle.KERNEL32(?,?,00000001), ref: 100092CA

GetUrlCacheEntryInfoW.WININET(00000001,00000000,?), ref: 1000EAE6
GetLastError.KERNEL32(?,00000001), ref: 1000EAF0
??2@YAPAXI@Z.MSVCRT(?,?,00000001), ref: 1000EAFE
memset.MSVCRT ref: 1000EB0F
GetUrlCacheEntryInfoW.WININET(00000001,00000000,?), ref: 1000EB24
_snwprintf.MSVCRT ref: 1000EB52
CreateUrlCacheEntryW.WININET(00000001,00000000,?,?,00000000), ref: 1000EB72

Part of subcall function 10008D1B: memset.MSVCRT ref: 10008DC9
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008DDB
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E6D
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E7B
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E8E
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E9C
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008EAD

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CacheEntry$CloseHandleInfo$??2@ByteCharCreateErrorLastMultiObjectSingleWaitWide_snwprintflstrlen
String ID:
API String ID: 1214147213-0
Opcode ID: e87264aef2605b24b9e99a3b1ee1f45da7371a4d57d1b10b988b99638088e18f
Instruction ID: c1962d975449f2a1d9344cba3a3e4b000cb304cf596abcbc8ccd83e3becbab52
Opcode Fuzzy Hash: e87264aef2605b24b9e99a3b1ee1f45da7371a4d57d1b10b988b99638088e18f
Instruction Fuzzy Hash: 8C519C7160025AAFFF01DF64CC85AAE7BA9FF043D4F004029FD05A6255DB35DEA18BA2

Function 10008D1B Relevance: 15.1, APIs: 12, Instructions: 133COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10008DC9
memset.MSVCRT ref: 10008DDB
memset.MSVCRT ref: 10008E6D
memset.MSVCRT ref: 10008E7B
memset.MSVCRT ref: 10008E8E
memset.MSVCRT ref: 10008E9C
memset.MSVCRT ref: 10008EAD
memset.MSVCRT ref: 10008EBF
memset.MSVCRT ref: 10008ED1
memset.MSVCRT ref: 10008EDF
memset.MSVCRT ref: 10008EED
memset.MSVCRT ref: 10008EFB

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9851a4b72cba576664b6b19cbcbb6598462dc8adb75805fe32f2cb54c7c2b05a
Instruction ID: 7b3adab1c3c7a685ba35d06af9880b86c69ef0e99f1814255cf0ada1d53eb115
Opcode Fuzzy Hash: 9851a4b72cba576664b6b19cbcbb6598462dc8adb75805fe32f2cb54c7c2b05a
Instruction Fuzzy Hash: 3051BCB5401B449EC325DF6AC8898C3FFECEF95751B04895FA5AAC7262D674A248CF20

Function 1001457B Relevance: 15.1, APIs: 10, Instructions: 97stringwindowCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 100145DF
strcmp.MSVCRT ref: 100145F3
SetCursor.USER32(10020B58,00000000,?,00000000), ref: 10014637
LoadCursorW.USER32(00000000,00007F00), ref: 10014646
SetCursor.USER32(00000000,?,00000000), ref: 1001464D
DestroyIcon.USER32(10020B58,?,00000000), ref: 10014652
SetCursor.USER32(00000000,10020B5C,00000000,00000001,00000000,?,00000000), ref: 1001466D
LoadCursorW.USER32(00000000,00007F00), ref: 10014686
SetCursor.USER32(00000000,?,00000000), ref: 1001468D
DestroyIcon.USER32(10020B58,?,00000000), ref: 10014692

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Cursor$DestroyIconLoadstrcmp
String ID:
API String ID: 1353087312-0
Opcode ID: c835600c5c6e773bf22387af5db7e8b8e35749f5b108a45f46f61871c80847dc
Instruction ID: 01cb1ad8a4fb792151639ddb52bb88d78a0713511329582cf2d4d0324858e437
Opcode Fuzzy Hash: c835600c5c6e773bf22387af5db7e8b8e35749f5b108a45f46f61871c80847dc
Instruction Fuzzy Hash: 1C318971800348AFCF61DFA0DD8498EBBB9FF05349B92942DF502AA961CB75E580CF55

Function 10014B08 Relevance: 15.1, APIs: 10, Instructions: 79commemoryCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10014B31
memset.MSVCRT ref: 10014B46
GlobalAlloc.KERNEL32(00000002,1001158D,?,000000E0,IMG), ref: 10014B51
GlobalLock.KERNEL32(00000000), ref: 10014B5E
memcpy.MSVCRT(00000000,?,1001158D), ref: 10014B69
GlobalUnlock.KERNEL32(00000000), ref: 10014B72
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 10014B7F
OleLoadPicture.OLEAUT32(?,1001158D,00000000,1001AE54,00000000), ref: 10014B94
FreeResource.KERNEL32(00000000), ref: 10014BAF
free.MSVCRT ref: 10014BBC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Global$AllocCreateFreeLoadLockPictureResourceStreamUnlockfreemallocmemcpymemset
String ID:
API String ID: 826774789-0
Opcode ID: e5be7d76e7c593e3cafe178260c972538e5c971c4afbf86618dad850ddb1fd3b
Instruction ID: 4d3ad8590f7446dae0e15ba72b575f9fe52094a5ce11bbc6a25c07874c5a9576
Opcode Fuzzy Hash: e5be7d76e7c593e3cafe178260c972538e5c971c4afbf86618dad850ddb1fd3b
Instruction Fuzzy Hash: 40214C7190422ABFEB01DF65CCC8E9B37ADEF45654F118054F905D6160DB74CA848B60

Function 10009BD0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 10009BEA

Part of subcall function 1000ACAB: HttpQueryInfoW.WININET(CE8B5300,20000013,00000004,00000000,74DF23A0), ref: 1000ACDB

Part of subcall function 1000B735: HttpQueryInfoW.WININET(?,0000002F,?,74DF23A0,74DF23A0), ref: 1000B76D

Part of subcall function 1000ABE3: HttpQueryInfoW.WININET(0000242C,00000005,?,00000208,10009DB3), ref: 1000AC45
Part of subcall function 1000ABE3: _wtoi64.MSVCRT ref: 1000AC56

Part of subcall function 1000B7A5: HttpQueryInfoW.WININET(?,00000012,?,74DF23A0,00000000), ref: 1000B819
Part of subcall function 1000B7A5: wcscmp.MSVCRT ref: 1000B82B
Part of subcall function 1000B7A5: memset.MSVCRT ref: 1000B840
Part of subcall function 1000B7A5: HttpQueryInfoW.WININET(?,0000002A,?,74DF23A0,00000000), ref: 1000B863

Part of subcall function 1000ACF0: HttpQueryInfoW.WININET(?,4000000B,74DF23A0,74DF23A0,74DF23A0), ref: 1000AD29
Part of subcall function 1000ACF0: SystemTimeToFileTime.KERNEL32(?,?), ref: 1000AD3E

_snwprintf.MSVCRT ref: 10009CE2
memset.MSVCRT ref: 10009CF5
GetTempPathW.KERNEL32(00000103,?,?,74DF23A0,74DF23A0,74DF23A0,74DF23A0,74DF23A0,74DF23A0), ref: 10009D27
GetTickCount.KERNEL32 ref: 10009D34
GetTempFileNameW.KERNEL32(?,1001FCAC,00000000,?,74DF23A0,74DF23A0,74DF23A0,74DF23A0,74DF23A0,74DF23A0), ref: 10009D47
InternetSetOptionW.WININET(?,00000006,?,?), ref: 10009E7C

Strings

N, xrefs: 10009E75

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: HttpInfoQuery$CountFileTempTickTimememset$InternetNameOptionPathSystem_snwprintf_wtoi64wcscmp
String ID: N
API String ID: 2411806375-1161386698
Opcode ID: f9b21416c935fd72921a59e9a8489c0c7be56b8f326805df3cab7e10876c1b6a
Instruction ID: 51eee44b8cd62c6fc8be39f27ded0c3145f9c2974cdd1ac16d276f266803e20b
Opcode Fuzzy Hash: f9b21416c935fd72921a59e9a8489c0c7be56b8f326805df3cab7e10876c1b6a
Instruction Fuzzy Hash: E091D570600B00DFEB11DF34C888A9A77E9FF45780F11451AE95ACB29ADB70E985CF55

Function 1000206D Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(TheWorldAttributeTop), ref: 10002087
GetCursorPos.USER32(?), ref: 1000215F
ScreenToClient.USER32(?,?), ref: 1000216C

Strings

TheWorldAttributeLeft, xrefs: 1000207B
`<u, xrefs: 10002228, 10002236, 10002244

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AllocClientCursorScreenString
String ID: TheWorldAttributeLeft$`<u
API String ID: 1441065683-912366966
Opcode ID: 475afde7d3ac2ee1c19272c4e87d99698bcf64c814d7271224b73604d8c0c971
Instruction ID: 94f80880a675eb6d692bd15390044589e482301641c191283574564aca071fd3
Opcode Fuzzy Hash: 475afde7d3ac2ee1c19272c4e87d99698bcf64c814d7271224b73604d8c0c971
Instruction Fuzzy Hash: 7C515C3290020ABBEF51DFA0DD85AEE7BF9FF08390F218129F915A60A5DB359D41DB50

Function 10011D75 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 10011D8A
strcpy.MSVCRT(?,00000001), ref: 10011DBE
strlen.MSVCRT ref: 10011DE4
_snprintf.MSVCRT ref: 10011E05
lstrlenA.KERNEL32(?), ref: 10011E29
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 10011E51
wcscpy.MSVCRT ref: 10011E5E

Strings

Google:%s Alexa:%s, xrefs: 10011DFA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide_snprintflstrlenstrcpystrlenstrrchrwcscpy
String ID: Google:%s Alexa:%s
API String ID: 3971068601-370908538
Opcode ID: e61a882ba708f357a55cc0f670c51e92621bab9532c50317501d5611e1c533bc
Instruction ID: 06e45fc9cc62fe1272a8eae87e1412f65e88f1433bfc8b16b868dba0837ceb1c
Opcode Fuzzy Hash: e61a882ba708f357a55cc0f670c51e92621bab9532c50317501d5611e1c533bc
Instruction Fuzzy Hash: B921D677900228BBDB10CBA4DC85ECB7BACEF49350F1140A5FA49D7141EA30DBC88BA1

Function 1000B172 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002,?,?,?,?), ref: 1000B1A5
WriteFile.KERNEL32(00000001,00000000,?,?,00000000,?), ref: 1000B1C9
WriteFile.KERNEL32(00000001,?,0000001C,?,00000000), ref: 1000B1FF
WriteFile.KERNEL32(00000001,00000000,?,?,00000000), ref: 1000B21D
wcslen.MSVCRT ref: 1000B225
WriteFile.KERNEL32(00000001,546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D,00000000,?,00000000), ref: 1000B239
SetEndOfFile.KERNEL32(00000001), ref: 1000B23F

Strings

546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D, xrefs: 1000B21F, 1000B224, 1000B235

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$Write$Pointerwcslen
String ID: 546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D
API String ID: 1802139292-3524894893
Opcode ID: 5b194ba5d04bcb10eb10e17a501d575bea2899ac06db369b04f99c27a4ba6f25
Instruction ID: eb0c6598b99f83ee3a2a602c924a3ebba94a320ed1a3d6d5ea0b8457d33419cb
Opcode Fuzzy Hash: 5b194ba5d04bcb10eb10e17a501d575bea2899ac06db369b04f99c27a4ba6f25
Instruction Fuzzy Hash: C4213B72A00609FFEB24DFA4CD99EDEBBF9EB04744F104469E652A6190DB70AE04DB50

Function 10015C34 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,CtrlAltSave), ref: 10015C88
LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015CA7
wcscpy.MSVCRT ref: 10015CBD
wcscat.MSVCRT ref: 10015CDC
wcscat.MSVCRT ref: 10015CE8
SHGetValueW.SHLWAPI(100D7048,00000000,?,00000001,00000000,100D7008), ref: 10015D0D

Strings

Software\Phoenix, xrefs: 10015CB7
CtrlAltSave, xrefs: 10015C3D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSectionwcscat$EnterLeaveValuewcscpy
String ID: CtrlAltSave$Software\Phoenix
API String ID: 3487831836-1647637443
Opcode ID: 170d40a09c7b0b7963d04a36b41f42fcc87491023b185fd489f62ad31d994a0b
Instruction ID: 95888485814f5608d0d3212534f5acfcb2dec5c760b8aa21c68fbc0af54ce30b
Opcode Fuzzy Hash: 170d40a09c7b0b7963d04a36b41f42fcc87491023b185fd489f62ad31d994a0b
Instruction Fuzzy Hash: 42214A7290021DFFDF01DFA4CC889DA7BB9FF18342F544469FA159A110EB72DA948B90

Function 100160F6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53registrylibraryloaderCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10016106
GetProcAddress.KERNEL32(00000000,RegDeleteTreeW), ref: 10016130
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,10001342,80000002,?), ref: 1001614D
RegCloseKey.ADVAPI32(?,?,10001342,80000002,?), ref: 10016163
FreeLibrary.KERNEL32(00000000,?,10001342,80000002,?), ref: 1001616A
SHDeleteKeyW.SHLWAPI(80000002,10001342,?,10001342,80000002,?), ref: 10016179

Strings

RegDeleteTreeW, xrefs: 1001612A
advapi32.dll, xrefs: 10016119

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressCloseDeleteFreeLibraryOpenProcwcslen
String ID: RegDeleteTreeW$advapi32.dll
API String ID: 3669950677-2428470095
Opcode ID: 5be618db98a24ccce74cf0b9e84fa431dbe3b433da086e3692ed400810e97916
Instruction ID: 431cec41e8287cb61a64acd9e90f83ebdd3fd3e5c591d0ee33c4c456104c23f5
Opcode Fuzzy Hash: 5be618db98a24ccce74cf0b9e84fa431dbe3b433da086e3692ed400810e97916
Instruction Fuzzy Hash: E8010C75500228FFDB12DFA5DC888DE7BB9EB8C6917248125F90966026D772CE80EB50

Function 100087C5 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 100087D4
isalnum.MSVCRT ref: 100087FB
isalnum.MSVCRT ref: 1000883E
sprintf.MSVCRT ref: 10008853
strlen.MSVCRT ref: 10008869
strcpy.MSVCRT(?,?), ref: 10008883
strlen.MSVCRT ref: 1000889A

Strings

%%%2.2X, xrefs: 1000884D
+, xrefs: 10008834

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$isalnum$sprintfstrcpy
String ID: %%%2.2X$+
API String ID: 908544606-1357302092
Opcode ID: b456ce25a1915dcc7ebe37d2769bd6119d73a0349b3ed050f57287828e8caaf2
Instruction ID: 710c75f459aaea68eaa12479642e05d6c462c7fc5382bfb08e1ff96cc2cadfcb
Opcode Fuzzy Hash: b456ce25a1915dcc7ebe37d2769bd6119d73a0349b3ed050f57287828e8caaf2
Instruction Fuzzy Hash: 4A31BC32904619EEEB11CF55D8849DDBBB9FF052A0F91C066FC94A6085DB30EB85DF50

