Edit tour

Windows Analysis Report
TsLvuUO.dll

Overview

General Information

Sample name:	TsLvuUO.dll
Analysis ID:	1502267
MD5:	edd94a0a267df670b90f41c127f9dd6a
SHA1:	bd0005769a9392a922030793b1e88900a808f22a
SHA256:	00db74544ae4d92774a3008a5ee322577dab2a53bcb2eb9003e88af617f3b495
Tags:	dll
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Overwrites Mozilla Firefox settings

Performs DNS queries to domains with low reputation

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1408 cmdline: loaddll32.exe "C:\Users\user\Desktop\TsLvuUO.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6552 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6544 cmdline: rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7160 cmdline: rundll32.exe C:\Users\user\Desktop\TsLvuUO.dll,#1 MD5: 889B99C52A60DD49227C5E485A016679)

schtasks.exe (PID: 3620 cmdline: schtasks /END /TN "WYKSCfYVrwsdWpT" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5408 cmdline: schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2700 cmdline: schtasks /END /TN "WYKSCfYVrwsdWpT2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4476 cmdline: schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4180 cmdline: schtasks /END /TN "nfblQVJFwWHDFj" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3172 cmdline: schtasks /DELETE /F /TN "nfblQVJFwWHDFj" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7060 cmdline: schtasks /END /TN "YGYYnsbMowvpr" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1216 cmdline: schtasks /DELETE /F /TN "YGYYnsbMowvpr" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3128 cmdline: schtasks /END /TN "YGYYnsbMowvpr2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3620 cmdline: schtasks /DELETE /F /TN "YGYYnsbMowvpr2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5408 cmdline: schtasks /END /TN "SfQlcfTRPgaddFhgU" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7044 cmdline: schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5612 cmdline: schtasks /END /TN "SfQlcfTRPgaddFhgU2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4024 cmdline: schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3664 cmdline: schtasks /END /TN "MBOKUVJttHMBWpgjMbJ" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6096 cmdline: schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2748 cmdline: schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6804 cmdline: schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 2300 cmdline: rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

schtasks.exe (PID: 2640 cmdline: schtasks /END /TN "WYKSCfYVrwsdWpT" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5628 cmdline: schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5440 cmdline: schtasks /END /TN "WYKSCfYVrwsdWpT2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6780 cmdline: schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4484 cmdline: schtasks /END /TN "nfblQVJFwWHDFj" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6020 cmdline: schtasks /DELETE /F /TN "nfblQVJFwWHDFj" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6628 cmdline: schtasks /END /TN "YGYYnsbMowvpr" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5584 cmdline: schtasks /DELETE /F /TN "YGYYnsbMowvpr" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2700 cmdline: schtasks /END /TN "YGYYnsbMowvpr2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5064 cmdline: schtasks /DELETE /F /TN "YGYYnsbMowvpr2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5888 cmdline: schtasks /END /TN "SfQlcfTRPgaddFhgU" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6048 cmdline: schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5252 cmdline: schtasks /END /TN "SfQlcfTRPgaddFhgU2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3924 cmdline: schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2072 cmdline: schtasks /END /TN "MBOKUVJttHMBWpgjMbJ" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4696 cmdline: schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4708 cmdline: schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TsLvuUO.dll

Avira: detected

Antivirus detection for URL or domain

Source: http://api2.check-data.xyz	Avira URL Cloud: Label: malware
Source: http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65	Avira URL Cloud: Label: malware
Source: http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	Avira URL Cloud: Label: malware
Source: http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E	Avira URL Cloud: Label: malware
Source: http://api4.check-data.xyz	Avira URL Cloud: Label: malware
Source: http://api5.check-data.xyz	Avira URL Cloud: Label: malware
Source: http://api.check-data.xyz	Avira URL Cloud: Label: malware
Source: http://api3.check-data.xyz	Avira URL Cloud: Label: malware
Source: http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: api4.check-data.xyz	Virustotal: Detection: 6%	Perma Link
Source: http://api4.check-data.xyz	Virustotal: Detection: 6%	Perma Link
Source: http://api2.check-data.xyz	Virustotal: Detection: 10%	Perma Link
Source: http://api5.check-data.xyz	Virustotal: Detection: 6%	Perma Link
Source: http://api.check-data.xyz	Virustotal: Detection: 6%	Perma Link
Source: http://api3.check-data.xyz	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for submitted file

Source: TsLvuUO.dll	ReversingLabs: Detection: 31%
Source: TsLvuUO.dll	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.2% probability

Source: TsLvuUO.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 44.232.42.242 80

Jump to behavior

Performs DNS queries to domains with low reputation

Source:

DNS query: api4.check-data.xyz

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic	HTTP traffic detected: GET /api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36Host: api4.check-data.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36Host: api4.check-data.xyzConnection: Keep-AliveCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36Host: api4.check-data.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36Host: api4.check-data.xyzConnection: Keep-AliveCache-Control: no-cache

Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php! equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php( equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.phpxW equals www.facebook.com (Facebook)

Source: global traffic

DNS traffic detected: DNS query: api4.check-data.xyz

Source: rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api.check-data.xyz
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api2.check-data.xyz
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api3.check-data.xyz
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api4.check-data.xyz
Source: rundll32.exe, 00000003.00000002.2224250627.00000000034EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr
Source: rundll32.exe, 00000006.00000002.2291425440.000000000319C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283310545.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291506390.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://api5.check-data.xyz
Source: rundll32.exe, 00000003.00000003.2211108860.00000000034D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: rundll32.exe, 00000003.00000003.2223174899.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291506390.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283310545.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: rundll32.exe, 00000003.00000003.2212333363.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283192574.0000000004CB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283339215.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282828895.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282587225.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291455240.00000000031BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/
Source: rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281413884.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281539995.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266367276.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: rundll32.exe, 00000006.00000003.2282587225.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281413884.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281539995.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxW
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: rundll32.exe, 00000003.00000003.2212333363.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283192574.0000000004CB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283339215.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282828895.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282587225.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291455240.00000000031BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.co
Source: rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2266015010.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.c
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: rundll32.exe, 00000003.00000003.2212333363.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283192574.0000000004CB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283339215.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282828895.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282587225.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291455240.00000000031BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release
Source: prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290120533.000000000311F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290221613.000000000312B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291320377.000000000312E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290544375.000000000312E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: rundll32.exe, 00000006.00000003.2282774739.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://screenshots.firefox.com/
Source: rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixeli
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: rundll32.exe, 00000006.00000003.2266015010.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/m/
Source: rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/s/
Source: rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281226958.0000000004D62000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290120533.000000000311F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290221613.000000000312B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291320377.000000000312E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290544375.000000000312E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore7
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2210277018.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2210033495.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraF
Source: rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraX
Source: rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: rundll32.exe, 00000003.00000003.2223174899.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2211108860.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2212784001.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281168576.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280948948.00000000031D2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281226958.0000000004D4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282427984.00000000031CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283310545.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291506390.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282774739.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/chromewebstore/v1.1/items/verify
Source: rundll32.exe, 00000003.00000003.2223174899.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2211108860.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2212784001.00000000034D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.00000000034A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/chromewebstore/v1.1/items/verify(
Source: rundll32.exe, 00000006.00000003.2281226958.0000000004D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/chromewebstore/v1.1/items/verifyl