Function 1000DBAF Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 1000DBC8
strstr.MSVCRT ref: 1000DBDF
strchr.MSVCRT ref: 1000DBF3
strlen.MSVCRT ref: 1000DC14
strlen.MSVCRT ref: 1000DC1F
memcpy.MSVCRT(?,00000002,?), ref: 1000DC2D
strstr.MSVCRT ref: 1000DC44

Strings

&utf8, xrefs: 1000DC3C
MT=, xrefs: 1000DBC0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strstr$strlen$memcpystrchr
String ID: &utf8$MT=
API String ID: 1576796791-1965320688
Opcode ID: d7e77442855d6ec1550d4aa2696be2a566bf50bbc2c92d67f196aab5254587ba
Instruction ID: d518cc3d4ada31e72cc2d61459313c5a8e7fd199638fc44bfc711fca48764211
Opcode Fuzzy Hash: d7e77442855d6ec1550d4aa2696be2a566bf50bbc2c92d67f196aab5254587ba
Instruction Fuzzy Hash: 99112E3720424A6BF741EA58ACC0FAE37E9DF851A1F21001BFA04D7145DF71AD418770

Function 10015636 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 100156A3
wcslen.MSVCRT ref: 100156A8
_wcsicmp.MSVCRT ref: 100156CB
_wcsnicmp.MSVCRT ref: 100156E6
wcsstr.MSVCRT ref: 10015720
_snwprintf.MSVCRT ref: 1001573D

Strings

[%s], xrefs: 10015690

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintf$_wcsicmp_wcsnicmpwcslenwcsstr
String ID: [%s]
API String ID: 3939914400-302437576
Opcode ID: 82474fb2ace0ddc8c12c3a1d30c280be21e0cc5bdf601bd2d02268e88599e2ee
Instruction ID: e66ef4bb80ad61a69d206730752b30dc16d46b9379775f81989446a76a118a0a
Opcode Fuzzy Hash: 82474fb2ace0ddc8c12c3a1d30c280be21e0cc5bdf601bd2d02268e88599e2ee
Instruction Fuzzy Hash: B331B136814616EBDF10DF14EC85A9A73A8EF44352F198425EC50AF2A1E732EDD1CB91

Function 10013E2F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10013E34

Part of subcall function 10013DBA: wcslen.MSVCRT ref: 10013DCA
Part of subcall function 10013DBA: PathCombineW.SHLWAPI(?,?,.\Download), ref: 10013DFD
Part of subcall function 10013DBA: PathIsDirectoryW.SHLWAPI(?), ref: 10013E14

lstrlenW.KERNEL32(?,?), ref: 10013EBB
SysFreeString.OLEAUT32(?), ref: 10013EC9
lstrlenW.KERNEL32(1001FF0C,000000FF,?,?,?,?,?,00000824), ref: 10013F04
_snwprintf.MSVCRT ref: 10013F25

Strings

`<u, xrefs: 10013EC9
%s%s, xrefs: 10013F1A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Pathlstrlen$CombineDirectoryFreeH_prologString_snwprintfwcslen
String ID: %s%s$`<u
API String ID: 576151958-688025701
Opcode ID: bb82781ab87e3206bf71b28bebe6f9595eb79f531e20605194eec3dc8bdddfda
Instruction ID: 726245d4ff0edc6745c4c1586bc81e9670c758431830d31d9261750087b31248
Opcode Fuzzy Hash: bb82781ab87e3206bf71b28bebe6f9595eb79f531e20605194eec3dc8bdddfda
Instruction Fuzzy Hash: A2319C7190025AEBEF00DFA4CC85AEEBBB4FF04354F108579E515A7291DB70AE85CBA1

Function 1001390B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

wcsncpy.MSVCRT ref: 1001395B

Part of subcall function 1000C553: memset.MSVCRT ref: 1000C56C
Part of subcall function 1000C553: FindFirstFileW.KERNEL32(?,?,?,?,00000103), ref: 1000C57E

wcsncpy.MSVCRT ref: 1001397A
wcsrchr.MSVCRT ref: 1001398D
wcslen.MSVCRT ref: 100139A1
wcsncpy.MSVCRT ref: 100139BC
_snwprintf.MSVCRT ref: 100139E0

Strings

%s%d.%s, xrefs: 100139D3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcsncpy$FileFindFirst_snwprintfmemsetwcslenwcsrchr
String ID: %s%d.%s
API String ID: 3091044564-588705153
Opcode ID: d3011a9e1c0eccc07607f6df1ca1ff4ffd33c60983350c57eba9ab1c6dfef84d
Instruction ID: bbc5075569a5bf76bf6cfc26104c851c0ec804b2b5c732841888846e48137b43
Opcode Fuzzy Hash: d3011a9e1c0eccc07607f6df1ca1ff4ffd33c60983350c57eba9ab1c6dfef84d
Instruction Fuzzy Hash: 2C219F7690021D7BEF10DAA4DC88ADB7B69EF44344F004475FA45E61A0EAB1DED48A91

Function 10005710 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10005726
wcsstr.MSVCRT ref: 1000573D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000824,00000000,00000000), ref: 10005764

Part of subcall function 1000DBAF: strstr.MSVCRT ref: 1000DBC8
Part of subcall function 1000DBAF: strchr.MSVCRT ref: 1000DBF3
Part of subcall function 1000DBAF: memcpy.MSVCRT(?,00000002,?), ref: 1000DC2D
Part of subcall function 1000DBAF: strstr.MSVCRT ref: 1000DC44

strlen.MSVCRT ref: 10005789
lstrlenA.KERNEL32(?), ref: 100057AA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 100057D2

Strings

auto.search.msn.com, xrefs: 10005735

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWidestrstr$lstrlenmemcpystrchrstrlenwcslenwcsstr
String ID: auto.search.msn.com
API String ID: 3501559847-3043395580
Opcode ID: 06f3c9e9cd8fbeed2d1c216d429a281dfe314dffc5ab748b3dacf68884475ee3
Instruction ID: 1a614f4992ac0ec7faa01e64a465d878186e71d0ccd0e162bfdc0f814a92c157
Opcode Fuzzy Hash: 06f3c9e9cd8fbeed2d1c216d429a281dfe314dffc5ab748b3dacf68884475ee3
Instruction Fuzzy Hash: 92217FB690811DAEEB11DBA4DC85EEF77ACEF082A1F1005A6F604D2050EA31DE848B60

Function 100170D4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000207,00000208), ref: 100170EB
wcslen.MSVCRT ref: 10017100
wcscat.MSVCRT ref: 1001711E
_snwprintf.MSVCRT ref: 10017140

Strings

\, xrefs: 10017106
%s%s, xrefs: 10017139
wininit.ini, xrefs: 10017133

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryWindows_snwprintfwcscatwcslen
String ID: %s%s$\$wininit.ini
API String ID: 2802880908-1580473635
Opcode ID: d2ad89105f4af0d5b8c591bd983343cc093f60b77b480adbb3be53b268d0b6f2
Instruction ID: c1643aa9848d64e12ee40a81c8ff6f694c2faaaeb983f7138faf67a94eefb4b1
Opcode Fuzzy Hash: d2ad89105f4af0d5b8c591bd983343cc093f60b77b480adbb3be53b268d0b6f2
Instruction Fuzzy Hash: 98018F36800228BAEB10DB689C4DECB77BCFB44350F5041A5F519E7092EB70E9848A90

Function 1000A8FF Relevance: 12.1, APIs: 8, Instructions: 76networktimeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 1000A942
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A95A
InternetCloseHandle.WININET(?), ref: 1000A965
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A977
InternetCloseHandle.WININET(?), ref: 1000A97C
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A985
InternetCloseHandle.WININET(?), ref: 1000A98A
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 1000A9A8

Part of subcall function 1000A55F: CloseHandle.KERNEL32(00000002,?,?,10009973,00000001,?,10009AF4,10009973), ref: 1000A5B2
Part of subcall function 1000A55F: InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5C3
Part of subcall function 1000A55F: InternetCloseHandle.WININET(?), ref: 1000A5CE
Part of subcall function 1000A55F: InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5D5
Part of subcall function 1000A55F: InternetCloseHandle.WININET(?), ref: 1000A5DA
Part of subcall function 1000A55F: InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5E1
Part of subcall function 1000A55F: InternetCloseHandle.WININET(?), ref: 1000A5E6
Part of subcall function 1000A55F: memset.MSVCRT ref: 1000A5F0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$CallbackStatus$TimerWaitable$Creatememset
String ID:
API String ID: 4035017867-0
Opcode ID: 931254182c901673c7a735d4b266c52d671e827a7eac7128be29f6de12b0781a
Instruction ID: a22c079262589f4deb820d96a14fa995addbc048e6af2528580467e200fe8799
Opcode Fuzzy Hash: 931254182c901673c7a735d4b266c52d671e827a7eac7128be29f6de12b0781a
Instruction Fuzzy Hash: 4A213D71204700AFE730CF26DC89C17BBF9EBC6B91B108A2EF556825A5C771E845CB24

Function 1000A55F Relevance: 12.1, APIs: 8, Instructions: 60networkCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000002,?,?,10009973,00000001,?,10009AF4,10009973), ref: 1000A5B2
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5C3
InternetCloseHandle.WININET(?), ref: 1000A5CE
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5D5
InternetCloseHandle.WININET(?), ref: 1000A5DA
InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A5E1
InternetCloseHandle.WININET(?), ref: 1000A5E6
memset.MSVCRT ref: 1000A5F0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$CallbackStatus$memset
String ID:
API String ID: 3996390244-0
Opcode ID: ed092344320e480f38fc3beac284dba3c057e1c0bd75b07b58bd726805dd350b
Instruction ID: 819068b017d59add0db5b54809fa5ee82e6c50ebc4e9fe7c2fba159fd9098689
Opcode Fuzzy Hash: ed092344320e480f38fc3beac284dba3c057e1c0bd75b07b58bd726805dd350b
Instruction Fuzzy Hash: 83116430200604AFEB319F25CC85F5AB7A5FF84744F008A29E5899B2A0CB31F919CB19

Function 10012C6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012C73
_wcsicmp.MSVCRT ref: 10012D5C
SysFreeString.OLEAUT32(?), ref: 10012D78

Strings

PARAM, xrefs: 10012CAB
src, xrefs: 10012C85
`<u, xrefs: 10012D78

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FreeH_prologString_wcsicmp
String ID: PARAM$`<u$src
API String ID: 3441065448-3788956495
Opcode ID: d7e40f155b96788ef39f994f38d5efd02eea2c18baa3ec72ff220b98627c52b6
Instruction ID: 06c060bc162c87cbe845a2d71a412d8add54e75e36bd53c240c6037742c7b6b4
Opcode Fuzzy Hash: d7e40f155b96788ef39f994f38d5efd02eea2c18baa3ec72ff220b98627c52b6
Instruction Fuzzy Hash: 4651F7B190020AEFCB00DF94D8849EEBBB6FF89355B51846DF905EB251C7319D85CB60

Function 1000F9FA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000F9FF
_wcsicmp.MSVCRT ref: 1000FAB2
SysFreeString.OLEAUT32(?), ref: 1000FAC1
SysFreeString.OLEAUT32(?), ref: 1000FAF7

Strings

`<u, xrefs: 1000FAC1, 1000FAF7
body, xrefs: 1000FAAA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FreeString$H_prolog_wcsicmp
String ID: `<u$body
API String ID: 1496338937-3709186860
Opcode ID: 07a168d98b2d5a02aa003719dc20afb8b8bdc41239cdb96ad1f82c4e55e1e0c1
Instruction ID: 5882f234f26dc4e2720bb1663ce7522ceebba20965c406bdbf432e8c9999e4a9
Opcode Fuzzy Hash: 07a168d98b2d5a02aa003719dc20afb8b8bdc41239cdb96ad1f82c4e55e1e0c1
Instruction Fuzzy Hash: 5441D8B5A0020AEFDB00DF94C8889AEB7B5FF89354B10856DF81AEB250D735AD46CF50

Function 1001014E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10010153

Part of subcall function 10002F5A: lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,?,10001DDB,%%s,?,10021B40), ref: 10002F78

wcstod.MSVCRT ref: 100101EE
_ftol.MSVCRT ref: 10010203
_ftol.MSVCRT ref: 1001020F
SysFreeString.OLEAUT32(?), ref: 1001021C

Part of subcall function 100029C4: InterlockedDecrement.KERNEL32(-000000F4), ref: 100029D8

Strings

`<u, xrefs: 1001021C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _ftol$DecrementFreeH_prologInterlockedStringlstrlenwcstod
String ID: `<u
API String ID: 2511985991-3367579956
Opcode ID: 66c4340a4c30a161832497fa6c6b6943be1d52c38264d4d89e2f642262429c64
Instruction ID: 9296b7b8cd6fe21cf770e1b40d918cb96beae3ff16b95ce04df07b4ea35ad036
Opcode Fuzzy Hash: 66c4340a4c30a161832497fa6c6b6943be1d52c38264d4d89e2f642262429c64
Instruction Fuzzy Hash: 85413B75A0024AEFCF01DFA4C9989EDBBB4FF48384F208468E545AB251DB74AA85CB50

Function 10015487 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 100154ED
_wcsicmp.MSVCRT ref: 10015509
_snwprintf.MSVCRT ref: 1001554F
wcslen.MSVCRT ref: 1001555A

Strings

[%s], xrefs: 100154DC
rename, xrefs: 10015499

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintf$_wcsicmpwcslen
String ID: [%s]$rename
API String ID: 1236505615-3452752509
Opcode ID: 09143cc2aa50a2d4e76672a3b1ab9d3c9bbfe2aa42993373cbcda6a0fb476f64
Instruction ID: 4720d33cc04500d44abca4f99a5670f3fc95f3f503c828239ba12b6c217767a7
Opcode Fuzzy Hash: 09143cc2aa50a2d4e76672a3b1ab9d3c9bbfe2aa42993373cbcda6a0fb476f64
Instruction Fuzzy Hash: C921EF32500A16DFDB10CF14C860A9A73F6FF04382F884465E9519F250D772EDD0CB91

Function 10015571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 10015487: _snwprintf.MSVCRT ref: 100154ED
Part of subcall function 10015487: _wcsicmp.MSVCRT ref: 10015509
Part of subcall function 10015487: _snwprintf.MSVCRT ref: 1001554F
Part of subcall function 10015487: wcslen.MSVCRT ref: 1001555A

wcschr.MSVCRT ref: 100155B2
_snwprintf.MSVCRT ref: 100155E3
wcslen.MSVCRT ref: 100155F4
_snwprintf.MSVCRT ref: 10015615
wcslen.MSVCRT ref: 10015623

Strings

rename, xrefs: 100155D3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintf$wcslen$_wcsicmpwcschr
String ID: rename
API String ID: 794387835-3650966606
Opcode ID: f296b4b463c9b33e517e7ccea4a7a046906d19f2353a7e422abb313ccadf01fa
Instruction ID: e1cb46834cdc40c2307b98be8ad7df9955c777b842da7b5d9bb9622cc6b868be
Opcode Fuzzy Hash: f296b4b463c9b33e517e7ccea4a7a046906d19f2353a7e422abb313ccadf01fa
Instruction Fuzzy Hash: 2B21497250020AEBDB10DF98CC81E9A77E8FF18314F114465FE44DB151D779E994CBA0

Function 1000C5BB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,759A5720), ref: 1000C5D5
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000C5F2
wcslen.MSVCRT ref: 1000C5FF
_snwprintf.MSVCRT ref: 1000C647
_snwprintf.MSVCRT ref: 1000C667

Strings

%s%s, xrefs: 1000C65C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Name_snwprintf$FileModulePathShortwcslen
String ID: %s%s
API String ID: 169645478-3252725368
Opcode ID: 7bd9a28264e1c435492f775b9022a54aed23814d031db38c109c31c7ff7392f3
Instruction ID: fe1de1a28924e6988f0c1d8fdf5876e0ba1ea8f9090bfe20516ab64cc304cfa9
Opcode Fuzzy Hash: 7bd9a28264e1c435492f775b9022a54aed23814d031db38c109c31c7ff7392f3
Instruction Fuzzy Hash: 28216D3140026DABEB21DF90DC48DDA77B8FF04395F104565F915D2061DB32DAA4CB90

Function 10014DE5 Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 10014E0C
GetDC.USER32(00000000), ref: 10014E15
GetDeviceCaps.GDI32(00000000,00000058), ref: 10014E26
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10014E2E
ReleaseDC.USER32(00000000,00000000), ref: 10014E34
MulDiv.KERNEL32(00001000,00000000,000009EC), ref: 10014E4A
MulDiv.KERNEL32(00001000,00000065,000009EC), ref: 10014E56

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice$DesktopReleaseWindow
String ID:
API String ID: 3662283245-0
Opcode ID: e7f71d3aaea7a0d968f8250689a91846683b0370b6ac505ad6d8d634cfe1b143
Instruction ID: b3c5fb3cdbcf47e52e1d2105d2bc06569f13d40c69968f374466bde67dd03179
Opcode Fuzzy Hash: e7f71d3aaea7a0d968f8250689a91846683b0370b6ac505ad6d8d634cfe1b143
Instruction Fuzzy Hash: 7C111C75901224BFEB109F65CC88DAA7FBDFF89760B118459F9059B260D670AE41CFA0

Function 1000FB37 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 1000FB8A
wcscmp.MSVCRT ref: 1000FB9A
SysFreeString.OLEAUT32(00000000), ref: 1000FBA7

Strings

hidden, xrefs: 1000FB82
`<u, xrefs: 1000FBA7
inherit, xrefs: 1000FB92

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcscmp$FreeString
String ID: `<u$hidden$inherit
API String ID: 95019075-3454458570
Opcode ID: 2fd055616b7557bc947d31faf267f3f0710eee2977f1bb4e732db690d1bce9ca
Instruction ID: 0e2b629dabadb89f22fd240393f9da3274069a5f036ee988081454c5cdc3dc37
Opcode Fuzzy Hash: 2fd055616b7557bc947d31faf267f3f0710eee2977f1bb4e732db690d1bce9ca
Instruction Fuzzy Hash: C1115B35600209BFEB00DB59CC58BAA7BA9EF84395F108069F904DB164DB71DE41DB90

Function 1000C8C9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 1000C8DA
GetWindowRect.USER32(00000000,?), ref: 1000C8E7
GetSystemMetrics.USER32(00000001), ref: 1000C8FB
GetSystemMetrics.USER32(00000000), ref: 1000C90D
SetWindowPos.USER32(00000000,00000000,00000000), ref: 1000C920

Strings

G, xrefs: 1000C8CF

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MetricsSystemWindow$ParentRect
String ID: G
API String ID: 139092935-985283518
Opcode ID: c7317fe78826e7a534b5373eed31b25127f0014ccb54afd82c7b706172926651
Instruction ID: 132831d73686e89f698dcee81da6163abd4e977aa1e7c16c14d74f551533e245
Opcode Fuzzy Hash: c7317fe78826e7a534b5373eed31b25127f0014ccb54afd82c7b706172926651
Instruction Fuzzy Hash: 5BF06872600219BBF7049BB8CC89FFE7B6DEB48741F054515F615E51C1CAB0F900CA54

Function 10014BD6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,1001158D,?,IMG,?,?,?,1001158D,?,000000E0,IMG), ref: 10014BE7
LoadResource.KERNEL32(?,00000000,?,1001158D,?,000000E0,IMG), ref: 10014BF7
LockResource.KERNEL32(00000000,?,1001158D,?,000000E0,IMG), ref: 10014C04
SizeofResource.KERNEL32(?,00000000,?,1001158D,?,000000E0,IMG), ref: 10014C12

Part of subcall function 10014B08: malloc.MSVCRT ref: 10014B31
Part of subcall function 10014B08: memset.MSVCRT ref: 10014B46
Part of subcall function 10014B08: GlobalAlloc.KERNEL32(00000002,1001158D,?,000000E0,IMG), ref: 10014B51
Part of subcall function 10014B08: GlobalLock.KERNEL32(00000000), ref: 10014B5E
Part of subcall function 10014B08: memcpy.MSVCRT(00000000,?,1001158D), ref: 10014B69
Part of subcall function 10014B08: GlobalUnlock.KERNEL32(00000000), ref: 10014B72
Part of subcall function 10014B08: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 10014B7F
Part of subcall function 10014B08: OleLoadPicture.OLEAUT32(?,1001158D,00000000,1001AE54,00000000), ref: 10014B94
Part of subcall function 10014B08: FreeResource.KERNEL32(00000000), ref: 10014BAF
Part of subcall function 10014B08: free.MSVCRT ref: 10014BBC

FreeResource.KERNEL32(00000000,?,1001158D,?,000000E0,IMG), ref: 10014C28

Strings

IMG, xrefs: 10014BDB

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$Global$FreeLoadLock$AllocCreateFindPictureSizeofStreamUnlockfreemallocmemcpymemset
String ID: IMG
API String ID: 370958411-761629222
Opcode ID: f493a1004ed470cd950aa76da896edc9bca1cebcd43fe5e6c9d9d6980ca6f7d3
Instruction ID: ee18250d7f2cd26ca9a39772cfcdc1046c471bee11c20f431a1576818ca03323
Opcode Fuzzy Hash: f493a1004ed470cd950aa76da896edc9bca1cebcd43fe5e6c9d9d6980ca6f7d3
Instruction Fuzzy Hash: 3EF0303210212ABFEB021F65DD8CCAB7F69EF456A67018124FD0896130DB72CC50DAA0

Function 1001348B Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 378COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10013490

Strings

background, xrefs: 10013713
src, xrefs: 100134C3, 100136C6, 100136F1
URL, xrefs: 10013635, 10013657
href, xrefs: 100136D5

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: URL$background$href$src
API String ID: 3519838083-2808172064
Opcode ID: 4ce5f43e368f0dae2bfcb2379f4ae737fcc877e73c1f6e0036cd3cd72c9121b3
Instruction ID: 7fdc7f20cfa22f9a10c5b92ac3344da393c6aa73d011ff3abf2dae1e241b11ae
Opcode Fuzzy Hash: 4ce5f43e368f0dae2bfcb2379f4ae737fcc877e73c1f6e0036cd3cd72c9121b3
Instruction Fuzzy Hash: BFE1F5B190024AABDF10DFD4C8849AEBBBAFF88354F60856DF515AF281D770D985CB60

Function 100177F5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 10017801
CopyRect.USER32(?,000000E8), ref: 10017836
InflateRect.USER32(?,?,?), ref: 10017858
CopyRect.USER32(000000F8,?), ref: 10017866
CopyRect.USER32(?,000000F8), ref: 10017899
ReleaseDC.USER32(?,?), ref: 100178DF

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$Copy$InflateRelease
String ID:
API String ID: 1888980783-0
Opcode ID: ea0fde34369f4b61a38e5db7a951fc5b31453234fc1b0a0346ebc4865b62e27e
Instruction ID: 3f5357ff4dfeb53d46ef1a1003c65ca955469f1caf062f99b59c245eb8cb42d2
Opcode Fuzzy Hash: ea0fde34369f4b61a38e5db7a951fc5b31453234fc1b0a0346ebc4865b62e27e
Instruction Fuzzy Hash: 9B3148B2900609AFDB11DFA8CC85EAEB7F9FF08300F104559E556A2661E770FA55CB20

Function 1000C261 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 1000C2B3
GlobalUnlock.KERNEL32(00000000), ref: 1000C2C5

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Global$LockUnlock
String ID:
API String ID: 2502338518-0
Opcode ID: d5d7207ccad53a54ced6cd8e6974a00fedb207bdc1adb18be1e9b38b06c72e75
Instruction ID: 87c725aebeaa3aef2d06849d86c848e2665e28e2cbc4d860b52100f98f8824a1
Opcode Fuzzy Hash: d5d7207ccad53a54ced6cd8e6974a00fedb207bdc1adb18be1e9b38b06c72e75
Instruction Fuzzy Hash: 78414C71910219ABEB10CF95CC88FDDBBB8FF057A1F108255F915EA1A0D7749A44CFA0

Function 10014D05 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 10014D58
GetDeviceCaps.GDI32(?,0000005A), ref: 10014D62
MulDiv.KERNEL32(?,000009EC,?), ref: 10014D79
MulDiv.KERNEL32(?,000009EC,?), ref: 10014D85
MulDiv.KERNEL32(?,000009EC,?), ref: 10014D91
MulDiv.KERNEL32(000009EC,000009EC,?), ref: 10014D9D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: cdf175a862c59dabd804d858af88c56fa15e11596af7e8d4af9a2413cc574f08
Instruction ID: 102e53cc85006482aa15a11e213f89d8201e20506dc3c39016effaafea0f1f84
Opcode Fuzzy Hash: cdf175a862c59dabd804d858af88c56fa15e11596af7e8d4af9a2413cc574f08
Instruction Fuzzy Hash: 6131F375A00219AFDF10DFA5CC448AA7BB9FF88350B118559F818AB264D6319D21DFA0

Function 10016B69 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10016B79
iswspace.MSVCRT ref: 10016B97
iswspace.MSVCRT ref: 10016BC0
memset.MSVCRT ref: 10016BEB
memmove.MSVCRT(?,00000000,00000000,00000103,00000000,?,?,?,100046E2,?,?,?,00000001), ref: 10016C01
memset.MSVCRT ref: 10016C1A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: iswspacememset$memmovewcslen
String ID:
API String ID: 360369320-0
Opcode ID: dc6ed12c2cb7f81217f4e773e25950673304d11d81385a200577944e19f8a3fb
Instruction ID: 5f1aae4419e3d117f5cf5e0fe6cdc9785db23543337822ea9cf896b1aebd575d
Opcode Fuzzy Hash: dc6ed12c2cb7f81217f4e773e25950673304d11d81385a200577944e19f8a3fb
Instruction Fuzzy Hash: 4F21D376905625ABDB10DF98CCC1A9A77ECEF48790F204569EC41DF240E730EAC58BA0

Function 1000E295 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 1000E2EF
GetClassNameW.USER32(?,?,00000208), ref: 1000E309
_wcsicmp.MSVCRT ref: 1000E317
wcslen.MSVCRT ref: 1000E32F
GetWindowTextW.USER32(?,?,00000208), ref: 1000E352
_wcsicmp.MSVCRT ref: 1000E361

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _wcsicmpwcslen$ClassNameTextWindow
String ID:
API String ID: 2823004452-0
Opcode ID: 86ddd5e53ec2910cdd8550de78cbc744a39ede4df1de48e4520da88db670ba0f
Instruction ID: 38f0c20c3875832ffeb683e1601d710d471d5ce08b08eb8cc35eae54a6f9f275
Opcode Fuzzy Hash: 86ddd5e53ec2910cdd8550de78cbc744a39ede4df1de48e4520da88db670ba0f
Instruction Fuzzy Hash: DB21907260025AABEB10CF75CC88A8AB7E9FB44395F108979E695E7150E770EE818B50

Function 100144DC Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

abs.MSVCRT ref: 10014502
abs.MSVCRT ref: 10014519
abs.MSVCRT ref: 10014521
abs.MSVCRT ref: 10014539

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afe19c1ffb5c3e1f93332ff89836383ef15ba388f196874e862853fc10207945
Instruction ID: 11b9eaecee1c92dcecbdef8032412f1977b8d582584e496dccc903f67aa95f46
Opcode Fuzzy Hash: afe19c1ffb5c3e1f93332ff89836383ef15ba388f196874e862853fc10207945
Instruction Fuzzy Hash: D81104372049106FD715D6688982A4E77DADF876A1B67401AFD049F263DE30FEC243A0

Function 1000C7F0 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

PathIsRootW.SHLWAPI(10003997,00000006,?,?), ref: 1000C800
wcslen.MSVCRT ref: 1000C817

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: PathRootwcslen
String ID:
API String ID: 2234252343-0
Opcode ID: cdacf9727ab6731b8ddf9fd191a15adcb297ebb852f2690775bac9762d6979b9
Instruction ID: 05897a7c66683591d69fde896309b7fab98e1bbdd2fd654ecbb9cb329c5a1b72
Opcode Fuzzy Hash: cdacf9727ab6731b8ddf9fd191a15adcb297ebb852f2690775bac9762d6979b9
Instruction Fuzzy Hash: 8511B43290021EA6EB10DB609C88FC973A8EF44391F148469E915E71C0DB74EA858794

Function 1000429F Relevance: 9.1, APIs: 6, Instructions: 64synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?), ref: 1000EC94
WaitForSingleObject.KERNEL32(?,000007D0), ref: 1000ECA2
CloseHandle.KERNEL32(?), ref: 1000ECB1
CloseHandle.KERNEL32(?), ref: 1000ECB6
DeleteCriticalSection.KERNEL32(1007A0D4), ref: 1000ECC2
CloseHandle.KERNEL32(?,?,?,?), ref: 1000ECD0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteEventObjectSectionSingleWait
String ID:
API String ID: 2643359179-0
Opcode ID: f7d4f0c73b4ecb77e0bce3939ea34483b1a2a3393f5e0d55737db6526468db75
Instruction ID: 77e99e495810674a17090582fde99592e90c15d2026e4e8188786b84d8aecd82
Opcode Fuzzy Hash: f7d4f0c73b4ecb77e0bce3939ea34483b1a2a3393f5e0d55737db6526468db75
Instruction Fuzzy Hash: 7D21D571900750DFE721DFA4CC84B5ABBF5FB84790F608A1DF45692AA4C735AC84CB50