Source: schtasks.exe

Process created: 53

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033EC786	3_2_033EC786
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E25BB	3_2_033E25BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E4590	3_2_033E4590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E4BDD	3_2_033E4BDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E7A3F	3_2_033E7A3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0340A242	3_2_0340A242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033F4213	3_2_033F4213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FA2E0	3_2_033FA2E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033F32C0	3_2_033F32C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FB1F2	3_2_033FB1F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E8060	3_2_033E8060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0340975E	3_2_0340975E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FB627	3_2_033FB627
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FF4BF	3_2_033FF4BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FA4B1	3_2_033FA4B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033DD4CD	3_2_033DD4CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033DBB9C	3_2_033DBB9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FEAFE	3_2_033FEAFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E8926	3_2_033E8926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FA9A5	3_2_033FA9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0340A9EA	3_2_0340A9EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E19F3	3_2_033E19F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033DA82A	3_2_033DA82A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03401875	3_2_03401875
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03406F64	3_2_03406F64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E7F15	3_2_033E7F15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033F2F72	3_2_033F2F72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E7E69	3_2_033E7E69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FADBD	3_2_033FADBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033E7C37	3_2_033E7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03409CD0	3_2_03409CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0340BCAE	3_2_0340BCAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_054D33B0	3_2_054D33B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_055433B0	4_2_055433B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D94590	6_2_04D94590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D925BB	6_2_04D925BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D9C786	6_2_04D9C786
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D97A3F	6_2_04D97A3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D94BDD	6_2_04D94BDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D8D4CD	6_2_04D8D4CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAF4BF	6_2_04DAF4BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAA4B1	6_2_04DAA4B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAB627	6_2_04DAB627
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DB975E	6_2_04DB975E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D98060	6_2_04D98060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAB1F2	6_2_04DAB1F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DA32C0	6_2_04DA32C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAA2E0	6_2_04DAA2E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DBA242	6_2_04DBA242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DA4213	6_2_04DA4213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DB9CD0	6_2_04DB9CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DBBCAE	6_2_04DBBCAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D97C37	6_2_04D97C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAADBD	6_2_04DAADBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D97E69	6_2_04D97E69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DA2F72	6_2_04DA2F72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DB6F64	6_2_04DB6F64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D97F15	6_2_04D97F15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DB1875	6_2_04DB1875
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D8A82A	6_2_04D8A82A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D919F3	6_2_04D919F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DBA9EA	6_2_04DBA9EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAA9A5	6_2_04DAA9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D98926	6_2_04D98926
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAEAFE	6_2_04DAEAFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04D8BB9C	6_2_04D8BB9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_052633B0	6_2_052633B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04DA8863 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 033FE620 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04DA92B8 appears 137 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 033F92B8 appears 137 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04DAE620 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 033F8863 appears 43 times

Source: TsLvuUO.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winDLL@101/4@1/1

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_PhpuzIakkdPWqpI
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H135405890
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H140366885
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H98778193
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\2_PhpuzIakkdPWqpI
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H106729660
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H5174114
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H82944746
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\1_H133321728
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03

Source: TsLvuUO.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Program Files\Mozilla Firefox\application.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TsLvuUO.dll,#1

Source: TsLvuUO.dll	ReversingLabs: Detection: 31%
Source: TsLvuUO.dll	Virustotal: Detection: 44%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\TsLvuUO.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TsLvuUO.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ2"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TsLvuUO.dll,#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: TsLvuUO.dll

Static file information: File size 6734848 > 1048576

Source: TsLvuUO.dll

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x5ebc00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033F92B8 push eax; ret	3_2_033F92D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_033FE665 push ecx; ret	3_2_033FE678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_054E64F0 push eax; ret	3_2_054E650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_054D3395 push ecx; ret	3_2_054D33A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_055564F0 push eax; ret	4_2_0555650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05543395 push ecx; ret	4_2_055433A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DAE665 push ecx; ret	6_2_04DAE678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DA92B8 push eax; ret	6_2_04DA92D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_052764F0 push eax; ret	6_2_0527650E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_05263395 push ecx; ret	6_2_052633A8

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_033FEAFE EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_033FEAFE

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_4-1364

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 8.6 %

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: rundll32.exe, 00000006.00000002.2291817732.0000000004C84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW,
Source: rundll32.exe, 00000003.00000003.2223174899.000000000352B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2223174899.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2211208837.000000000352B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2212333363.000000000352B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2211208837.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.000000000352B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2211006123.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2210277018.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2210893104.00000000034ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2210033495.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.00000000034EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.2224875185.0000000004FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-45737
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-1365
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_6-45783

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0340843C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_0340843C

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_0340843C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_03403440 GetProcessHeap,

3_2_03403440

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_03405C54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_03405C54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_054D11A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_054D11A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_055411A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_055411A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04DB5C54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_04DB5C54
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_052611A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_052611A4

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 44.232.42.242 80

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "nfblQVJFwWHDFj"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "YGYYnsbMowvpr"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "WYKSCfYVrwsdWpT2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_033FEDD9 cpuid

3_2_033FEDD9

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	3_2_054D2C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_054DE1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_free,_free,_free,	3_2_054D33B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	4_2_05542C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_0554E1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_free,_free,_free,	4_2_055433B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	6_2_05262C29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_0526E1C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __IsNonwritableInCurrentImage,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__calloc_crt,__invoke_watson,	6_2_052633B0

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0340578B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_0340578B

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempjgCdeX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempjgCdeX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnwhObf	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnwhObf	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnShBdn	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnShBdn	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempXMDGGl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempXMDGGl	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\scriptCache-child-current.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\webext.sc.lz4	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\urlCache.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempjgCdeX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCache	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\scriptCache-current.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempXMDGGl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnShBdn	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\scriptCache-child.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\urlCache-current.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\scriptCache.bin	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnwhObf	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCacheEYKKO\startupCache.8.little	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	21 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	111 Process Injection	LSASS Memory	51 Security Software Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	53 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TsLvuUO.dll	32%	ReversingLabs
TsLvuUO.dll	45%	Virustotal		Browse
TsLvuUO.dll	100%	Avira	HEUR/AGEN.1300638