Function 10014C35 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 10014C99
GetDeviceCaps.GDI32(?,0000005A), ref: 10014CA3
MulDiv.KERNEL32(?,00000000,000009EC), ref: 10014CB5
MulDiv.KERNEL32(?,?,000009EC), ref: 10014CC1

Strings

, xrefs: 10014C35

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-4100489788
Opcode ID: d59746c0a5d8ba174e5ae1c3c1d84db339fc8fa2aab168403bc503947db302fa
Instruction ID: 23a676b839359cbe897db6140437db38c9f00f39d0df68dd6d703ad91f999997
Opcode Fuzzy Hash: d59746c0a5d8ba174e5ae1c3c1d84db339fc8fa2aab168403bc503947db302fa
Instruction Fuzzy Hash: 8831F471900219AFDF00CFA8D9808AEBBB9FF48310B118569F915AB260D731EE60DF90

Function 1000DABA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000DABF
_snwprintf.MSVCRT ref: 1000DAFE

Part of subcall function 10016CD9: wcsstr.MSVCRT ref: 10016CEC
Part of subcall function 10016CD9: wcslen.MSVCRT ref: 10016D02
Part of subcall function 10016CD9: lstrlenW.KERNEL32(000000FF,000000FF), ref: 10016D0E

Part of subcall function 1000E698: lstrlenA.KERNEL32(?,00000002,?,?,10011CC3,00000000,?,?,00000002,00000000,00000000), ref: 1000E6AD

wcscmp.MSVCRT ref: 1000DB4D

Part of subcall function 100029C4: InterlockedDecrement.KERNEL32(-000000F4), ref: 100029D8

Strings

:^:, xrefs: 1000DB13, 1000DB22, 1000DB2D, 1000DB72, 1000DB7F, 1000DB8A
Baidu, xrefs: 1000DAD7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$DecrementH_prologInterlocked_snwprintfwcscmpwcslenwcsstr
String ID: :^:$Baidu
API String ID: 2226504211-1254441690
Opcode ID: 869fe81e12b56ab49c58bcf771bd0e24590378bf1caadb30c4e5e49593723ab5
Instruction ID: 65facd445c7e24d74bdee8241503db6b2bd0d7984a79545c9fd2f06a3a0a1a4a
Opcode Fuzzy Hash: 869fe81e12b56ab49c58bcf771bd0e24590378bf1caadb30c4e5e49593723ab5
Instruction Fuzzy Hash: 7121A17A900258BBEB04CFA1CC95DDF7B69EF08360F008529F9599B191DB74EB84CB90

Function 1000B7A5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,00000012,?,74DF23A0,00000000), ref: 1000B819
wcscmp.MSVCRT ref: 1000B82B
memset.MSVCRT ref: 1000B840
HttpQueryInfoW.WININET(?,0000002A,?,74DF23A0,00000000), ref: 1000B863

Strings

HTTP/1.1, xrefs: 1000B825

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: HttpInfoQuery$memsetwcscmp
String ID: HTTP/1.1
API String ID: 3116164046-1626175334
Opcode ID: dbf334766668146bc731dbe78fc03a1b99e0b358460a58b6be0079e1aaeea104
Instruction ID: dfdbc865d9ee8059c777e840100eee344e7d88534a6c157ab865e1242f4241d8
Opcode Fuzzy Hash: dbf334766668146bc731dbe78fc03a1b99e0b358460a58b6be0079e1aaeea104
Instruction Fuzzy Hash: FC2162B6500219EBEB11DF50CC89BDB77ACFB04391F208276E915EA195EA30DA85CBD0

Function 10003B2D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 10003B79
DeleteFileW.KERNEL32(?), ref: 10003B8C
PathCombineW.SHLWAPI(?,?,..\,?,?), ref: 10003BEA
RemoveDirectoryW.KERNEL32(?), ref: 10003BF7

Strings

..\, xrefs: 10003BE3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteFile$CombineDirectoryPathRemove
String ID: ..\
API String ID: 195365093-2756224523
Opcode ID: b790de18519664b753b3172bd80bd20793cbea334ac25e6f7ac5f916bdc61202
Instruction ID: 8fde837e0947a5e706be76d1a18b9c0872f4a50caac561de58ab8b4454aee12d
Opcode Fuzzy Hash: b790de18519664b753b3172bd80bd20793cbea334ac25e6f7ac5f916bdc61202
Instruction Fuzzy Hash: 08219535600219EFDF14DF54C888ADA7778FF04359F108869EA19AB192DB70EA45CF50

Function 1000C713 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?,?), ref: 1000C741
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?,?), ref: 1000C75E
VerQueryValueW.VERSION(00000000,1001FF0C,?,00000104,?,00000000,00000000,00000000,?,?,?), ref: 1000C77B
_snwprintf.MSVCRT ref: 1000C7AD

Strings

%d.%d.%d.%d, xrefs: 1000C7A6

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_snwprintf
String ID: %d.%d.%d.%d
API String ID: 3866946760-3491811756
Opcode ID: 9f372da94681139b6ee2c18afdd511bb229fdfccda27fce7912f187c4466de94
Instruction ID: b2765d419a4b4244168d8de32d69bc6888172e1afa75003b748c1c5a4d0266d1
Opcode Fuzzy Hash: 9f372da94681139b6ee2c18afdd511bb229fdfccda27fce7912f187c4466de94
Instruction Fuzzy Hash: EA119377114209BAEB10DB58CC81EEA77FCFF08750F014469BA09E6092D770EA84CB64

Function 10011456 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 1001147E
CopyRect.USER32(10006C6D,00000000), ref: 100114B9
IsWindow.USER32(00000000), ref: 100114EF

Part of subcall function 1001150A: memset.MSVCRT ref: 1001153E
Part of subcall function 1001150A: wcscpy.MSVCRT ref: 10011557
Part of subcall function 1001150A: CreateFontIndirectW.GDI32(?), ref: 10011564
Part of subcall function 1001150A: GetClientRect.USER32(100055D5,?), ref: 100115C7
Part of subcall function 1001150A: SetTimer.USER32(100055D5,00000100,000007D0,00000000), ref: 10011646
Part of subcall function 1001150A: SetPropW.USER32(100055D5,IESuper_PROP,?), ref: 10011655

Strings

IESuperWnd, xrefs: 1001148A, 100114E4
0, xrefs: 1001146E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Rect$ClientCopyCreateCursorFontIndirectLoadPropTimerWindowmemsetwcscpy
String ID: 0$IESuperWnd
API String ID: 1886696815-2306747139
Opcode ID: 91b839b4832c5c35600c68b09b164ef4aed62d77d87abebe91d1093fc5508597
Instruction ID: 3ca8996318656cab42f1a92a5e7d172af7e1d90096452c51d0bb58969a99ab50
Opcode Fuzzy Hash: 91b839b4832c5c35600c68b09b164ef4aed62d77d87abebe91d1093fc5508597
Instruction Fuzzy Hash: 4A21D3B5D11229AFDF00DFE9C8888EEBFB8FF49650F00811AF515EA251D7749A45CBA0

Function 10008F8A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10008F99
memset.MSVCRT ref: 10008FA9
wcslen.MSVCRT ref: 10009009
InternetCrackUrlW.WININET(00000001,00000000), ref: 10009014

Strings

<, xrefs: 10008FF5

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CrackInternetwcslen
String ID: <
API String ID: 1057199975-4251816714
Opcode ID: 87866dee01bcb321ffbde0269aa5b4a07785988eca0369b3a843e0169026cb2d
Instruction ID: 3829ad8c9541eb293ae7dca575a143c1fcb0a1ce248b20593bf58d5ce018a541
Opcode Fuzzy Hash: 87866dee01bcb321ffbde0269aa5b4a07785988eca0369b3a843e0169026cb2d
Instruction Fuzzy Hash: 2A21EA71D00209AFEB51DFA4C845BDEBBF8FF08380F10842AE556E7251E775A685CB90

Function 1001172E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59stringCOMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 1001173F
strlen.MSVCRT ref: 10011749
DrawTextA.USER32(?,?,000000FF,,00008025), ref: 100117CE

Strings

IMG, xrefs: 1001179B
, xrefs: 100117C7, 100117B9

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Text$ColorDrawstrlen
String ID: IMG$
API String ID: 1838181329-4093138344
Opcode ID: dded58d39b0cc24183a9e1d0aa0f8ab49c962692445208cb6d59bdaa2ca62617
Instruction ID: 1051a16947ea5ed5476d1636844fd7a1ba7c383757c07aedae06cf2a0baafb39
Opcode Fuzzy Hash: dded58d39b0cc24183a9e1d0aa0f8ab49c962692445208cb6d59bdaa2ca62617
Instruction Fuzzy Hash: 73119E75504209BBFB109F94CC89FEF7BB8EB04368F108814FA15AA2D1D775DA45CBA0

Function 10001348 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(10019528,00000000,00000001,10019518,?,00000104), ref: 10001364
GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001383
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 10001398

Strings

Module, xrefs: 100013A8
REGISTRY, xrefs: 100013BE

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Name$CreateFileInstanceModulePathShort
String ID: Module$REGISTRY
API String ID: 968466879-2506633518
Opcode ID: e9bf56c6cbd7ceeed75f3e7e2e5ec8be43bfeee606540fa49f62ca82c95bbb8d
Instruction ID: b48e39cf847f86469e2fc967f2d8b0406de676acbd6b4aabd1a571d62cc94b77
Opcode Fuzzy Hash: e9bf56c6cbd7ceeed75f3e7e2e5ec8be43bfeee606540fa49f62ca82c95bbb8d
Instruction Fuzzy Hash: 77112EB1900129AFDB10DBA4CC48EDA77B9EF88754F108194FA09EB151D774DE85CBA1

Function 100041E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?), ref: 1000422C
wcsrchr.MSVCRT ref: 1000423B
_wcsicmp.MSVCRT ref: 10004251

Part of subcall function 10016D5B: GetVersionExW.KERNEL32(?), ref: 10016D75

Part of subcall function 10015BA6: wcscpy.MSVCRT ref: 10015BBD
Part of subcall function 10015BA6: InitializeCriticalSection.KERNEL32(100D51D0), ref: 10015BCA

Part of subcall function 1000F44B: InitializeCriticalSection.KERNEL32(10079D0C,?,10004284), ref: 1000F45A

Part of subcall function 1000EC13: InitializeCriticalSection.KERNEL32(1007A0D4,?,?,?,1000428E), ref: 1000EC1C
Part of subcall function 1000EC13: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,1000428E), ref: 1000EC2F
Part of subcall function 1000EC13: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,1000428E), ref: 1000EC38
Part of subcall function 1000EC13: _beginthreadex.MSVCRT ref: 1000EC4A

Part of subcall function 10017BFF: IsWindow.USER32(?), ref: 10017C05
Part of subcall function 10017BFF: SendMessageW.USER32(00000000,00000403,00000003,00000320), ref: 10017C4E
Part of subcall function 10017BFF: SendMessageW.USER32(?,00000403,00000001,000005DC), ref: 10017C5B

Strings

Software\IESuper, xrefs: 1000426C
iexplore.exe, xrefs: 1000424B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalInitializeSection$CreateEventMessageSend$FileModuleNameVersionWindow_beginthreadex_wcsicmpwcscpywcsrchr
String ID: Software\IESuper$iexplore.exe
API String ID: 1657038522-4111106632
Opcode ID: 339050d95947c7cb5aa18bbc1d3dff208bdd221d258478059bacfe3690febadc
Instruction ID: abb6aead98a39dfee50fd27eee13eef94e3bf70ce916f61d5a27452bb8d65f5e
Opcode Fuzzy Hash: 339050d95947c7cb5aa18bbc1d3dff208bdd221d258478059bacfe3690febadc
Instruction Fuzzy Hash: AE112671A043149FFB00DBA4DC8AB8A37F4EB80359F100159F545EA0D2EF74E9C04B55

Function 10006E33 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,IESuper,00000040), ref: 10006EBA

Part of subcall function 1001655A: DllRegisterServer.RCM4CX31IY(10006E4D,?,100079E8,00000029,00000000,00000000), ref: 10016593

Strings

jscript.dll, xrefs: 10006E80
vbscript.dll, xrefs: 10006E8B
IESuper, xrefs: 10006EA9
DllRegisterServer, xrefs: 10006E7A, 10006E7F, 10006E8A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MessageRegisterServer
String ID: DllRegisterServer$IESuper$jscript.dll$vbscript.dll
API String ID: 3182076914-2378748890
Opcode ID: 186094a3ae4ced754e20c122c7a4314666fee761def89f9df352270bbacfad83
Instruction ID: daf127c69531001bf6c77c99ca59ee891c7d15e7bfa7d955a580a6e27b079de6
Opcode Fuzzy Hash: 186094a3ae4ced754e20c122c7a4314666fee761def89f9df352270bbacfad83
Instruction Fuzzy Hash: ACF0623D049791A6FB10E7F4DC46A5E6296EF1C2D9F604925F1445C0CACE70F8D581B3

Function 10015ACF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10015AF9
GetModuleFileNameW.KERNEL32(?,00000104), ref: 10015B16
wcsrchr.MSVCRT ref: 10015B29
_snwprintf.MSVCRT ref: 10015B4B

Strings

%s.ini, xrefs: 10015B40

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName_snwprintfwcslenwcsrchr
String ID: %s.ini
API String ID: 1316285421-2418677838
Opcode ID: 34f4bd46059b0e5221b1bb559a71830455a55eceda863c8769dc361e0f9dacd9
Instruction ID: bd499ab18a03fd58a9c408df242ba8cbf873f0895c0608cb3cdda6419b625366
Opcode Fuzzy Hash: 34f4bd46059b0e5221b1bb559a71830455a55eceda863c8769dc361e0f9dacd9
Instruction Fuzzy Hash: CF018636600325ABFB50DB54DC8CBD777ACEF44716F0101A5F951EA0A1EB74DAC48750

Function 100049B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(80000002,Software\Microsoft\Internet Explorer,Version,?,?,?), ref: 100049ED
wcsncmp.MSVCRT ref: 10004A2C

Strings

6.0.2800, xrefs: 10004A26
Software\Microsoft\Internet Explorer, xrefs: 100049DC
Version, xrefs: 100049D7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Valuewcsncmp
String ID: 6.0.2800$Software\Microsoft\Internet Explorer$Version
API String ID: 3637388305-295221154
Opcode ID: f5333658285aa58c7cc3f277fe3f17dcc62710e14bfb16ef8f85494dbd412985
Instruction ID: d620f4cc437a189029ac48775a95612533969678681630e8d16566e80429f021
Opcode Fuzzy Hash: f5333658285aa58c7cc3f277fe3f17dcc62710e14bfb16ef8f85494dbd412985
Instruction Fuzzy Hash: AC0181B1950119AEE700CFA4CC89BEE7BF8F710348F40446AE515E6150EB78DA848B55

Function 100146CD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,?), ref: 100146E5
wcschr.MSVCRT ref: 100146EE
wcslen.MSVCRT ref: 100146FF
wcscpy.MSVCRT ref: 10014710