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
checkdata-1114476139.us-west-2.elb.amazonaws.com	0%	Virustotal	Browse
api4.check-data.xyz	6%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://smartblock.firefox.etp/play.svg	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://drive-staging.corp.google.com/	0%	URL Reputation	safe
https://crash-reports.mozilla.com/submit?id=	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://drive-daily-2.corp.google.com/	0%	URL Reputation	safe
https://drive-autopush.corp.google.com/	0%	URL Reputation	safe
https://drive-daily-4.corp.google.com/	0%	URL Reputation	safe
https://drive-daily-1.corp.google.com/	0%	URL Reputation	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	0%	URL Reputation	safe
https://drive-daily-5.corp.google.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://drive-daily-6.corp.google.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-pixel	0%	URL Reputation	safe
https://drive-daily-0.corp.google.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://chromewebstore.google.com/	0%	URL Reputation	safe
https://drive-preprod.corp.google.com/	0%	URL Reputation	safe
http://api2.check-data.xyz	100%	Avira URL Cloud	malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0%	Avira URL Cloud	safe
https://sandbox.google.com/payments/v4/js/integrator.js	0%	Avira URL Cloud	safe
https://drive-daily-3.corp.google.com/	0%	URL Reputation	safe
http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65	100%	Avira URL Cloud	malware
https://payments.google.com/	0%	Avira URL Cloud	safe
http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	100%	Avira URL Cloud	malware
https://docs.google.com/	0%	Avira URL Cloud	safe
https://sandbox.google.com/payments/v4/js/integrator.js	0%	Virustotal		Browse
https://www.google.com/s/	0%	Avira URL Cloud	safe
https://payments.google.com/	0%	Virustotal		Browse
http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E	100%	Avira URL Cloud	malware
http://api4.check-data.xyz	100%	Avira URL Cloud	malware
https://drive.google.com/	0%	Avira URL Cloud	safe
https://www.amazon.com/exec/obidos/external-search/	0%	Avira URL Cloud	safe
https://hg.mozilla.org/releases/mozilla-release	0%	Avira URL Cloud	safe
https://github.com/mozilla-services/screenshots	0%	Avira URL Cloud	safe
http://api4.check-data.xyz	6%	Virustotal		Browse
https://drive.google.com/	0%	Virustotal		Browse
http://api5.check-data.xyz	100%	Avira URL Cloud	malware
https://hg.mozilla.org/releases/mozilla-release	0%	Virustotal		Browse
https://docs.google.com/	0%	Virustotal		Browse
http://api.check-data.xyz	100%	Avira URL Cloud	malware
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://github.com/mozilla/webcompat-reporter	0%	Avira URL Cloud	safe
https://github.com/mozilla/webcompat-reporter	0%	Virustotal		Browse
https://chrome.google.com/webstore	0%	Avira URL Cloud	safe
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
http://api2.check-data.xyz	10%	Virustotal		Browse
https://payments.google.com/payments/v4/js/integrator.js	0%	Avira URL Cloud	safe
http://api5.check-data.xyz	6%	Virustotal		Browse
https://docs.google.co	0%	Avira URL Cloud	safe
http://api3.check-data.xyz	100%	Avira URL Cloud	malware
http://api.check-data.xyz	6%	Virustotal		Browse
https://www.google.com/m/	0%	Avira URL Cloud	safe
https://static.adsafeprotected.com/firefox-etp-pixeli	0%	Avira URL Cloud	safe
https://payments.google.com/payments/v4/js/integrator.js	0%	Virustotal		Browse
https://drive-daily-2.c	0%	Avira URL Cloud	safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore/	0%	Avira URL Cloud	safe
https://static.adsafeprotected.com/firefox-etp-pixeli	0%	Virustotal		Browse
http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	100%	Avira URL Cloud	malware
https://sandbox.google.com/	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore/	0%	Virustotal		Browse
http://api3.check-data.xyz	9%	Virustotal		Browse
https://docs.google.co	1%	Virustotal		Browse
https://chrome.google.com/webstore	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
checkdata-1114476139.us-west-2.elb.amazonaws.com	44.232.42.242	true	true	0%, Virustotal, Browse	unknown
api4.check-data.xyz	unknown	unknown	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65	true	Avira URL Cloud: malware	unknown
http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api2.check-data.xyz	rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs.js_tempnwhObf.3.dr	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	URL Reputation: safe	unknown
https://smartblock.firefox.etp/play.svg	rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://payments.google.com/	rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sandbox.google.com/payments/v4/js/integrator.js	rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290120533.000000000311F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290221613.000000000312B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291320377.000000000312E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290544375.000000000312E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api4.check-data.xyz/api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	rundll32.exe, 00000006.00000002.2291425440.000000000319C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283310545.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291506390.00000000031D3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://docs.google.com/	rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/s/	rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ads.stickyadstv.com/firefox-etp	rundll32.exe, 00000003.00000003.2223174899.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2224250627.00000000034EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291506390.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283310545.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive-staging.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api4.check-data.xyz	rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://drive.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291908337.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hg.mozilla.org/releases/mozilla-release	rundll32.exe, 00000003.00000003.2212333363.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283192574.0000000004CB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283339215.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282828895.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282587225.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291455240.00000000031BA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mozilla-services/screenshots	rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api5.check-data.xyz	rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://api.check-data.xyz	rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/mozilla/webcompat-reporter	rundll32.exe, 00000006.00000003.2290120533.0000000003161000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291382323.0000000003165000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2290784410.0000000003161000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://crash-reports.mozilla.com/submit?id=	rundll32.exe, 00000003.00000003.2212333363.000000000351D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283192574.0000000004CB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283339215.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282828895.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282587225.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2282330261.0000000004C94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2291455240.00000000031BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	rundll32.exe, 00000006.00000003.2282774739.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive-daily-2.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive-autopush.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	rundll32.exe, 00000003.00000003.2210033495.00000000034D9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2196383980.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive-daily-4.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.co	rundll32.exe, 00000003.00000003.2195972684.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api3.check-data.xyz	rundll32.exe, 00000006.00000003.2283092527.0000000004C99000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2283381715.0000000004C99000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://drive-daily-1.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/m/	rundll32.exe, 00000006.00000003.2266015010.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-daily-5.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-pixeli	rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	URL Reputation: safe	unknown
https://drive-daily-6.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-pixel	rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive-daily-0.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	rundll32.exe, 00000006.00000003.2283092527.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive-daily-2.c	rundll32.exe, 00000006.00000003.2266015010.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2265993673.00000000031AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	URL Reputation: safe	unknown
https://chromewebstore.google.com/	rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive-preprod.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	prefs.js_tempjgCdeX.3.dr, prefs.js_tempXMDGGl.6.dr, prefs.js_tempnShBdn.6.dr, prefs.js_tempnwhObf.3.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/	rundll32.exe, 00000006.00000003.2281508795.00000000031CB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api4.check-data.xyz/api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr	rundll32.exe, 00000003.00000002.2224250627.00000000034EC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://sandbox.google.com/	rundll32.exe, 00000006.00000003.2266394321.00000000031B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280651031.00000000031CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2280879303.00000000031CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-daily-3.corp.google.com/	rundll32.exe, 00000006.00000003.2280651031.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.232.42.242	checkdata-1114476139.us-west-2.elb.amazonaws.com	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502267
Start date and time:	2024-08-31 22:10:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	77
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TsLvuUO.dll
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winDLL@101/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.138, 142.250.186.74, 172.217.16.202, 172.217.23.106, 172.217.18.10, 142.250.186.106, 142.250.186.42, 216.58.212.170, 172.217.18.106, 172.217.16.138, 142.250.184.202, 142.250.185.106, 216.58.212.138, 216.58.206.42, 142.250.185.74, 216.58.206.74, 13.85.23.86, 20.3.187.198, 20.242.39.171, 52.165.164.15
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, www.googleapis.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkdata-1114476139.us-west-2.elb.amazonaws.com	3QKcKCEzYP.exe	Get hash	malicious	LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC	Browse	35.161.111.70
	Install.exe	Get hash	malicious	Neoreklami	Browse	35.167.197.26
	setup.exe	Get hash	malicious	Neoreklami	Browse	35.167.197.26
	file.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	44.240.96.128
	setup.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar	Browse	44.237.52.63
	1720605557.036432_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, Socks5Systemz, Stealc, Stealerium, Vidar	Browse	44.240.96.128
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	44.240.96.128
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	44.240.96.128
	0J4lhZneA6.exe	Get hash	malicious	Unknown	Browse	44.237.26.169
bg.microsoft.map.fastly.net	http://sin1.contabostorage.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	BankPaymAdviceVend.Report.docx	Get hash	malicious	Unknown	Browse	199.232.214.172
	TradingStationPublisher.msi	Get hash	malicious	Unknown	Browse	199.232.214.172
	DFweD7fjxj.exe	Get hash	malicious	DCRat	Browse	199.232.210.172
	http://lobster.cloudserver1097.com/3f9vxbkr4q83r4aq	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://login.ap-financier.com/TaqWmoGv	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://find-phone.za.com/icloud2022-esp.php	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://sharefile8.pages.dev/b08+zb2ylref0qax	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://seoservicesiox.firebaseapp.com/?err=tdn8ci80q...~311~...1bab28021k78dd4g97a557ek2c2e4	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://xjp.steamproxy.vip/profiles/76561199276106401	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	PSqBbz.dll	Get hash	malicious	Unknown	Browse	108.156.60.94
	PSqBbz.dll	Get hash	malicious	Unknown	Browse	13.225.78.36
	COTIZACION 290824.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	52.212.52.84
	play.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://grand-pika-f642c4.netlify.app/#mthatha@africawsp.co.za	Get hash	malicious	Unknown	Browse	99.86.8.175
	SecuriteInfo.com.Linux.Siggen.9999.15938.22369.elf	Get hash	malicious	Mirai	Browse	13.226.40.92
	SecuriteInfo.com.Linux.Siggen.9999.19003.7982.elf	Get hash	malicious	Mirai	Browse	35.183.153.119
	http://security-azure.b-cdn.net/	Get hash	malicious	Unknown	Browse	18.245.60.57

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with very long lines (1743), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	9505
Entropy (8bit):	5.512528074509136
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sy:PeegJUaJHEw9R
MD5:	1EB7ADCDEBE99FC2B3606DA246898A89
SHA1:	604A13087BDE1FB8109E83DBC4E6392EE187FBA6
SHA-256:	9B127A041FB737D48BC12CB760C0F6835B3B469D8FA8D34334AB08B25ADE997E
SHA-512:	BE4A4CDD3EED0E3280D535DD13A0565E1C4B4A59A7BD91B3C972BFB34A394B0AA332842F37A8446FE53A9775848F359B48B50729AE35238B3EDCE9EE39522708
Malicious:	true
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempjgCdeX

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with very long lines (1743), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	9505
Entropy (8bit):	5.512528074509136
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sy:PeegJUaJHEw9R
MD5:	1EB7ADCDEBE99FC2B3606DA246898A89
SHA1:	604A13087BDE1FB8109E83DBC4E6392EE187FBA6
SHA-256:	9B127A041FB737D48BC12CB760C0F6835B3B469D8FA8D34334AB08B25ADE997E
SHA-512:	BE4A4CDD3EED0E3280D535DD13A0565E1C4B4A59A7BD91B3C972BFB34A394B0AA332842F37A8446FE53A9775848F359B48B50729AE35238B3EDCE9EE39522708
Malicious:	true
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnShBdn

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with very long lines (1743), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	9505
Entropy (8bit):	5.512528074509136
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sy:PeegJUaJHEw9R
MD5:	1EB7ADCDEBE99FC2B3606DA246898A89
SHA1:	604A13087BDE1FB8109E83DBC4E6392EE187FBA6
SHA-256:	9B127A041FB737D48BC12CB760C0F6835B3B469D8FA8D34334AB08B25ADE997E
SHA-512:	BE4A4CDD3EED0E3280D535DD13A0565E1C4B4A59A7BD91B3C972BFB34A394B0AA332842F37A8446FE53A9775848F359B48B50729AE35238B3EDCE9EE39522708
Malicious:	true
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnwhObf

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with very long lines (1743), with CRLF, CR line terminators
Category:	dropped
Size (bytes):	9505
Entropy (8bit):	5.512528074509136
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sy:PeegJUaJHEw9R
MD5:	1EB7ADCDEBE99FC2B3606DA246898A89
SHA1:	604A13087BDE1FB8109E83DBC4E6392EE187FBA6
SHA-256:	9B127A041FB737D48BC12CB760C0F6835B3B469D8FA8D34334AB08B25ADE997E
SHA-512:	BE4A4CDD3EED0E3280D535DD13A0565E1C4B4A59A7BD91B3C972BFB34A394B0AA332842F37A8446FE53A9775848F359B48B50729AE35238B3EDCE9EE39522708
Malicious:	true
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.801046032125333
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TsLvuUO.dll
File size:	6'734'848 bytes
MD5:	edd94a0a267df670b90f41c127f9dd6a
SHA1:	bd0005769a9392a922030793b1e88900a808f22a
SHA256:	00db74544ae4d92774a3008a5ee322577dab2a53bcb2eb9003e88af617f3b495
SHA512:	f9168a60b0af17f7d53f80e1b906feb59d44a195b067f938b3925716b46a72279c71a40d8188f110e0d40318ba2a41bea78be4b63672a465cab98cf069f8291c
SSDEEP:	98304:e4p5fRmhQ1orSk3GCK4J7vADNR6oXc0/8+x0bRtI4PPgbYhiLC9kEN6+/mu:eKfiQ15M2aIDS0i+SRi4samC9bN9O
TLSH:	30660114F2009B1CD87702F16175EB99627C6530125426E376AEEA0F39B41D8BDAFEF2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hA.!, .r, .r, .r..:r. .r!r"r2 .r!r.ro .r!r.r. .r..6r% .r, .r. .r...r* .r...r= .r..!r- .r..#r- .rRich, .r................PE..L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10063100
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x615F3ED9 [Thu Oct 7 18:39:21 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	080e9a7727d30a43ca5568c2e04b20cd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F58347D8387h
call 00007F58347E3ABEh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F58347D838Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 1007CC98h
call 00007F58347DD746h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F58347D838Eh
cmp dword ptr [10669DA8h], esi
je 00007F58347D846Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F58347D8387h
cmp esi, 02h
jne 00007F58347D83B7h
mov ecx, dword ptr [100024D0h]
test ecx, ecx
je 00007F58347D838Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F58347D8437h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F58347D8196h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F58347D8420h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F58347E3AD3h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F58347D83AAh
test edi, edi
jne 00007F58347D83A6h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F58347E3ABBh
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F58347D815Ch
mov eax, dword ptr [100024D0h]
test eax, eax
je 00007F58347D8389h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 UPD5 build 40629
[EXP] VS2013 UPD5 build 40629
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7d2b0	0x3c	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x66c29c	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x66e000	0x2d48	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7db8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x66c000	0x29c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7c2ec	0x7c400	5198dbea9a0124ae10eaf669881aaf74	False	0.4727584255533199	data	6.333149874686492	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x7e000	0x5edeac	0x5ebc00	fd0d7d64d42f76f4b2bf445af0ff9882	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x66c000	0x1148	0x1200	2cbce472adca631c5feef1545631e8b3	False	0.4398871527777778	data	5.423143313414181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x66e000	0x2d48	0x2e00	8f99bf1ea0d1a7ab38ec94aedbd8b67e	False	0.7133152173913043	data	6.509573588463001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	FillConsoleOutputAttribute, GetConsoleScreenBufferInfo, ReadConsoleInputA, PeekConsoleInputA, GetNumberOfConsoleInputEvents, OutputDebugStringW, ReadConsoleW, WriteConsoleW, SetStdHandle, LoadLibraryExW, GetModuleFileNameW, SetFilePointerEx, FillConsoleOutputCharacterA, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, GetFileType, GetOEMCP, GetACP, IsValidCodePage, IsDebuggerPresent, GetProcessHeap, HeapSize, GetModuleHandleExW, ExitProcess, SetConsoleTextAttribute, SetConsoleCursorPosition, Sleep, GetStdHandle, CreateThread, LocalFree, CloseHandle, CreateEventW, CreateFileMappingA, FindClose, EnterCriticalSection, IsDBCSLeadByteEx, FindFirstFileA, GetSystemDirectoryA, MulDiv, CreateEventA, GetLocaleInfoW, InitializeSListHead, SetCommTimeouts, GetSystemTimeAsFileTime, ConnectNamedPipe, SetCommBreak, SetDllDirectoryW, VirtualQuery, GetCPInfo, GetThreadTimes, GetModuleFileNameA, CreatePipe, GetLocalTime, GetStartupInfoW, CreateFileW, IsProcessorFeaturePresent, GetSystemTimeAdjustment, OpenProcess, GetCurrentThread, QueryPerformanceCounter, ReadFile, EncodePointer, DecodePointer, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, GetLastError, HeapReAlloc, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, HeapFree, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetProcAddress, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, SetConsoleMode
USER32.dll	CreateDialogParamA, SendDlgItemMessageA, SetFocus, GetWindowTextLengthA, DrawFocusRect, GetWindowTextA, FlashWindow, ReleaseCapture, InsertMenuA, DestroyMenu, LoadCursorA, DialogBoxParamA, SetCursor, HideCaret, PostQuitMessage, SetKeyboardState, GetDC, CreateDialogIndirectParamA, OffsetRect, GetScrollInfo, GetWindowLongA, GetDlgItem, DestroyCaret, GetDesktopWindow, SetMenu, MessageBoxW, GetSystemMetrics, ValidateRgn, CheckMenuItem, IsRectEmpty
GDI32.dll	CreatePolygonRgn, GetMetaFileBitsEx, GetCharacterPlacementW, CreateHatchBrush, DeleteDC, GetDIBits, ExcludeClipRect, GdiFlush, RealizePalette, SetPolyFillMode, GetTextExtentPointW, CreateBitmapIndirect, GetTextExtentPointA, CreateDIBitmap, EndDoc, GetStockObject, UpdateColors, MoveToEx, ExtFloodFill, MaskBlt, Polygon, CreatePalette, GetRegionData, SelectObject, GetPaletteEntries, CreateRectRgnIndirect, RectInRegion, CreateRectRgn, RoundRect, SelectPalette
ADVAPI32.dll	CopySid, OpenProcessToken, GetLengthSid, InitializeSecurityDescriptor, EqualSid

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 22:12:02.045289993 CEST	49705	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:02.050088882 CEST	80	49705	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:02.050203085 CEST	49705	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:02.050537109 CEST	49705	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:02.055466890 CEST	80	49705	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:02.684412956 CEST	80	49705	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:02.684495926 CEST	49705	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:02.945787907 CEST	49705	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:08.728751898 CEST	49709	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:08.733643055 CEST	80	49709	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:08.733721018 CEST	49709	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:08.737373114 CEST	49709	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:08.742177010 CEST	80	49709	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:09.373626947 CEST	80	49709	44.232.42.242	192.168.2.5
Aug 31, 2024 22:12:09.373817921 CEST	49709	80	192.168.2.5	44.232.42.242
Aug 31, 2024 22:12:09.675431013 CEST	49709	80	192.168.2.5	44.232.42.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 22:12:02.019076109 CEST	62965	53	192.168.2.5	1.1.1.1
Aug 31, 2024 22:12:02.044173956 CEST	53	62965	1.1.1.1	192.168.2.5
Aug 31, 2024 22:12:11.261497021 CEST	53	65001	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 31, 2024 22:12:02.019076109 CEST	192.168.2.5	1.1.1.1	0xdd1c	Standard query (0)	api4.check-data.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 31, 2024 22:12:02.044173956 CEST	1.1.1.1	192.168.2.5	0xdd1c	No error (0)	api4.check-data.xyz	checkdata-1114476139.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 31, 2024 22:12:02.044173956 CEST	1.1.1.1	192.168.2.5	0xdd1c	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		44.232.42.242	A (IP address)	IN (0x0001)	false
Aug 31, 2024 22:12:02.044173956 CEST	1.1.1.1	192.168.2.5	0xdd1c	No error (0)	checkdata-1114476139.us-west-2.elb.amazonaws.com		35.160.60.134	A (IP address)	IN (0x0001)	false
Aug 31, 2024 22:12:08.354293108 CEST	1.1.1.1	192.168.2.5	0x4c68	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 31, 2024 22:12:08.354293108 CEST	1.1.1.1	192.168.2.5	0x4c68	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api4.check-data.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	44.232.42.242	80	7160	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 31, 2024 22:12:02.050537109 CEST	358	OUT	GET /api/uninstall/17511/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/97D99714-22C7-D2AF-3668-2A796B33DC65 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36 Host: api4.check-data.xyz Connection: Keep-Alive Cache-Control: no-cache
Aug 31, 2024 22:12:02.684412956 CEST	404	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Content-Type: text/html; charset=UTF-8 Date: Sat, 31 Aug 2024 20:09:05 GMT Server: nginx Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	44.232.42.242	80	2300	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 31, 2024 22:12:08.737373114 CEST	358	OUT	GET /api/uninstall/59078/2C6A44CB-AD42-4731-A544-3FBD3D83AB5B/2.0.0.3281/wrtzr_ytab_b_1/8E53D89817ED4B0291FBFA7D0F319D53/1D5E65EB-947C-7A0A-9CCF-076D85CAD35E HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36 Host: api4.check-data.xyz Connection: Keep-Alive Cache-Control: no-cache
Aug 31, 2024 22:12:09.373626947 CEST	404	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Cache-control: no-cache="set-cookie" Content-Type: text/html; charset=UTF-8 Date: Sat, 31 Aug 2024 20:09:12 GMT Server: nginx Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200 Content-Length: 0 Connection: keep-alive