Strings

ABC, xrefs: 1001470A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: LoadStringwcschrwcscpywcslen
String ID: ABC
API String ID: 101312571-2743272264
Opcode ID: fc3e426b69281d831a06aaf0f74826cdfbff97a2cd7e678af62db5e5fdbedc10
Instruction ID: 5361b3bbe307a6ab1edfaa088c1cdbd039c69e41a217eb4e690525704433b377
Opcode Fuzzy Hash: fc3e426b69281d831a06aaf0f74826cdfbff97a2cd7e678af62db5e5fdbedc10
Instruction Fuzzy Hash: B1E03933009222EFF7129B50EC48E8A3BE8FF46361F128409F640910A0EB3994818669

Function 1000E3E5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetAncestor.USER32(00000001,00000002,?,?,100052DD,?,00000001,00000001), ref: 1000E3ED

Part of subcall function 1000E379: memset.MSVCRT ref: 1000E391
Part of subcall function 1000E379: wcscpy.MSVCRT ref: 1000E3AF
Part of subcall function 1000E379: wcscpy.MSVCRT ref: 1000E3C3
Part of subcall function 1000E379: EnumChildWindows.USER32(?,Function_0000E295,?), ref: 1000E3D6

Strings

ReBarWindow32, xrefs: 1000E405
ComboBoxEx32, xrefs: 1000E413
Edit, xrefs: 1000E41F
WorkerW, xrefs: 1000E3F9

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcscpy$AncestorChildEnumWindowsmemset
String ID: ComboBoxEx32$Edit$ReBarWindow32$WorkerW
API String ID: 1305542645-512072214
Opcode ID: d8b362c4e65898f675ed400a04a41bb5cdfd756f73c59e74425ef9b0cd8bc352
Instruction ID: 1481b87e843e7ec0f25cf4f57a4173609f80b21ce85ba00815ac571aecc2b673
Opcode Fuzzy Hash: d8b362c4e65898f675ed400a04a41bb5cdfd756f73c59e74425ef9b0cd8bc352
Instruction Fuzzy Hash: 37E0ECAD5052A032E531F2766C0EEEB2D2CCFE37F0B428668B658F715697249E8190B5

Function 1000B4C3 Relevance: 7.7, APIs: 5, Instructions: 169COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000B53B
memcmp.MSVCRT(?,?,0000001C,10009837,?,00000000), ref: 1000B550
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000B5FF
_ui64toa.MSVCRT ref: 1000B699
_ui64toa.MSVCRT ref: 1000B6B0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _ui64toa$Unothrow_t@std@@@__ehfuncinfo$??2@memcmpmemset
String ID:
API String ID: 725350826-0
Opcode ID: f452d54ba5d0917ef7a8cf8c3f918d594a8f75d00bb40870ddc1924bd431f922
Instruction ID: 7dee4863d8685e5747c4557f6829e5b08df625c1206acaea6ad5fa2a8c188c43
Opcode Fuzzy Hash: f452d54ba5d0917ef7a8cf8c3f918d594a8f75d00bb40870ddc1924bd431f922
Instruction Fuzzy Hash: 1F61D231A01A05AFDB54CFA8C880B9AF3E0FF48351F1482A9DA599B295DB30ED45CF80

Function 1000A360 Relevance: 7.7, APIs: 5, Instructions: 154networkCOMMON

Download Yara Rule

APIs

InternetSetStatusCallbackW.WININET(?,00000000), ref: 1000A3DB
InternetCloseHandle.WININET(?), ref: 1000A3E4
memset.MSVCRT ref: 1000A4B3
_snwprintf.MSVCRT ref: 1000A4CD
memset.MSVCRT ref: 1000A4DE

Part of subcall function 1000B6BD: memset.MSVCRT ref: 1000B70F

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$Internet$CallbackCloseHandleStatus_snwprintf
String ID:
API String ID: 3184555854-0
Opcode ID: 3debea28c2f605329e5594d3361c4fcb869d006b5c8118c8615991fa702929c5
Instruction ID: 86ae412b5bdd81a8673292e8e4ac690cdaeb42eea7c1d69adba3eecca71b535d
Opcode Fuzzy Hash: 3debea28c2f605329e5594d3361c4fcb869d006b5c8118c8615991fa702929c5
Instruction Fuzzy Hash: 5451B371600A01ABEB14CF35CC85A9BB7E6FF863C2F114619F55A8B245D770FAC58B90

Function 10007960 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(000000D0), ref: 10007975
GetSubMenu.USER32(00000000,00000000), ref: 1000798B
CopyRect.USER32(?,?), ref: 100079A3
TrackPopupMenuEx.USER32(?,00000128,?,?,?,00000014), ref: 100079C1
DestroyMenu.USER32(?), ref: 10007A5C

Part of subcall function 10006E33: MessageBoxW.USER32(?,00000000,IESuper,00000040), ref: 10006EBA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Menu$CopyDestroyLoadMessagePopupRectTrack
String ID:
API String ID: 3473361103-0
Opcode ID: 459647d3131db5d57bcb9e329a6fd58c4323cd9a262cb49c755f9ec54d44dd7f
Instruction ID: 4e34ae73c7885cdfedcced92ea436271f0a5d9a81b5a474e392fefb389f919de
Opcode Fuzzy Hash: 459647d3131db5d57bcb9e329a6fd58c4323cd9a262cb49c755f9ec54d44dd7f
Instruction Fuzzy Hash: BE21B474B00609BFFB00DBA0CC8AFAF7AAEFB857C4F108011F215A91D4DAB55F409662

Function 10008493 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10008498
memcmp.MSVCRT(?,100196C0,00000010), ref: 100084CB
??2@YAPAXI@Z.MSVCRT(000024A8), ref: 100084DC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@H_prologmemcmp
String ID:
API String ID: 1157519902-0
Opcode ID: 27c78a5165fefe4b0a1a1d91c934ab202a6901dec08c63bdbb17b33974d2f400
Instruction ID: d7e8e93c9b172d68a33f5adda4c32e93c61cdb2fff0b063afe5ad1b7e01b7294
Opcode Fuzzy Hash: 27c78a5165fefe4b0a1a1d91c934ab202a6901dec08c63bdbb17b33974d2f400
Instruction Fuzzy Hash: 6821E231A41A1AABE751CF649C01B9E73E4FF08395F104129FE85EB285E774DF808B65

Function 10016305 Relevance: 7.6, APIs: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001630A

Part of subcall function 10011188: memset.MSVCRT ref: 10011196

_snprintf.MSVCRT ref: 1001635C
strlen.MSVCRT ref: 10016373
_snprintf.MSVCRT ref: 10016398
strlen.MSVCRT ref: 100163BA

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snprintfstrlen$H_prologmemset
String ID:
API String ID: 13963009-0
Opcode ID: ae17a4315e764c28c8ff141a231ab58b3ade406036640c1c9de1173967fe1ebd
Instruction ID: fe050b46cfa76489c2bd4aef79c84c3cf9fccd6f31e4fd035e8cd3dabf84a3d7
Opcode Fuzzy Hash: ae17a4315e764c28c8ff141a231ab58b3ade406036640c1c9de1173967fe1ebd
Instruction Fuzzy Hash: 0111DA75904159BEEF11C7A4DC05BE9777CEF08390F0008A5F594D6181D774DBC49B61

Function 10008327 Relevance: 7.6, APIs: 5, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000837E
wcslen.MSVCRT ref: 10008388
memcpy.MSVCRT(?,?,00000000), ref: 1000839A
lstrcpyW.KERNEL32(?,?), ref: 100083B5
lstrcatW.KERNEL32(?,?), ref: 100083C3

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: lstrcatlstrcpymemcpymemsetwcslen
String ID:
API String ID: 1171249246-0
Opcode ID: d1445a95df173c29fa232a6e3f3faad84660646db62d9b8740c339490c9edabc
Instruction ID: f98e5c83b3c524c74ab1786698b9d656c5f0770054bb0b4f2df447c00a79bae2
Opcode Fuzzy Hash: d1445a95df173c29fa232a6e3f3faad84660646db62d9b8740c339490c9edabc
Instruction Fuzzy Hash: 0A119136500218BBEB51DBA8DC49ECB77A8FF48780F004551FA95D61A2EB70EB91CB54

Function 1000CFB0 Relevance: 7.6, APIs: 5, Instructions: 54memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,?,?,00000000), ref: 1000CFD3
GetCurrentProcess.KERNEL32(00000000,?,?,00000000), ref: 1000CFED
ReadProcessMemory.KERNEL32(00000000), ref: 1000CFF0
GetCurrentProcess.KERNEL32(?,?,?,00000000), ref: 1000D009
WriteProcessMemory.KERNEL32(00000000), ref: 1000D00C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CurrentMemory$ProtectReadVirtualWrite
String ID:
API String ID: 674560703-0
Opcode ID: abd883ebd4cc7f679e287e3fc141540d9d69de995874f0e86a21be3a29b3df96
Instruction ID: 7ec7c372db0ec5a2278dc69596185582b7640cab74e8a79e8c1efdd27418a195
Opcode Fuzzy Hash: abd883ebd4cc7f679e287e3fc141540d9d69de995874f0e86a21be3a29b3df96
Instruction Fuzzy Hash: 4B01E5B6A00209BBEB10DFA9CC89F8B77ECEB49795F114425F604D3280D670EA459B60

Function 10009B3F Relevance: 7.6, APIs: 5, Instructions: 50networkfileCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(00000002,?,?,74DF23A0,1000998B,?,?,?), ref: 10009B54
HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 10009B73
FtpOpenFileW.WININET(?,?,80000000,80000002,?), ref: 10009B8D
SetEvent.KERNEL32(00000002), ref: 10009BA6
GetLastError.KERNEL32 ref: 10009BAE

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Event$ErrorFileHttpLastOpenRequestReset
String ID:
API String ID: 1076770906-0
Opcode ID: 8d435f2cb221fd41fc192f963f5a9d48f757f5a0a06135fb77c909fa05007c56
Instruction ID: f23372491201a1d010368a9e71b72f321190485903a459b068be537b0686bb75
Opcode Fuzzy Hash: 8d435f2cb221fd41fc192f963f5a9d48f757f5a0a06135fb77c909fa05007c56
Instruction Fuzzy Hash: 39019E71204611EFF7218F29DD88F0ABAE9FB583A1F118529F54AD21B0C771E891CA21

Function 10009FE3 Relevance: 7.6, APIs: 5, Instructions: 50networkfileCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(00000002,?,?,74DF23A0,100099BB,?,?,?,?,?,?,?), ref: 10009FF8
HttpEndRequestW.WININET(?,00000000,00000000,00000000), ref: 1000A017
FtpOpenFileW.WININET(?,?,80000000,80000002,?), ref: 1000A031
SetEvent.KERNEL32(00000002), ref: 1000A04A
GetLastError.KERNEL32 ref: 1000A052

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Event$ErrorFileHttpLastOpenRequestReset
String ID:
API String ID: 1076770906-0
Opcode ID: 1a25b7944d028e7230c89bd56b4fa91a3a965d5fcf46bf9d0a07634623220961
Instruction ID: 28a86dbc0fe1d6d2692274abb9c2dadd3bbe4048c62af7d1d1cbd5621dd95c23
Opcode Fuzzy Hash: 1a25b7944d028e7230c89bd56b4fa91a3a965d5fcf46bf9d0a07634623220961
Instruction Fuzzy Hash: 77019E71600611EBF7308F25CC88F4BBBE9FB19395F108629F64AD21B1C771E891DA21

Function 10011313 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 10011327
strstr.MSVCRT ref: 10011338
strncpy.MSVCRT ref: 1001134F
strcpy.MSVCRT(?,?), ref: 1001135E

Strings

://, xrefs: 10011321

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: strstr$strcpystrncpy
String ID: ://
API String ID: 3526421744-1869659232
Opcode ID: 64a9255043ee0fda17ff48ca523e3acd3ba5583ab94837c28e87e7f31aa65d4f
Instruction ID: e4ae7de2b6efa1b8260e957aa6e935768b69e1fbad8904df95b76b0a37a17a51
Opcode Fuzzy Hash: 64a9255043ee0fda17ff48ca523e3acd3ba5583ab94837c28e87e7f31aa65d4f
Instruction Fuzzy Hash: 5DF0B43720420ABBEB48CA95FC05CDB37ADEB41671720442AFE14CA840DA30EB8187A0

Function 10013DBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10013DCA

Part of subcall function 1000C5BB: GetModuleFileNameW.KERNEL32(?,?,00000104,759A5720), ref: 1000C5D5
Part of subcall function 1000C5BB: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000C5F2
Part of subcall function 1000C5BB: wcslen.MSVCRT ref: 1000C5FF
Part of subcall function 1000C5BB: _snwprintf.MSVCRT ref: 1000C647

PathCombineW.SHLWAPI(?,?,.\Download), ref: 10013DFD

Part of subcall function 1000C681: wcscpy.MSVCRT ref: 1000C6C9
Part of subcall function 1000C681: PathCombineW.SHLWAPI(?,?,00000000), ref: 1000C6E1
Part of subcall function 1000C681: wcslen.MSVCRT ref: 1000C6EE
Part of subcall function 1000C681: wcscat.MSVCRT ref: 1000C707

PathIsDirectoryW.SHLWAPI(?), ref: 10013E14

Part of subcall function 1000C7F0: PathIsRootW.SHLWAPI(10003997,00000006,?,?), ref: 1000C800

Strings

.\Download, xrefs: 10013DC4, 10013DC9, 10013DF7

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Path$wcslen$CombineName$DirectoryFileModuleRootShort_snwprintfwcscatwcscpy
String ID: .\Download
API String ID: 955913302-3258373688
Opcode ID: 6728680f4dca06ec372d5be4694bd35ef2cbe1d254da69bb52374674bef87da5
Instruction ID: 5e9baabd2bca3aa4c3de83fedbce0c1f72d3bf143e76148a960474609df82d8d
Opcode Fuzzy Hash: 6728680f4dca06ec372d5be4694bd35ef2cbe1d254da69bb52374674bef87da5
Instruction Fuzzy Hash: 30F0C236510324BBFB10EB609C4AFDB37ECEF05651F00405AF901E90C1EBB4EAC18AA5

Function 10017BFF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 10017C05
SendMessageW.USER32(00000000,00000403,00000003,00000320), ref: 10017C4E
SendMessageW.USER32(?,00000403,00000001,000005DC), ref: 10017C5B

Strings

tooltips_class32, xrefs: 10017C2B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: MessageSend$Window
String ID: tooltips_class32
API String ID: 2326795674-1918224756
Opcode ID: bc021b26834e17f60e64cc7a819a2d6b31af0e2ab3fa3011d1d97ea0a295a4f8
Instruction ID: e6ca1821336e0cbc24f79263f9860d6dd43f730ae0b696523df5f00035567929
Opcode Fuzzy Hash: bc021b26834e17f60e64cc7a819a2d6b31af0e2ab3fa3011d1d97ea0a295a4f8
Instruction Fuzzy Hash: A4F0A0B12103007EF6285B10EC8BFB76A9CE780B40F01812DFA05F60E0E6E0BE408A30