Target ID:	0
Start time:	16:11:51
Start date:	31/08/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\TsLvuUO.dll"
Imagebase:	0x660000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:11:51
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:11:51
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:11:51
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\TsLvuUO.dll,#1
Imagebase:	0x790000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:11:51
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Imagebase:	0x790000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:11:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\TsLvuUO.dll",#1
Imagebase:	0x790000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:11:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "WYKSCfYVrwsdWpT"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:11:56
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "WYKSCfYVrwsdWpT2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "nfblQVJFwWHDFj"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "nfblQVJFwWHDFj"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "YGYYnsbMowvpr"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "YGYYnsbMowvpr"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "YGYYnsbMowvpr2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "YGYYnsbMowvpr2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "SfQlcfTRPgaddFhgU"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:11:57
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "SfQlcfTRPgaddFhgU2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	16:11:58
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "WYKSCfYVrwsdWpT"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "WYKSCfYVrwsdWpT2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "WYKSCfYVrwsdWpT2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "nfblQVJFwWHDFj"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	16:12:04
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "nfblQVJFwWHDFj"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "YGYYnsbMowvpr"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "YGYYnsbMowvpr"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "YGYYnsbMowvpr2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "YGYYnsbMowvpr2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "SfQlcfTRPgaddFhgU"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "SfQlcfTRPgaddFhgU2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "SfQlcfTRPgaddFhgU2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "MBOKUVJttHMBWpgjMbJ"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	16:12:05
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	16:12:06
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /DELETE /F /TN "MBOKUVJttHMBWpgjMbJ"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	16:12:06
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	16:12:06
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /END /TN "MBOKUVJttHMBWpgjMbJ2"
Imagebase:	0xe10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	16:12:06
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.6%
Total number of Nodes:	1238
Total number of Limit Nodes:	52

Executed Functions

Function 033E7A3F Relevance: 84.5, APIs: 6, Strings: 41, Instructions: 2223COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033E7B54
__EH_prolog.LIBCMT ref: 033E7B69

Strings

C@, xrefs: 033E94C5
^, xrefs: 033E9DBF
h8, xrefs: 033E7BD4
>, xrefs: 033EA079
t, xrefs: 033E94DA
n, xrefs: 033E98FD
Y, xrefs: 033EA2A2
r, xrefs: 033E92AD
f, xrefs: 033E9383
hL4, xrefs: 033E7BCA
f, xrefs: 033E8A9D
Y, xrefs: 033E92A6
e, xrefs: 033E9185
2, xrefs: 033E7F5A
PO, xrefs: 033E8D00
W, xrefs: 033EA23F
h}?, xrefs: 033EA23A
S4, xrefs: 033E7D99
r, xrefs: 033E9DC6
i, xrefs: 033E9A3E
x(, xrefs: 033E868E
'`5x, xrefs: 033E8D9D
Sh;l, xrefs: 033E7BB2
]K, xrefs: 033E9341
ht, xrefs: 033E7CDD
"5, xrefs: 033E7BE1
h&}, xrefs: 033E8E6F
hPQ, xrefs: 033E7BA6
PhOg, xrefs: 033E8993
|h=1, xrefs: 033E85DC
h1, xrefs: 033E85F4
r8, xrefs: 033E7BB8
r, xrefs: 033E9CAB
h";, xrefs: 033E85EF
h4R, xrefs: 033E7BC0
hS, xrefs: 033EA215
r, xrefs: 033E87AB
DwKoYBuJCEyytDi, xrefs: 033E7B4F
t, xrefs: 033E97E4
D, xrefs: 033EA227
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E7B59

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prologXinvalid_argumentstd::_
String ID: C@$'`5x$2$>$D$DwKoYBuJCEyytDi$PO$PhOg$Sh;l$Y$Y$]K$^$e$f$f$h8$h";$h&}$h4R$hL4$hPQ$ht$h}?$h1$hS$i$n$r$r$r$r$t$t$x($xbftzkZErMGIHumMcosuOxQ$|h=1$"5$S4$W$r8
API String ID: 4014091808-959085074
Opcode ID: 46905a0a2b181afca9046ee8058e7fdded348f0d9e6dacdb2937fece99c965ec
Instruction ID: 75c71d8a163fae18a0933ee6d8ef5d52dcfda2d3cb0d223cb8ee6db35f23dd5c
Opcode Fuzzy Hash: 46905a0a2b181afca9046ee8058e7fdded348f0d9e6dacdb2937fece99c965ec
Instruction Fuzzy Hash: B52387B4D042699EDB21DF64CC94BEEBBB8AB05304F1040E9E549BB281DB755F88CF91

Function 033EC786 Relevance: 83.5, APIs: 5, Strings: 41, Instructions: 2976COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033EC78B
ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 033EF5E1

Part of subcall function 033EBABF: __EH_prolog.LIBCMT ref: 033EBAC4

GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000001,00000003,00000000,00000002,00000000,?,?,0DFE9F48,?,00000000,?,?,00000002), ref: 033ECF4F
GetDesktopWindow.USER32 ref: 033ED1D6
SetWindowLongW.USER32(00000000), ref: 033ED1DD

Part of subcall function 033C38F8: _memmove.LIBCMT ref: 033C3918

Part of subcall function 033D4630: __EH_prolog.LIBCMT ref: 033D4635

Part of subcall function 033C3943: _memmove.LIBCMT ref: 033C3963

Strings

(, xrefs: 033EE592
{, xrefs: 033EEA26
e, xrefs: 033EF285
p, xrefs: 033ECF9B
e, xrefs: 033EE80C
v, xrefs: 033EE167
!, xrefs: 033EE2C4
<, xrefs: 033EE0D2
G, xrefs: 033EE039
'`5x, xrefs: 033ED817
t, xrefs: 033EF199
m, xrefs: 033EDF94
R, xrefs: 033EE3B3
b, xrefs: 033EE73A
v, xrefs: 033EE47D
!'E, xrefs: 033EEB95
t, xrefs: 033EDEBA
[, xrefs: 033EE476
*, xrefs: 033EF31B
m, xrefs: 033EEC94
AA, xrefs: 033EE55A
PO, xrefs: 033ED772
:, xrefs: 033EF0DB
*, xrefs: 033EEFEC
u, xrefs: 033EF3B8
*, xrefs: 033EF4A6
s, xrefs: 033EED47
t, xrefs: 033EEBA6
#, xrefs: 033ED968
h&}, xrefs: 033ED94E
, xrefs: 033EEAF1
!, xrefs: 033ED56E
p, xrefs: 033ED3F7
l, xrefs: 033EE93F
t, xrefs: 033EEF2A
, xrefs: 033EEE08
H, xrefs: 033EED40
n, xrefs: 033EE1F5
<, xrefs: 033EE3BA
p, xrefs: 033EE67C
r, xrefs: 033EDA7D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog$Window_memmove$CreateDesktopLongOverlappedRegionResult
String ID: $ $!$!$!'E$'`5x$($*$*$*$:$<$<$AA$G$H$PO$R$[$b$e$e$h&}$l$m$m$n$p$p$p$r$s$t$t$t$t$u$v$v${$#
API String ID: 4063478863-2971129802
Opcode ID: e858f285400d7d4ffb65f846191b432d1a1c16ad37466317d26c007e2f6baaa5
Instruction ID: 6dbe0e0c714107005048f02ecb2391b8d42f95f496a8f578ad337beb085e15d5
Opcode Fuzzy Hash: e858f285400d7d4ffb65f846191b432d1a1c16ad37466317d26c007e2f6baaa5
Instruction Fuzzy Hash: 1D539D74D443A99EEB21DF98CC95BEDBBB8AB05304F5440E9E548BB2C1C7B50A88CF51

Function 033E7C37 Relevance: 44.9, APIs: 4, Strings: 21, Instructions: 1189COMMON

Download Yara Rule

Strings

x(, xrefs: 033E868E
C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
ht, xrefs: 033E7CDD
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
PhOg, xrefs: 033E8993
|h=1, xrefs: 033E85DC
h1, xrefs: 033E85F4
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
h";, xrefs: 033E85EF
2, xrefs: 033E7F5A
PO, xrefs: 033E8D00
#, xrefs: 033E96F1
S4, xrefs: 033E7D99
r, xrefs: 033E87AB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Ucopy$Allocate
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$ht$h1$r$r$t$x($|h=1$S4
API String ID: 1811393872-1841768753
Opcode ID: 51d7fcb94b557962e1673eb90b8d45471d48652782109d30b33828aa7fa9a01b
Instruction ID: d30461541b3da8922b127e69d122afda5558e0b6f14ba9149cdd1713ed70fa0e
Opcode Fuzzy Hash: 51d7fcb94b557962e1673eb90b8d45471d48652782109d30b33828aa7fa9a01b
Instruction Fuzzy Hash: 58C254B4D043699EDF21DF94CC85BEEBBB8AB08304F1441E9E549BB281DB745A84CF91

Function 033E7E69 Relevance: 41.4, APIs: 4, Strings: 19, Instructions: 1135COMMON

Download Yara Rule

Strings

x(, xrefs: 033E868E
C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
|h=1, xrefs: 033E85DC
PhOg, xrefs: 033E8993
h1, xrefs: 033E85F4
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
h";, xrefs: 033E85EF
2, xrefs: 033E7F5A
PO, xrefs: 033E8D00
#, xrefs: 033E96F1
r, xrefs: 033E87AB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 0-247542439
Opcode ID: 2f7d43b88e4747c2f7d5ede1d71be01711c12bcee4ed666ed1d4e16cbaa38be5
Instruction ID: 5db330a27725c654d8a719bdea4f6beb544cbfdec715e37efd312b2c84dd7df1
Opcode Fuzzy Hash: 2f7d43b88e4747c2f7d5ede1d71be01711c12bcee4ed666ed1d4e16cbaa38be5
Instruction Fuzzy Hash: 1BB266B4D04269DEDF21DFA8CC85BEEBBB8AB08304F1440E9D549BB281DB755A84CF51

Function 033E7F15 Relevance: 41.3, APIs: 4, Strings: 19, Instructions: 1079COMMON

Download Yara Rule

APIs

Part of subcall function 033C13C5: _Allocate.LIBCPMT ref: 033C1417
Part of subcall function 033C13C5: _Ucopy.LIBCPMT ref: 033C1428
Part of subcall function 033C13C5: _Ucopy.LIBCPMT ref: 033C1436
Part of subcall function 033C13C5: _Ucopy.LIBCPMT ref: 033C1444

ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 033E83BC

Strings

x(, xrefs: 033E868E
C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
|h=1, xrefs: 033E85DC
PhOg, xrefs: 033E8993
h1, xrefs: 033E85F4
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
h";, xrefs: 033E85EF
2, xrefs: 033E7F5A
PO, xrefs: 033E8D00
#, xrefs: 033E96F1
r, xrefs: 033E87AB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Ucopy$AllocateCreateRegion
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 2216468127-247542439
Opcode ID: 57c4e1bbd6a2f55fcfacfafab7e0365f4392c7302fbe6ebb07054987a1b2daa5
Instruction ID: 4ff1c2789e1df2d88d9fc3b2ca7fc829c5218a7b54bd88dcc50fc36ba8497ea4
Opcode Fuzzy Hash: 57c4e1bbd6a2f55fcfacfafab7e0365f4392c7302fbe6ebb07054987a1b2daa5
Instruction Fuzzy Hash: 27B254B4D043699EDF21DFA8CC85BEEBBB8AB04304F1440E9E549BB281DB755A84CF51

Function 033E8060 Relevance: 39.7, APIs: 4, Strings: 18, Instructions: 1178COMMON

Download Yara Rule

Strings

x(, xrefs: 033E868E
C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
|h=1, xrefs: 033E85DC
PhOg, xrefs: 033E8993
h1, xrefs: 033E85F4
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
h";, xrefs: 033E85EF
PO, xrefs: 033E8D00
#, xrefs: 033E96F1
r, xrefs: 033E87AB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Ucopy$Allocate
String ID: C@$#$'`5x$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 1811393872-3020287246
Opcode ID: 2d9722a022fd3eb360820279f84c7ca3567f7643049c834082cb6a34a0dbd51c
Instruction ID: e8dd375d414dd57a68e5761797c46ceebd484718e786a9458e6c0b1ea6cb93cd
Opcode Fuzzy Hash: 2d9722a022fd3eb360820279f84c7ca3567f7643049c834082cb6a34a0dbd51c
Instruction Fuzzy Hash: 69B255B4D00269DEDF21DF94CC95BEEBBB8AB04304F1441EAE509BB281DB755A84CF51

Function 033E8926 Relevance: 28.7, APIs: 3, Strings: 13, Instructions: 716COMMON

Download Yara Rule

Strings

C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
PhOg, xrefs: 033E8993
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
PO, xrefs: 033E8D00
#, xrefs: 033E96F1

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID: C@$#$'`5x$PO$PhOg$Y$]K$e$f$f$h&}$r$t
API String ID: 0-446310366
Opcode ID: d8ccd4536fdd793834d08276f2a498e1b571badcd6446bc2ce9feb51cfd619eb
Instruction ID: dbd1609cc9403c55cd62142a5389d992bc71349dba78d72469ed6c5732399a3f
Opcode Fuzzy Hash: d8ccd4536fdd793834d08276f2a498e1b571badcd6446bc2ce9feb51cfd619eb
Instruction Fuzzy Hash: 086244B4D002699EDF20DF94CC85BEEBBB8AB19304F5440EAD549BB281DB745B84CF91

Function 033E4BDD Relevance: 14.6, APIs: 3, Strings: 5, Instructions: 598
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 033E4BE2
RegUnLoadKeyW.ADVAPI32(00000000,00000000,033C19D1,00000001,00000000), ref: 033E53EA

Part of subcall function 033E42FC: QueryDosDeviceW.KERNEL32(00000000,00000000,00000752), ref: 033E4318

EndMenu.USER32(033C19D1,00000001,00000000), ref: 033E541E

Strings

#, xrefs: 033E4F9A
'`5x, xrefs: 033E4EB5
h&}, xrefs: 033E4F7A
PO, xrefs: 033E4E3C
Xx, xrefs: 033E4D62

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DeviceH_prologLoadMenuQuery
String ID: '`5x$PO$Xx$h&}$#
API String ID: 2890571477-3551381960
Opcode ID: f915be176cf0aa8606942d16d24c9f8ed34cc6759b457b375b4486dea8e8f4a3
Instruction ID: 0f5dc5f2e40a9ebd32e38083fafa1ecec34394b17151fe17ee3cce2cbd9a909c
Opcode Fuzzy Hash: f915be176cf0aa8606942d16d24c9f8ed34cc6759b457b375b4486dea8e8f4a3
Instruction Fuzzy Hash: B64246B5D01229DFEF10CF98C981AEDBBB5FB09308F1142AAE919BA280D7749D41CF54

Function 033E25BB Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 664
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 033E25C0

Strings

!, xrefs: 033E2814
'`5x, xrefs: 033E2E2F
h&}, xrefs: 033E2A79
PO, xrefs: 033E2DBF
#, xrefs: 033E2A90
Xx, xrefs: 033E297C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: !$'`5x$PO$Xx$h&}$#
API String ID: 3519838083-2769257566
Opcode ID: c7d87aedad0fcbd69a343c79ee1425f1601d4b65a59835d5b21ef0ffb428a8a1
Instruction ID: 814cb1922c186ce2b60acbee70081c5e4874814bac2ef1e19a891d3f130032ea
Opcode Fuzzy Hash: c7d87aedad0fcbd69a343c79ee1425f1601d4b65a59835d5b21ef0ffb428a8a1
Instruction Fuzzy Hash: 255249B4E0022ADFDF14DF98C885AEEBBB9FB44315F208529E515BB2C0D7754A81CB91

Function 033E4590 Relevance: 8.0, APIs: 5, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 033E4595
GetDesktopWindow.USER32 ref: 033E4686
GetDC.USER32(00000000), ref: 033E468D
GetTextExtentPointW.GDI32(00000000), ref: 033E4694
GetSysColorBrush.USER32(0000196A), ref: 033E4713

Part of subcall function 033E5FC5: GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000001,?,033E6141), ref: 033E5FDB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: BrushColorDesktopExtentH_prologOverlappedPointResultTextWindow
String ID:
API String ID: 251452265-0
Opcode ID: b5032529ff25e3c54ebbe3a9b56c32de6ddcef4827e830e420207f5bb3e548f5
Instruction ID: 0755098b915e563cf3fbcaabce74e214593a3da35f08240e3acd4dcd82d4e081
Opcode Fuzzy Hash: b5032529ff25e3c54ebbe3a9b56c32de6ddcef4827e830e420207f5bb3e548f5
Instruction Fuzzy Hash: 03126AB5E4435A9FDB14CFA9DC81AEEB7B9FB09305F140519F921AB2C0D7709A50CBA0