Function 1000118B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

StringFromIID.OLE32(?,1000126B), ref: 1000119C
_snwprintf.MSVCRT ref: 100011D9

Part of subcall function 100160F6: wcslen.MSVCRT ref: 10016106
Part of subcall function 100160F6: GetProcAddress.KERNEL32(00000000,RegDeleteTreeW), ref: 10016130
Part of subcall function 100160F6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,10001342,80000002,?), ref: 1001614D
Part of subcall function 100160F6: RegCloseKey.ADVAPI32(?,?,10001342,80000002,?), ref: 10016163
Part of subcall function 100160F6: FreeLibrary.KERNEL32(00000000,?,10001342,80000002,?), ref: 1001616A

CoTaskMemFree.OLE32(00000000), ref: 100011F6

Strings

%s\%s, xrefs: 100011C8

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Free$AddressCloseFromLibraryOpenProcStringTask_snwprintfwcslen
String ID: %s\%s
API String ID: 2030704463-4073750446
Opcode ID: f6d99dda1fbd1c0a68fc0005a259a66b25358997b84a8301248e170bbfb27486
Instruction ID: 33c8039404a00635515243ca8f5466dd11e1497bd1bf8a172f6d4db63a0d24b2
Opcode Fuzzy Hash: f6d99dda1fbd1c0a68fc0005a259a66b25358997b84a8301248e170bbfb27486
Instruction Fuzzy Hash: 53F03C76900218FBEF11DBA4DD49FCA77B9EB08300F1041A1E615E2092D7B49B95DB91

Function 10017CB9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 10017CD5
SendMessageW.USER32(?,00000407,00000000,?), ref: 10017CF2
SendMessageW.USER32(?), ref: 10017D22

Strings

,, xrefs: 10017D0B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Message$Send
String ID: ,
API String ID: 954663948-3772416878
Opcode ID: f2216ee946fc5e5775d17333a94374f9d16940d569bd83cbec387d84ff1ca6d3
Instruction ID: 59287ab02fca4fc244a6e6172c119a34a6e22dc4885070eea61d00941419bbe8
Opcode Fuzzy Hash: f2216ee946fc5e5775d17333a94374f9d16940d569bd83cbec387d84ff1ca6d3
Instruction Fuzzy Hash: CF01E8B1D00219EFEB109FD9DC85BDEBBB8EF48714F104116E650B6290D3B4AA468FA4

Function 10003104 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 10008D1B: memset.MSVCRT ref: 10008DC9
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008DDB
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E6D
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E7B
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E8E
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008E9C
Part of subcall function 10008D1B: memset.MSVCRT ref: 10008EAD

memset.MSVCRT ref: 10003147
GetTempPathW.KERNEL32(00000104,?), ref: 10003155
wcscat.MSVCRT ref: 10003161

Strings

IeSuper\Update\, xrefs: 1000315B

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memset$PathTempwcscat
String ID: IeSuper\Update\
API String ID: 2533783615-3270867836
Opcode ID: 52fff0fdabe26e0fa3c66d832dc2dfa5fc5ee9d2e102f968693b63d468af2202
Instruction ID: 07fc70cf78da77092fd633aa16c9cdbe2abf05ac9b2afa8cf97c1e394c173a32
Opcode Fuzzy Hash: 52fff0fdabe26e0fa3c66d832dc2dfa5fc5ee9d2e102f968693b63d468af2202
Instruction Fuzzy Hash: 2FF0C2B1504701AFD7288F28E84A897BBE4EF45721314C96EF5AED72A1DA70A544CF10

Function 10008C28 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,DllRegisterServer,10006E8A,jscript.dll,DllRegisterServer,?,?,100079E8,00000029,00000000,00000000), ref: 10008C2C
GetProcAddress.KERNEL32(00000000,00000000), ref: 10008C4B
FreeLibrary.KERNEL32(00000000,?,DllRegisterServer,10006E8A,jscript.dll,DllRegisterServer,?,?,100079E8,00000029,00000000,00000000), ref: 10008C5A

Strings

DllRegisterServer, xrefs: 10008C28

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressErrorFreeLibraryModeProc
String ID: DllRegisterServer
API String ID: 827327079-1663957109
Opcode ID: d34c07cfd6112c788380eb414ae4f9a417bf364070ac6e468f852232bc1c6ce1
Instruction ID: 55acebd1b5a524f9425cd6b9f6e56e66baacf20a2efd04482f7efabc32008f25
Opcode Fuzzy Hash: d34c07cfd6112c788380eb414ae4f9a417bf364070ac6e468f852232bc1c6ce1
Instruction Fuzzy Hash: 30E0DF312014206FF612AB695C4CE4F29B1FBC9A81F054820F081D2054DA318D05C771

Function 1001655A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 100160F6: wcslen.MSVCRT ref: 10016106
Part of subcall function 100160F6: GetProcAddress.KERNEL32(00000000,RegDeleteTreeW), ref: 10016130
Part of subcall function 100160F6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,000F003F,?,?,10001342,80000002,?), ref: 1001614D
Part of subcall function 100160F6: RegCloseKey.ADVAPI32(?,?,10001342,80000002,?), ref: 10016163
Part of subcall function 100160F6: FreeLibrary.KERNEL32(00000000,?,10001342,80000002,?), ref: 1001616A

Part of subcall function 100160F6: SHDeleteKeyW.SHLWAPI(80000002,10001342,?,10001342,80000002,?), ref: 10016179

DllRegisterServer.RCM4CX31IY(10006E4D,?,100079E8,00000029,00000000,00000000), ref: 10016593

Strings

Software\Microsoft\Internet Explorer\URLSearchHooks, xrefs: 10016585
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects, xrefs: 10016562
Software\Microsoft\Internet Explorer\Extensions, xrefs: 1001656D, 10016577, 1001657E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: AddressCloseDeleteFreeLibraryOpenProcRegisterServerwcslen
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects$Software\Microsoft\Internet Explorer\Extensions$Software\Microsoft\Internet Explorer\URLSearchHooks
API String ID: 2567297164-1606756284
Opcode ID: dbc8e950be6e847f229c822c2ba076c4b0d9b8e16b69e38550f8483a82d473b7
Instruction ID: 705639114c941c9ebbe4bae25b473d27d1dfaf0fbbb5e950a429ee77a9f8ba13
Opcode Fuzzy Hash: dbc8e950be6e847f229c822c2ba076c4b0d9b8e16b69e38550f8483a82d473b7
Instruction Fuzzy Hash: 13D05E9A96127133E232E1762E86E8F080ECFCE660F9104B9BA04699039D29A88101B5

Function 100112DB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 100112ED
_wcsnicmp.MSVCRT ref: 10011301

Strings

https://, xrefs: 100112F8
http://, xrefs: 100112E4

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _wcsnicmp
String ID: http://$https://
API String ID: 1886669725-1916535328
Opcode ID: 02c48cfea50897d27410f87cf47f7cb75fed684a4359529df431f64c97d8bce6
Instruction ID: ba54b086f668a9ed9948b0775bd7b9c75943ad1ffecb73f1c7724633021d2363
Opcode Fuzzy Hash: 02c48cfea50897d27410f87cf47f7cb75fed684a4359529df431f64c97d8bce6
Instruction Fuzzy Hash: 2ED01731B683216BEA80D628BD81BC73AC6AF44651F010832FE90A94D9EB61DA948691

Function 10015BA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 10015BBD
InitializeCriticalSection.KERNEL32(100D51D0), ref: 10015BCA
DeleteCriticalSection.KERNEL32(100D51D0), ref: 10015BDE

Strings

Software\Phoenix, xrefs: 10015BB8

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteInitializewcscpy
String ID: Software\Phoenix
API String ID: 3532340086-1254586771
Opcode ID: 1b3fb9f1ce32515888c67a1ae8774e8cf3eed16becb32f6d3cf268079706dcc1
Instruction ID: 6909682cd19ecf063d3691be7ae41d8b7d982e6118af5e61d722a14fc1c04207
Opcode Fuzzy Hash: 1b3fb9f1ce32515888c67a1ae8774e8cf3eed16becb32f6d3cf268079706dcc1
Instruction Fuzzy Hash: 51E0EC35808302FAEB459790DC8DB8936A1EB40743F64C409F606190A0EB7284C0D722

Function 1001677E Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SHDeleteKeyW.SHLWAPI(80000001,Software\Policies\Microsoft\Internet Explorer\Control Panel,?,10006E63,?,100079E8,00000029,00000000,00000000), ref: 1001678A

Part of subcall function 100160B6: RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,00000000,0000007E,?,100168A5,80000000,http\shell,10021B38), ref: 100160CF
Part of subcall function 100160B6: RegDeleteValueW.ADVAPI32(00000000,?,?,100168A5,80000000,http\shell,10021B38), ref: 100160E5
Part of subcall function 100160B6: RegCloseKey.ADVAPI32(00000000,?,100168A5,80000000,http\shell,10021B38), ref: 100160EE

Strings

NoBrowserOptions, xrefs: 10016790
Software\Policies\Microsoft\Internet Explorer\Restrictions, xrefs: 10016795
Software\Policies\Microsoft\Internet Explorer\Control Panel, xrefs: 10016784

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Delete$CloseOpenValue
String ID: NoBrowserOptions$Software\Policies\Microsoft\Internet Explorer\Control Panel$Software\Policies\Microsoft\Internet Explorer\Restrictions
API String ID: 2185037004-3598548959
Opcode ID: 2a29540298c0b6ad5e0671fa69c6d015ca9458429a3cb0d0d9e8b266ca945de9
Instruction ID: a63a250163a983d69b6565fcce49317771ce084218ef222928d0eafe996f0884
Opcode Fuzzy Hash: 2a29540298c0b6ad5e0671fa69c6d015ca9458429a3cb0d0d9e8b266ca945de9
Instruction Fuzzy Hash: B6C08C2E42163032D201E2603C04CCB1149CB2D220B810061F600A0000D318879101D7

Function 10015413 Relevance: 6.3, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 10015458
free.MSVCRT ref: 1001545B
free.MSVCRT ref: 1001546A
free.MSVCRT ref: 1001546D
free.MSVCRT ref: 10015479

Part of subcall function 10015A13: GetFileAttributesW.KERNEL32(10015409,00000000), ref: 10015A22
Part of subcall function 10015A13: SetFileAttributesW.KERNEL32(10015409,00000080), ref: 10015A35
Part of subcall function 10015A13: _wfopen.MSVCRT ref: 10015A41

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: free$AttributesFile$_wfopen
String ID:
API String ID: 3686464801-0
Opcode ID: 54f3a599b86664fed80b5868c1afe6615c382c7f21e9f198f77728a7595305df
Instruction ID: 728833ec6f66aa55e4edee72c864e908bd8ad8ac5afeed8e28e495a47f327954
Opcode Fuzzy Hash: 54f3a599b86664fed80b5868c1afe6615c382c7f21e9f198f77728a7595305df
Instruction Fuzzy Hash: 3C019E32104319DFD760EF55D880B8AB3E8EF88626F15841EE5885F161CB76EC84CAA1

Function 10003597 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 100152C1: malloc.MSVCRT ref: 100152D6

Part of subcall function 10015571: wcschr.MSVCRT ref: 100155B2
Part of subcall function 10015571: _snwprintf.MSVCRT ref: 100155E3
Part of subcall function 10015571: wcslen.MSVCRT ref: 100155F4
Part of subcall function 10015571: _snwprintf.MSVCRT ref: 10015615
Part of subcall function 10015571: wcslen.MSVCRT ref: 10015623

memset.MSVCRT ref: 10003651

Part of subcall function 10003310: _snwprintf.MSVCRT ref: 10003340
Part of subcall function 10003310: _snwprintf.MSVCRT ref: 10003412
Part of subcall function 10003310: _snwprintf.MSVCRT ref: 1000346A
Part of subcall function 10003310: _snwprintf.MSVCRT ref: 10003479

memset.MSVCRT ref: 1000369C
memset.MSVCRT ref: 100036AB

Strings

main, xrefs: 10003608, 10003620, 100036C9

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintf$memset$wcslen$mallocwcschr
String ID: main
API String ID: 1146620783-3207122276
Opcode ID: 8b3a417c99674701a6c0813b9882c8e0869863acd586478fb7949c8792318c38
Instruction ID: 041cce7aafc5b467a93ad4a638a7e49255deec92f51170d86f114ff5dea15cfd
Opcode Fuzzy Hash: 8b3a417c99674701a6c0813b9882c8e0869863acd586478fb7949c8792318c38
Instruction Fuzzy Hash: 974102B690021CBBDB11CA94CC85EDFB7BDEB08244F5045A6B905E7251EA71AF848B94

Function 10004F0D Relevance: 6.1, APIs: 4, Instructions: 119threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10004F12
GetCurrentThreadId.KERNEL32 ref: 10004F27

Part of subcall function 1000F470: EnterCriticalSection.KERNEL32(1007A514,?,?,10004F38,00000000), ref: 1000F47B
Part of subcall function 1000F470: LeaveCriticalSection.KERNEL32(1007A514,?,?,10004F38,00000000), ref: 1000F4A4

PostMessageW.USER32(?,00000500,00000000,00000000), ref: 10004F7F
CallNextHookEx.USER32(?,?,?,?), ref: 10005075

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CallCurrentEnterH_prologHookLeaveMessageNextPostThread
String ID:
API String ID: 3721156593-0
Opcode ID: 99518e98d9947035fc1aefee83b65c3cddbd83921866f05ceada6ffad7ede8d0
Instruction ID: 2d5f1b68a2858188a15c89f92262c87e5fc596a2c5bd79b9f63259139fdc69cc
Opcode Fuzzy Hash: 99518e98d9947035fc1aefee83b65c3cddbd83921866f05ceada6ffad7ede8d0
Instruction Fuzzy Hash: 43419071900742EFEB20CF54C984BAEBBF5FB04395F61842DE665A6094CB72AD90CB91

Function 1000B3CB Relevance: 6.1, APIs: 4, Instructions: 89fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000001,?,?,00000000,?,?,?,?,?,?,1000A27D,?,?,?,74DF23A0,?), ref: 1000B428
GetLastError.KERNEL32(?,1000A27D,?,?,?,74DF23A0,?,?,100099DF,?,?,?,?,?,?,?), ref: 1000B433
WriteFile.KERNEL32(00000001,?,?,00000000,00000000,?,1000A27D,?,?,?,74DF23A0,?,?,100099DF,?,?), ref: 1000B451
WriteFile.KERNEL32(00000001,?,?,00000000,00000000,?,?,?,?,?,?,1000A27D,?,?,?,74DF23A0), ref: 1000B494