Function 054D2C29 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,00000002,?,?,054D36FA,?,?,?,00000002,?,?,?), ref: 054D2C45
GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,054D36FA,?,?,?,00000002,?,?,?), ref: 054D2C50

Memory Dump Source

Source File: 00000003.00000002.2225059714.00000000053B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000003.00000002.2225041734.00000000053B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225178708.000000000550A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225480615.000000000597D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225501466.000000000597F000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8260114073be6e898b295944d0f6e74121f718663b98b548d29f38d2cdf98b3f
Instruction ID: 0a4b9a1c072336226b7a6575b46ae3461645c9033b52a4865fc5b7a5b7b272be
Opcode Fuzzy Hash: 8260114073be6e898b295944d0f6e74121f718663b98b548d29f38d2cdf98b3f
Instruction Fuzzy Hash: A3D09E7651820DBF8F059FE1F80ACAA7F7AFF4C724B084846F91885110EA72E5709B65

Function 033E8A5B Relevance: 28.7, APIs: 3, Strings: 13, Instructions: 657
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C@, xrefs: 033E94C5
'`5x, xrefs: 033E8D9D
t, xrefs: 033E94DA
]K, xrefs: 033E9341
!, xrefs: 033E8A6C
r, xrefs: 033E92AD
h&}, xrefs: 033E8E6F
f, xrefs: 033E9383
f, xrefs: 033E8A9D
e, xrefs: 033E9185
Y, xrefs: 033E92A6
PO, xrefs: 033E8D00
#, xrefs: 033E96F1

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopItemTextWindow
String ID: C@$!$#$'`5x$PO$Y$]K$e$f$f$h&}$r$t
API String ID: 2254304967-3921538676
Opcode ID: 7c5db17764e51ec0183eda63a456619c7eff79bf5fbf1e605f53d217db8fb3f4
Instruction ID: c27a71b76469c547c62b18c3b00a4f009c474a4d2404ae31978579874b9938bb
Opcode Fuzzy Hash: 7c5db17764e51ec0183eda63a456619c7eff79bf5fbf1e605f53d217db8fb3f4
Instruction Fuzzy Hash: 6E6254B4D0026D9EDB21DF94CC85BEEBBB8AB19304F5080E9D549BB281DB745B84CF91

Function 033D2852 Relevance: 21.3, APIs: 14, Instructions: 260
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 033D28E0
GetDC.USER32(00000000), ref: 033D28E7
GetTextExtentPointW.GDI32(00000000), ref: 033D28EE
CreateFileMappingW.KERNELBASE(00000000,00000002,00000000,00000000,00000000,00000003,75A89CE0,?,00000000), ref: 033D2945
GetSysColorBrush.USER32(0000196A), ref: 033D2994
GetDesktopWindow.USER32 ref: 033D29A8
SetWindowTextW.USER32(00000000), ref: 033D29AF
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 033D29D4
GetDesktopWindow.USER32 ref: 033D2A41
SetDlgItemInt.USER32(00000000), ref: 033D2A48
GetDesktopWindow.USER32 ref: 033D2A6A
GetDC.USER32(00000000), ref: 033D2A71
SetViewportExtEx.GDI32(00000000), ref: 033D2A78
MapViewOfFile.KERNEL32(00000004,033D2769,?,?,?,?,?,?,?,0341CF60,00000000), ref: 033D2B44

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$FileText$BrushColorCreateExtentFormatItemMappingMessagePointViewViewport
String ID:
API String ID: 2213085167-0
Opcode ID: 3a52c3050ddecc77a9906c5e30c0db3debcef1422e61f9c73f8c14fb45d22f2c
Instruction ID: 74dcdc9c03e2028d890022faf11b6d20b22c51c805958ce61ff91bd6eb35d5c3
Opcode Fuzzy Hash: 3a52c3050ddecc77a9906c5e30c0db3debcef1422e61f9c73f8c14fb45d22f2c
Instruction Fuzzy Hash: 1CA18DB6D04749EFDB10DFA4E8D49AEFBB9FF04315F088999E511AB280C7314A85CB90

Function 033D20BE Relevance: 19.8, APIs: 13, Instructions: 288
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 033D214C
GetDC.USER32(00000000), ref: 033D2153
GetTextExtentPointW.GDI32(00000000), ref: 033D215A
GetSysColorBrush.USER32(0000196A), ref: 033D21D9
GetDesktopWindow.USER32 ref: 033D21F0
SetWindowTextW.USER32(00000000), ref: 033D21F7
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,75A89CE0,?,00000000), ref: 033D221F
GetDesktopWindow.USER32 ref: 033D228B
SetDlgItemInt.USER32(00000000), ref: 033D2292
GetDesktopWindow.USER32 ref: 033D22B5
GetDC.USER32(00000000), ref: 033D22BC
SetViewportExtEx.GDI32(00000000), ref: 033D22C3
CreateFileW.KERNEL32(000000F2,00000000,5C6F1BF5,8F93905C,00000000,00000003,75A89CE0,?,00000000), ref: 033D23AE

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorCreateExtentFileFormatItemMessagePointViewport
String ID:
API String ID: 349340697-0
Opcode ID: f4d4daaec228cdae9e5e2b9660a20abcfc0fc408bd3697f53036f2fc737b8957
Instruction ID: 5f2d6b1f5fa45a48ad067e81810b03928095dba6d59e2a1414faeb9b6eec45c7
Opcode Fuzzy Hash: f4d4daaec228cdae9e5e2b9660a20abcfc0fc408bd3697f53036f2fc737b8957
Instruction Fuzzy Hash: 09A19172E04309EEEB14DF99EC897AEBBB5EF44311F18C869E915AE1C1C7748680CB50

Function 033E8EBB Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 033C7C9C: char_traits.LIBCPMT ref: 033C7CB5

_fseek.LIBCMT ref: 033E8FD3
_fseek.LIBCMT ref: 033E8FE7

Part of subcall function 033FCA22: __lock_file.LIBCMT ref: 033FCA67
Part of subcall function 033FCA22: __fseek_nolock.LIBCMT ref: 033FCA76

__fread_nolock.LIBCMT ref: 033E902D

Strings

f, xrefs: 033E9383
C@, xrefs: 033E94C5
e, xrefs: 033E9185
Y, xrefs: 033E92A6
t, xrefs: 033E94DA
]K, xrefs: 033E9341
#, xrefs: 033E96F1
r, xrefs: 033E92AD

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _fseek$__fread_nolock__fseek_nolock__lock_filechar_traits
String ID: C@$#$Y$]K$e$f$r$t
API String ID: 15111844-2411602883
Opcode ID: 10e7e700d5feeee4420f39db90fefb89327f85880e8089cd08075d2ffcac49d7
Instruction ID: a081a68044bdfbb65ea523a5a708db931025d5837d7837e4495779f779a6f255
Opcode Fuzzy Hash: 10e7e700d5feeee4420f39db90fefb89327f85880e8089cd08075d2ffcac49d7
Instruction Fuzzy Hash: D51265B5C0126CAEEB21DB54CC88BDEBBB8AB15304F4440E9D5497B281EB755F88CF51

Function 033E8EAB Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseek.LIBCMT ref: 033E8FD3
_fseek.LIBCMT ref: 033E8FE7
__fread_nolock.LIBCMT ref: 033E902D

Strings

f, xrefs: 033E9383
C@, xrefs: 033E94C5
e, xrefs: 033E9185
Y, xrefs: 033E92A6
t, xrefs: 033E94DA
]K, xrefs: 033E9341
#, xrefs: 033E96F1
r, xrefs: 033E92AD

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _fseek$__fread_nolock
String ID: C@$#$Y$]K$e$f$r$t
API String ID: 1795926144-2411602883
Opcode ID: 2d528e74903ec87688e47f8fd3febbdd5604fa3de356d65049178ff95b72cd0a
Instruction ID: 91046c48aefad347707926ed72068acab3d09422144978a416caa1fdb1742891
Opcode Fuzzy Hash: 2d528e74903ec87688e47f8fd3febbdd5604fa3de356d65049178ff95b72cd0a
Instruction Fuzzy Hash: A91255B5C0126CAEEB21DB54CC88BDEBBB8AB19304F4440E9D5497B281EB755F88CF51