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$Write$ErrorLastPointer
String ID:
API String ID: 3001789091-0
Opcode ID: d7676b7c02a0d10a407519007ec7acbf5a7cdc896dab27b157320c0e346ba828
Instruction ID: 16b19bf1761a709678e43bd1c805c9542e509296676c90ca0fe0377034a7000c
Opcode Fuzzy Hash: d7676b7c02a0d10a407519007ec7acbf5a7cdc896dab27b157320c0e346ba828
Instruction Fuzzy Hash: A2316A71601A05EFEB54CF54C984A9ABBFAFF00794F14812AE9098B256D734EE44CBA0

Function 100092D2 Relevance: 6.1, APIs: 4, Instructions: 63networkCOMMON

Download Yara Rule

APIs

InternetQueryOptionW.WININET(00000000,00000049,00000002,?), ref: 100092FD
InternetSetOptionW.WININET(00000000,00000049,00000002,?), ref: 1000931F
InternetQueryOptionW.WININET(00000000,00000049,00000002,?), ref: 1000933E
InternetSetOptionW.WININET(00000000,00000049,00000002,?), ref: 1000935A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOption$Query
String ID:
API String ID: 600136097-0
Opcode ID: 944285d054305b448810e5c33d3d97783e7fc9b676d23be2fc87bfb7f2cf4e96
Instruction ID: c8d39f0c5653213c93f4fd65291542629187c59c8694ed4f566ed4ef53124539
Opcode Fuzzy Hash: 944285d054305b448810e5c33d3d97783e7fc9b676d23be2fc87bfb7f2cf4e96
Instruction Fuzzy Hash: 3811FEB6600618BFEB50DF91CC85FDE77ACEF44B90F108026FA09DB180D674EA458BA5

Function 1000DF77 Relevance: 6.1, APIs: 4, Instructions: 52timewindowCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 1000DF9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 1000DFAA
CommitUrlCacheEntryW.WININET(?,?,?,?,?,?,00000001,00000000,00000000,00000000,00000000), ref: 1000DFD0
PostMessageW.USER32(00000000,00001405,?,?), ref: 1000DFEC

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Time$System$CacheCommitEntryFileMessagePost
String ID:
API String ID: 3943306583-0
Opcode ID: 5c2356d1ac8348fc606a0171e2c158a9c75b666a02ad72581b4c66ad773f395b
Instruction ID: b72b9b03d2c5893916cb4c5e4b22c72498361d9875ef1c91806954bb28a37842
Opcode Fuzzy Hash: 5c2356d1ac8348fc606a0171e2c158a9c75b666a02ad72581b4c66ad773f395b
Instruction Fuzzy Hash: 5101173290021ABBEF11EFE18C49CDF7BBDEB8A751F00C426F612D6050D6719685CBA1

Function 10017B1B Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,100D6860,00000104,?), ref: 10017B40
wcslen.MSVCRT ref: 10017B47
wcsstr.MSVCRT ref: 10017B68
wcsstr.MSVCRT ref: 10017B76

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcsstr$LoadStringwcslen
String ID:
API String ID: 3304469301-0
Opcode ID: ccc6ae8f7bb507219f7088696b688d1df40c046114b27607a6734b4c60848796
Instruction ID: 04d1299f703a22a4e31740bfb66b33e651be487b136666ed97dc29bbd5f37429
Opcode Fuzzy Hash: ccc6ae8f7bb507219f7088696b688d1df40c046114b27607a6734b4c60848796
Instruction Fuzzy Hash: BE01A236209269ABE304DF85ECC4F9777ACFB86362B11016AFA0497150DB75EC808761

Function 10014F52 Relevance: 6.0, APIs: 4, Instructions: 50memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(000000E9,00000200,?,000000E9,00000000,?,?,?,10015002,000000E9,?,1000F3E0,?,1000F3E0,?,000000E9), ref: 10014F78
VirtualProtect.KERNEL32(000000E9,00000200,000000E9,000000E9,?,10015002,000000E9,?,1000F3E0,?,1000F3E0,?,000000E9,00000005), ref: 10014FA3
GetCurrentProcess.KERNEL32(00000000,?,?,?,10015002,000000E9,?,1000F3E0,?,1000F3E0,?,000000E9,00000005), ref: 10014FA7
WriteProcessMemory.KERNEL32(00000000,000000E9,?,1000F3E0,00000000,?,10015002,000000E9,?,1000F3E0,?,1000F3E0,?,000000E9,00000005), ref: 10014FB9

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessProtectVirtual$CurrentMemoryWrite
String ID:
API String ID: 2659437903-0
Opcode ID: 2438b94d9f815868a6af8cd192c0e455f6870a5e3d106a83dd56a154e653544b
Instruction ID: 2310c2540bfbd25e4f0fddfd5a67da0945f044898a925afd4da92723509029b4
Opcode Fuzzy Hash: 2438b94d9f815868a6af8cd192c0e455f6870a5e3d106a83dd56a154e653544b
Instruction Fuzzy Hash: C301253560025ABFDF019F61CC84E9A7FADEB89790F118429FE048B261C631D5558B60

Function 1000C681 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 1000C5BB: GetModuleFileNameW.KERNEL32(?,?,00000104,759A5720), ref: 1000C5D5
Part of subcall function 1000C5BB: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 1000C5F2
Part of subcall function 1000C5BB: wcslen.MSVCRT ref: 1000C5FF
Part of subcall function 1000C5BB: _snwprintf.MSVCRT ref: 1000C647

wcscpy.MSVCRT ref: 1000C6C9
PathCombineW.SHLWAPI(?,?,00000000), ref: 1000C6E1
wcslen.MSVCRT ref: 1000C6EE
wcscat.MSVCRT ref: 1000C707

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathwcslen$CombineFileModuleShort_snwprintfwcscatwcscpy
String ID:
API String ID: 1985362433-0
Opcode ID: a772aa4d5e4757e84c685d5d6be120cd784f8d01f193f533954d972be1490265
Instruction ID: 20d10d4531baabad9338148e0747518a539ca8da3ee8b87150a8da3a8bf3ffdb
Opcode Fuzzy Hash: a772aa4d5e4757e84c685d5d6be120cd784f8d01f193f533954d972be1490265
Instruction Fuzzy Hash: B5017172904728AAEB20DB54CC89FDB77BCFF40354F008065F615A20A1EBB4AAC5CB94

Function 1000F519 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(1007A514,00000000), ref: 1000F52D
UnhookWindowsHookEx.USER32(?), ref: 1000F563
memset.MSVCRT ref: 1000F56E
LeaveCriticalSection.KERNEL32(1007A514), ref: 1000F57E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterHookLeaveUnhookWindowsmemset
String ID:
API String ID: 298641776-0
Opcode ID: 92e8c1cd53a32c4a13dce87e28b52c7ea5f7a5970ac552d7f0d058bba8d79511
Instruction ID: 1f7158023e3d2e854e777c46f86a90348e28a589ad0eed010969323eef0045a0
Opcode Fuzzy Hash: 92e8c1cd53a32c4a13dce87e28b52c7ea5f7a5970ac552d7f0d058bba8d79511
Instruction Fuzzy Hash: 1DF0D1722006119FF310DF24DC84FAA33A9FB88295F50890DE617E6145C770E982D750

Function 100117DB Relevance: 6.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 100117EB
SetTextColor.GDI32(?,00000000), ref: 100117F6
strrchr.MSVCRT ref: 10011802
DrawTextA.USER32(?,00000001,000000FF,?,00008025), ref: 1001181E

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Text$ColorCopyDrawRectstrrchr
String ID:
API String ID: 769265739-0
Opcode ID: 012eff37553705a00ce02045900f56e5b040f1d147ef9d2f3804f6f5fcf100be
Instruction ID: 4431bc766dab6759251dce873ba85ca7e80300c8a923a95ffd31999b1b9798da
Opcode Fuzzy Hash: 012eff37553705a00ce02045900f56e5b040f1d147ef9d2f3804f6f5fcf100be
Instruction Fuzzy Hash: EAF04976400219BBEF15ABA0CC09EEA7B6CFB18350F10C515FA66990E0EB71E650CB90

Function 1000EFE6 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000EFEB
EnterCriticalSection.KERNEL32(?,00000002,?,10011CD7,?,00000030,?,00000030,00000000,?,?,00000002,00000000,00000000), ref: 1000EFFC
LeaveCriticalSection.KERNEL32(?,?,?,10011CD7,?,00000030,?,00000030,00000000,?,?,00000002,00000000,00000000), ref: 1000F02D
SetEvent.KERNEL32(?,?,10011CD7,?,00000030,?,00000030,00000000,?,?,00000002,00000000,00000000), ref: 1000F036

Part of subcall function 100029C4: InterlockedDecrement.KERNEL32(-000000F4), ref: 100029D8

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DecrementEnterEventH_prologInterlockedLeave
String ID:
API String ID: 3667443071-0
Opcode ID: 3eea3c55df7c70b78921099061c13f1739ea02b29de298aba2b0b38c44a17b4e
Instruction ID: 053518a9ee2cf63998b97e64fce2a17555745cc776e305e1629f984635053eda
Opcode Fuzzy Hash: 3eea3c55df7c70b78921099061c13f1739ea02b29de298aba2b0b38c44a17b4e
Instruction Fuzzy Hash: 2F0125359006059FDB20CFA8C985A8ABBF4FF48310F40891AF856C3A90D774F545CF60

Function 1000E379 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000E391
wcscpy.MSVCRT ref: 1000E3AF
wcscpy.MSVCRT ref: 1000E3C3
EnumChildWindows.USER32(?,Function_0000E295,?), ref: 1000E3D6

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcscpy$ChildEnumWindowsmemset
String ID:
API String ID: 80078839-0
Opcode ID: 675d591719625e0c540d4efd300449ea3c3be2b1dd234c3d3f74b260589573d4
Instruction ID: c63dd7e5767eb40d2ba9a68a534c229986762e867c927c1c7deed7c872230e87
Opcode Fuzzy Hash: 675d591719625e0c540d4efd300449ea3c3be2b1dd234c3d3f74b260589573d4
Instruction Fuzzy Hash: DCF04F7180022CABEF119B50DC09BD97BACEB00354F008062FA15A6091E775EBD8CF95

Function 1000EC13 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(1007A0D4,?,?,?,1000428E), ref: 1000EC1C
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,1000428E), ref: 1000EC2F
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,1000428E), ref: 1000EC38
_beginthreadex.MSVCRT ref: 1000EC4A

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection_beginthreadex
String ID:
API String ID: 3001727292-0
Opcode ID: 0147e2f2c335f293a73d776cfe97694aee87d29344fb894e9a8ba5f9e855bd2a
Instruction ID: 8821e77aefa35350f15f3006c9c4e65ee760b8b59ad6ac87257186a1aaa5189a
Opcode Fuzzy Hash: 0147e2f2c335f293a73d776cfe97694aee87d29344fb894e9a8ba5f9e855bd2a
Instruction Fuzzy Hash: 2CF015B28002907AE2309B668CCCCA7BABCEBCBB10300892EF60682100D670A804CA70

Function 100013ED Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 100013F8
StringFromCLSID.OLE32(?,00000000), ref: 10001411
_snwprintf.MSVCRT ref: 1000142E
CoTaskMemFree.OLE32(00000000), ref: 10001440

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CreateFreeFromGuidStringTask_snwprintf
String ID:
API String ID: 1080326307-0
Opcode ID: a849a7a7371c12c68061798a3893abe0b1737f32964c3f7075b1b00c880e89cb
Instruction ID: 874b33e0c94b33b3317a6dce0485c6a1d11eac4402c635734f4ac1634472fae5
Opcode Fuzzy Hash: a849a7a7371c12c68061798a3893abe0b1737f32964c3f7075b1b00c880e89cb
Instruction Fuzzy Hash: 99F0F976800219FBEB01DB94CD49ADEB7BCFF44316F108065E902A3050E774AB19DBA5

Function 10016CD9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 10016CEC
wcslen.MSVCRT ref: 10016D02
lstrlenW.KERNEL32(000000FF,000000FF), ref: 10016D0E

Strings

:^:, xrefs: 10016CE6

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlenwcslenwcsstr
String ID: :^:
API String ID: 2850465286-881397820
Opcode ID: 1463a024aa1fe27ec4153304cb1fcaae87538cbcc1bbc943543b305f874550bd
Instruction ID: 4aef44abafdaadaaac31a5f0962cddff897f8277af602b97fbb6dc8b0a1a2eb5
Opcode Fuzzy Hash: 1463a024aa1fe27ec4153304cb1fcaae87538cbcc1bbc943543b305f874550bd
Instruction Fuzzy Hash: 21E0A033608321ABD7528B98EC4485BBBB8FFC57A1B01482DF98083114CB30D441D791

Function 100138C1 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

wcsrchr.MSVCRT ref: 100138CF
wcsrchr.MSVCRT ref: 100138D9
wcslen.MSVCRT ref: 100138ED
memmove.MSVCRT(00000000,00000002,?), ref: 100138FF

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: wcsrchr$memmovewcslen
String ID:
API String ID: 3019260065-0
Opcode ID: a60d1f96e876bb57845dfdbac14ffdc9ab5888d8cbdd016409d8c51adba032da
Instruction ID: 7cd40cb99d6967512fafb1f37ba955f2727b7dba68276a3d932092ee7ed1c066
Opcode Fuzzy Hash: a60d1f96e876bb57845dfdbac14ffdc9ab5888d8cbdd016409d8c51adba032da
Instruction Fuzzy Hash: 53E0E5316441267BEB14DB109C49D9B3FA8EF80351B068466F5088F161D770D995CBA2

Function 10011E73 Relevance: 6.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 10011E76
CreateSolidBrush.GDI32(00000000), ref: 10011E7D
FillRect.USER32(?,?,00000000), ref: 10011E92
DeleteObject.GDI32(00000000), ref: 10011E99

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: BrushColorCreateDeleteFillObjectRectSolid
String ID:
API String ID: 1811745850-0
Opcode ID: 9c5b81fac18ea106082ada16998f1d9610bc07ba5359ffdeadfd5c2ba683bd3c
Instruction ID: 5a958bedf34287bdf1b5a69f4d7629fedc8d316261a512c49f00b3d39e145599
Opcode Fuzzy Hash: 9c5b81fac18ea106082ada16998f1d9610bc07ba5359ffdeadfd5c2ba683bd3c
Instruction Fuzzy Hash: 55D05E32402731AFD7125BA09C4C9DF3E64FF48661F004804F91992060C730CA44CB93

Function 10001667 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000166C

Part of subcall function 1000F770: __EH_prolog.LIBCMT ref: 1000F775

GetPropW.USER32(?,ADFILTER_PTR), ref: 10001744

Strings

ADFILTER_PTR, xrefs: 1000173C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog$Prop
String ID: ADFILTER_PTR
API String ID: 3695378956-1201213848
Opcode ID: f4e57210bf26ee43b81dc2925d37abb2e37326b8f03abaf7b1d432eee2f32ce9
Instruction ID: b286a9fbf21533829c28ea9b3a462f9b1ba9451730a8abe04f787b94551e631b
Opcode Fuzzy Hash: f4e57210bf26ee43b81dc2925d37abb2e37326b8f03abaf7b1d432eee2f32ce9
Instruction Fuzzy Hash: 2E412A75A0024AEFDB00CFD8C8849EEBBB9FF48285B10846DE509EB251C7359E45CB60

Function 100067DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100067E1

Part of subcall function 1000F770: __EH_prolog.LIBCMT ref: 1000F775

SysFreeString.OLEAUT32(00000000), ref: 100068B2

Strings

`<u, xrefs: 100068B2

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog$FreeString
String ID: `<u
API String ID: 397689101-3367579956
Opcode ID: 849ee1825a5a5fe19b236ee11a4047ebd72abe6cfa83231c705fba73629dc7ba
Instruction ID: 0549d1d58398f04970a67744cc6584c9567565787d38ea093e334f41b4fc8443
Opcode Fuzzy Hash: 849ee1825a5a5fe19b236ee11a4047ebd72abe6cfa83231c705fba73629dc7ba
Instruction Fuzzy Hash: 3C417F71D00249EFEF00CF94C8859AEBBB5FF48394F20816EE405A7241CB359E45CB61

Function 1000C92E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 1000C94D
wcscpy.MSVCRT ref: 1000C9E3

Strings

L, xrefs: 1000C970

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: _snwprintfwcscpy
String ID: L
API String ID: 999028693-2909332022
Opcode ID: a3d80d00b802d0f160f737f279606534b1410e3be8ef31e15d62ef3c312017b5
Instruction ID: 4d6b723d2e5cbd023fa4fbb743ee3dd241399ff6390101c1f70114d94c89c298
Opcode Fuzzy Hash: a3d80d00b802d0f160f737f279606534b1410e3be8ef31e15d62ef3c312017b5
Instruction Fuzzy Hash: 0D21CCB5D1121EAFDB50CFA8D984ADEBBF4FF08794F10412AE914E3240E7749A858F94

Function 1000E56A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 1000E5C7
SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,?,00000208), ref: 1000E5ED

Part of subcall function 1000E430: _snwprintf.MSVCRT ref: 1000E47F
Part of subcall function 1000E430: SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,1000E60A,00000103), ref: 1000E4A3
Part of subcall function 1000E430: _snwprintf.MSVCRT ref: 1000E4BD
Part of subcall function 1000E430: SHGetValueW.SHLWAPI(80000000,00000000,00000000,00000001,1000E60A,00000103), ref: 1000E4DE

Strings

%s\CLSID, xrefs: 1000E5A4

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Value_snwprintf
String ID: %s\CLSID
API String ID: 1829442792-2182714705
Opcode ID: 4d98526f8aed4bd7f8e56244cb9dacbfd6071941ffd663f592363d7051a031b6
Instruction ID: eccf7f8de9e95eb223f9bbffda6ed30e5586416666c3f42a174148cfa12a68d5
Opcode Fuzzy Hash: 4d98526f8aed4bd7f8e56244cb9dacbfd6071941ffd663f592363d7051a031b6
Instruction Fuzzy Hash: 1111307290011CBBEF11CF94CC49BDA77B9FB44304F1085B5EA15E6190EBB1DB958B94

Function 1000CB92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000CBBE
_snwprintf.MSVCRT ref: 1000CBD8

Part of subcall function 10015E3C: EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,?), ref: 10015EAF
Part of subcall function 10015E3C: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015ED4
Part of subcall function 10015E3C: wcslen.MSVCRT ref: 10015EE5
Part of subcall function 10015E3C: _wtoi.MSVCRT(00000000), ref: 10015EF7

Strings

Gesture, xrefs: 1000CBEE

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterLeave_snwprintf_wtoimemsetwcslen
String ID: Gesture
API String ID: 199640887-1815970732
Opcode ID: 476d03b5ba7990595b887b8af97f5ad480d05649d628c9b00836e2ac32891e61
Instruction ID: 41ac02826677bf857e32522da1535ef296ab7b11c9778ce96d41a18c39c56fed
Opcode Fuzzy Hash: 476d03b5ba7990595b887b8af97f5ad480d05649d628c9b00836e2ac32891e61
Instruction Fuzzy Hash: BC014FB6900369ABEB10EB51CC89F9A73ACFB44245F600165FE58E6141E370AB858BA1

Function 10006BFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 10006C0A
FindWindowExW.USER32(?,00000000,msctls_statusbar32,00000000), ref: 10006C45

Strings

msctls_statusbar32, xrefs: 10006C3C

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: Window$Find
String ID: msctls_statusbar32
API String ID: 3232775697-4095915827
Opcode ID: b7f97a6638158f456610427a18c21e6c94e41c57bac8ba6560eac5d6f440f477
Instruction ID: 7037a283e417363306352b699d51ee39c1403e0111106ec727bae359c4c196d0
Opcode Fuzzy Hash: b7f97a6638158f456610427a18c21e6c94e41c57bac8ba6560eac5d6f440f477
Instruction Fuzzy Hash: 11014CB0800605EFEB10DF65CD888AFFBF8EF84344B10856EE456A7210E770AA05DF60

Function 1000AD56 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

HttpQueryInfoW.WININET(?,00000001,?,74DF23A0,74DF23A0), ref: 1000ADA5
wcscmp.MSVCRT ref: 1000ADBC

Strings

application/metalink+xml, xrefs: 1000ADB6

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: HttpInfoQuerywcscmp
String ID: application/metalink+xml
API String ID: 3363685527-3170905041
Opcode ID: 2df28c25f1d1fee77d14060ca497ade46d0faee1aa5c4a9313b4c3c88517909e
Instruction ID: 3d1158b67c09534a98b6a110f7bb0cd4c0c13157872bbe180123b2efe3c15d66
Opcode Fuzzy Hash: 2df28c25f1d1fee77d14060ca497ade46d0faee1aa5c4a9313b4c3c88517909e
Instruction Fuzzy Hash: 9501AD76600309AAFB10CBA4CC48FDA73BDEF54351F20826AE516D6054EB70DA81CB54

Function 100172EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,rename), ref: 10017301
MoveFileExW.KERNEL32(?,?,00000005,rename), ref: 10017336

Part of subcall function 10016E90: DeleteFileW.KERNEL32(00000000,10017314,?,00000000), ref: 10016E9B

Strings

rename, xrefs: 100172F5

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: File$CopyDeleteMove
String ID: rename
API String ID: 2003877678-3650966606
Opcode ID: 864619ed8c1d2f1735fca7a94a392bd6be3de1269c2f8dc71f00195e303ba3f9
Instruction ID: 21649885522f2d2ef42f1958c7251298ddf6d494eac7dd4a8aea0f6f99d639f8
Opcode Fuzzy Hash: 864619ed8c1d2f1735fca7a94a392bd6be3de1269c2f8dc71f00195e303ba3f9
Instruction Fuzzy Hash: 7AF0B436144205FBE725DE409C45B6E37FAFB40B22F204019FD299C0D1DB70E2C1B614

Function 1000CC1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000CC44
_snwprintf.MSVCRT ref: 1000CC5E

Part of subcall function 10015F70: _snwprintf.MSVCRT ref: 10015FD9
Part of subcall function 10015F70: EnterCriticalSection.KERNEL32(100D51D0), ref: 10015FF7
Part of subcall function 10015F70: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10016017

Strings

Gesture, xrefs: 1000CC72

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection_snwprintf$EnterLeavememset
String ID: Gesture
API String ID: 496235497-1815970732
Opcode ID: 2be7c6bcf7da4cb972f576438b353ac9aa838afb57c04037b221d31edc5e46ce
Instruction ID: c2bf9ade1207c1ef6867f45b954ce7b735f198167e843ba9855bf45527f92b86
Opcode Fuzzy Hash: 2be7c6bcf7da4cb972f576438b353ac9aa838afb57c04037b221d31edc5e46ce
Instruction Fuzzy Hash: 4EF0B476900328BBEB60E690DC4AFCB776CFB04644F400265FE98E6151E670A7C58BE1

Function 100031A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

time.MSVCRT(?), ref: 100031B5

Part of subcall function 10015E3C: EnterCriticalSection.KERNEL32(100D51D0,00000000,80000001,?), ref: 10015EAF
Part of subcall function 10015E3C: LeaveCriticalSection.KERNEL32(100D51D0), ref: 10015ED4
Part of subcall function 10015E3C: wcslen.MSVCRT ref: 10015EE5
Part of subcall function 10015E3C: _wtoi.MSVCRT(00000000), ref: 10015EF7

GetTickCount.KERNEL32 ref: 100031D3

Strings

LastCheckUpdate, xrefs: 100031C4

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CountEnterLeaveTick_wtoitimewcslen
String ID: LastCheckUpdate
API String ID: 2179317918-193840331
Opcode ID: 761877b41f33ebf4442d6d0365bc3af77f6c3296e05ae829d7488b5bcc9cd7d3
Instruction ID: e911987981f0610aa1bff72d9993dc3ca463d11b36a4887cc865ccc3fe7e3d73
Opcode Fuzzy Hash: 761877b41f33ebf4442d6d0365bc3af77f6c3296e05ae829d7488b5bcc9cd7d3
Instruction Fuzzy Hash: BFF08C72A10118BFFB09C7A4CC8BBCE77AEEB84349F148061F201E6084DAB1EB904661

Function 10006D35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000104), ref: 10006D4D
wcscmp.MSVCRT ref: 10006D63

Part of subcall function 10006D1F: PostMessageW.USER32(00000501,00000501,00000000,?), ref: 10006D2E

Strings

IESuperWnd, xrefs: 10006D5D

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ClassMessageNamePostwcscmp
String ID: IESuperWnd
API String ID: 3932178447-860704587
Opcode ID: 2cccc29081e418b9173362020ee2b3770257b45d1fbb40304e3769acef5832ce
Instruction ID: a0e791b123889555c27aeab8fbab17f32c413f99371a41cd4dd39604b883ae7c
Opcode Fuzzy Hash: 2cccc29081e418b9173362020ee2b3770257b45d1fbb40304e3769acef5832ce
Instruction Fuzzy Hash: 8DE01236604209BFFF40DB60DC49ADA3BB9EB08394F204167F654D90E1EFB5D995CA90

Function 100169F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000103), ref: 10016A27
_snwprintf.MSVCRT ref: 10016A42

Strings

res://%s/%s, xrefs: 10016A37

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleName_snwprintf
String ID: res://%s/%s
API String ID: 412489677-2322498915
Opcode ID: ec448c62440caf962f3da11ec1f920ddd3be8e39e8305833711e570aa633aab8
Instruction ID: 5b954d9dcb27bc18d81908b1ccc15b36107a7fef5da5e994538a31ae0257a958
Opcode Fuzzy Hash: ec448c62440caf962f3da11ec1f920ddd3be8e39e8305833711e570aa633aab8
Instruction Fuzzy Hash: 39F06536400218BFEF519F58DC49EDA7BB9FB44304F4042A5FA55A1071DA719AA5CB40

Function 1001734A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000,00000000,10007799,?,00000104,00000000,OptionLast,80000001), ref: 10017359
wcscat.MSVCRT ref: 10017365

Strings

\internet explorer\iexplore.exe, xrefs: 1001735F

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: FolderPathSpecialwcscat
String ID: \internet explorer\iexplore.exe
API String ID: 3186554317-1952367867
Opcode ID: 256773cc9c9bd580dd74f057950c8172fe19efd25ffd53d841b0dbf37f4f090d
Instruction ID: b2806212f28b72c87c1e51e6fd97b3884ba3d72f1f8cbd53c9f9e924791f1e97
Opcode Fuzzy Hash: 256773cc9c9bd580dd74f057950c8172fe19efd25ffd53d841b0dbf37f4f090d
Instruction Fuzzy Hash: D1D0127681A331BEFA109B54BC49EEB7BECEF09360B14444AF545D3050D731A84087AD

Function 10014E8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,canot copy high memory error.,00000000,00000010), ref: 10014E9A
ExitProcess.KERNEL32 ref: 10014EA2

Strings

canot copy high memory error., xrefs: 10014E93

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: ExitMessageProcess
String ID: canot copy high memory error.
API String ID: 1220098344-1817938031
Opcode ID: 68e34c40111d86ccfe93de37309a3d0c3d6f2654ee4ff94c8e5407d7ddbd6ec1
Instruction ID: dbbd3d4bd4c08f37eb215c9dba4b778fbc396473d5f791607b515c3ca53157f6
Opcode Fuzzy Hash: 68e34c40111d86ccfe93de37309a3d0c3d6f2654ee4ff94c8e5407d7ddbd6ec1
Instruction Fuzzy Hash: 05C09B3128831477F55157958C4AF8437189705B36F544710F735540D1C7E170908556

Function 10016C29 Relevance: 5.1, APIs: 4, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10016C39
memset.MSVCRT ref: 10016C84

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memsetstrlen
String ID:
API String ID: 841943882-0
Opcode ID: da896bbacef6f6be44cf814b9d7e80fe7413b3af25866e0cb4177f03ccd64fe4
Instruction ID: c566d17f73647c56e479447fa3dbac9b3a2a6b0aff0e68f3ad9a2105d1607d0a
Opcode Fuzzy Hash: da896bbacef6f6be44cf814b9d7e80fe7413b3af25866e0cb4177f03ccd64fe4
Instruction Fuzzy Hash: 7701497270455A1DE721C9689C82BBB179EDB4D1D4F510029F4C2CE102E631EDCA45E5

Function 1000C47B Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,1001AE84,00000010), ref: 1000C491
memcmp.MSVCRT(?,1001AE94,00000010), ref: 1000C4AC
memcmp.MSVCRT(?,1001AE74,00000010), ref: 1000C4C0

Memory Dump Source

Source File: 00000006.00000002.1918813477.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.1918795538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918840483.0000000010019000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918924548.00000000100D7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_rundll32.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 16ba2a11e8d5d99c6f68726acfbdd4a9e2c1421422a461f76bd8243a5ed848af
Instruction ID: 3e8743cb3ab9d1cad813f78502c8f184c0869c059a20b30c80fb668328bef18d
Opcode Fuzzy Hash: 16ba2a11e8d5d99c6f68726acfbdd4a9e2c1421422a461f76bd8243a5ed848af
Instruction Fuzzy Hash: B601B57264030E67E710DB24CC12FAA33D8EB556A1F00442CFE86EA246F6BDEDD19355

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rcM4Cx31Iy.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_9bba6880298fd69bbd62a2e3ccc3e1353d16d6bf_7522e4b5_bd184202-64a7-4a1b-9a9d-c8d614e36535\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC00F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0BC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0EC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
rcM4Cx31Iy.dll

Function 10004316 Relevance: 3.8, APIs: 3, Instructions: 56
COMMON

Function 10013F56 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 196
clipboardkeyboardmemoryCOMMON

Function 1000BA33 Relevance: 42.4, APIs: 14, Strings: 10, Instructions: 355
commemoryfileCOMMON

Function 1000A9BE Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 195
COMMON

Function 100130CF Relevance: 49.3, APIs: 15, Strings: 13, Instructions: 335
COMMON

Function 10015006 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 248
stringCOMMON