Function 033D25AC Relevance: 18.2, APIs: 12, Instructions: 178
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 033D263E
GetDC.USER32(00000000), ref: 033D2641
GetTextExtentPointW.GDI32(00000000,?,?), ref: 033D2648
GetSysColorBrush.USER32(0000196A), ref: 033D26E0
GetDesktopWindow.USER32 ref: 033D26F7
SetWindowTextW.USER32(00000000), ref: 033D26FA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000002,00000021,00000003,?,?,?,00000000,00000000), ref: 033D2722
GetDesktopWindow.USER32 ref: 033D279E
SetDlgItemInt.USER32(00000000,?,?), ref: 033D27A1
GetDesktopWindow.USER32 ref: 033D27C3
GetDC.USER32(00000000), ref: 033D27C6
SetViewportExtEx.GDI32(00000000,?,?), ref: 033D27CD

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: 41d02364c48ae0e2af7f6be911e99b15eb297632d47d7151a69028877b20a146
Instruction ID: 7905e72bcd7de4db87279d84d07f8aec7a32dfd488f539c6dfd8d6ccb6bb85ca
Opcode Fuzzy Hash: 41d02364c48ae0e2af7f6be911e99b15eb297632d47d7151a69028877b20a146
Instruction Fuzzy Hash: 37617D75E00348FEDB10EFA4E9886AEBFB5AF44315F14C89AE815EA281D7748681CB50

Function 03404F40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsnicmp.LIBCMT ref: 034050F9
__wcsnicmp.LIBCMT ref: 03405118

Part of subcall function 033FBF95: __getptd_noexit.LIBCMT ref: 033FBF95

Strings

ccs, xrefs: 034050BA
UTF-16LE, xrefs: 03405112
UNICODE, xrefs: 03405131
UTF-8, xrefs: 034050F3

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: __wcsnicmp$__getptd_noexit
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 78897640-3573488595
Opcode ID: 30dfa22233bfe585a210d3f05e97a122eeeb6c96ea4f97510eef58a2d81be311
Instruction ID: 9e27bbc66d8fe3b9f0eb6425f48658220f5b48a4ccaa07da69aafbbbacc4f5c5
Opcode Fuzzy Hash: 30dfa22233bfe585a210d3f05e97a122eeeb6c96ea4f97510eef58a2d81be311
Instruction Fuzzy Hash: FA51E576F0830299EB34DE668A0977F6694EB02310F1C44FBEE559E3C1E67485418EDD

Function 033E600C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 495
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 033E6011
GetVolumeInformationW.KERNEL32(00000002,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000003,00000003), ref: 033E6408
ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 033E6664
GetFileSize.KERNEL32(00000000,00000000,00000002,00000004,00000000), ref: 033E666D

Part of subcall function 033E5CA7: GetDesktopWindow.USER32 ref: 033E5CC6
Part of subcall function 033E5CA7: SetDlgItemTextW.USER32(00000000,?,033E5559), ref: 033E5CCD

Strings

!, xrefs: 033E661B
x(, xrefs: 033E6293

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: CreateDesktopFileH_prologInformationItemRegionSizeTextVolumeWindow
String ID: !$x(
API String ID: 2925256546-3571294847
Opcode ID: 7bfedaf0007e4ed70da26c16447f16b01edf41831b8d27dc08b6ae31825052a4
Instruction ID: 540677343304d7f0855543f6e19d716240a0d0daf89e2d9ed0501456c615ebe3
Opcode Fuzzy Hash: 7bfedaf0007e4ed70da26c16447f16b01edf41831b8d27dc08b6ae31825052a4
Instruction Fuzzy Hash: 191256B8E4022ADFDB10DF98C982AEEB7B9FF14304F104469E915BB2C1D7B59A44CB51

Function 033D0806 Relevance: 10.6, APIs: 7, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 033D0898
GetDC.USER32(00000000), ref: 033D089B
GetTextExtentPointW.GDI32(00000000), ref: 033D08A2
GetSysColorBrush.USER32(0000196A), ref: 033D0918
GetDesktopWindow.USER32 ref: 033D092C
SetWindowTextW.USER32(00000000), ref: 033D092F
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,75A89CE0,?,00000000), ref: 033D0954

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$DesktopText$BrushColorExtentFormatMessagePoint
String ID:
API String ID: 627555471-0
Opcode ID: b5c3524db1ed135f908ea8c895254eb973346ee09b22cd963dc5018fa85c479a
Instruction ID: 6af9f975b15830c497f10783340bedf0e444ee0972be696f71a7444823ef970c
Opcode Fuzzy Hash: b5c3524db1ed135f908ea8c895254eb973346ee09b22cd963dc5018fa85c479a
Instruction Fuzzy Hash: 6B5149B5D04248EFDB14DFA9E8C44ADBFB8FB04715F14C49AE96AAA251C3348681CF90

Function 03408F22 Relevance: 10.6, APIs: 7, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___createFile.LIBCMT ref: 03408F53

Part of subcall function 03408B74: ___crtIsPackagedApp.LIBCMT ref: 03408B7A
Part of subcall function 03408B74: GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,?,00000001,?,00000000,00000109), ref: 03408B8D
Part of subcall function 03408B74: GetProcAddress.KERNEL32(00000000), ref: 03408B94

GetLastError.KERNEL32 ref: 03408F7C
__dosmaperr.LIBCMT ref: 03408F83
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 03408F96
GetLastError.KERNEL32 ref: 03408FB9
__dosmaperr.LIBCMT ref: 03408FC2
CloseHandle.KERNEL32(?), ref: 03408FCB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: ErrorFileHandleLast__dosmaperr$AddressCloseModulePackagedProcType___create___crt
String ID:
API String ID: 569456945-0
Opcode ID: c31f53a29872941688d3ff5b98ac973b000b2dd1e2239e58d3611f1233a99c94
Instruction ID: 564d8e66eb4ad3cc42f7c170fa9f69d2150bd5a7e81900b4541b2a6f0d922ab6
Opcode Fuzzy Hash: c31f53a29872941688d3ff5b98ac973b000b2dd1e2239e58d3611f1233a99c94
Instruction Fuzzy Hash: 2311D271B003119FD709EFB4DE44A6DBB65BB01224B184769F9219F3D0DB70D851CB50

Function 033D48BF Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 033D48C4
GetDesktopWindow.USER32 ref: 033D48F3
SetDlgItemInt.USER32(00000000), ref: 033D48FA
GetDesktopWindow.USER32 ref: 033D491C
GetDC.USER32(00000000), ref: 033D4923
SetViewportExtEx.GDI32(00000000), ref: 033D492A

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 8512147849c2680f8ff7e11077a60dfed255c10a5f1ee2a41187390a08b00cd8
Instruction ID: ec0a31db43ef14607579dceb75ff975a6b01fd3c860fda36d94fed92b6154333
Opcode Fuzzy Hash: 8512147849c2680f8ff7e11077a60dfed255c10a5f1ee2a41187390a08b00cd8
Instruction Fuzzy Hash: 2B21AE76D04259EBCB10EFE5E8C8AEDFB78AF00300F088558E5527F294DB304A44CB91

Function 033FC722 Relevance: 6.2, APIs: 4, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 033FC780
_memcpy_s.LIBCMT ref: 033FC7F2
__filbuf.LIBCMT ref: 033FC873
_memset.LIBCMT ref: 033FC8B7

Part of subcall function 033FBF95: __getptd_noexit.LIBCMT ref: 033FBF95

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 489aa8885060dc1f206dc58b40215f1e2c3fff13f482bd878ea38537d7812e47
Instruction ID: 1a9ff46059f52cfd907b43873a6301cab0887c8052a0a743a83baf37cab5357e
Opcode Fuzzy Hash: 489aa8885060dc1f206dc58b40215f1e2c3fff13f482bd878ea38537d7812e47
Instruction Fuzzy Hash: FF51C575A4030DEFDB24CF69CCC066EF7A5AF40321F98976DFA259A2D0D77099548B80

Function 033E5B6B Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033E5B70
GetDesktopWindow.USER32 ref: 033E5C6C
GetDC.USER32(00000000), ref: 033E5C73
GetTextExtentPoint32W.GDI32(00000000), ref: 033E5C7A

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPoint32TextWindow
String ID:
API String ID: 4235267150-0
Opcode ID: de51f07d78f1bc1c136ab6d3971637bcbb293becdbd358a8ff2715d8af51bdbe
Instruction ID: 3565f41af7129814fe745cd910ac5a79c89bfed9118ea017dfcff9f0e3429d7d
Opcode Fuzzy Hash: de51f07d78f1bc1c136ab6d3971637bcbb293becdbd358a8ff2715d8af51bdbe
Instruction Fuzzy Hash: 8331E3B5D09268AFEB00EFA4D9D0ABE7BA8EB06258F140159E8056F2C0C7359D448BA5

Function 033F7B07 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033F7B57
GetDesktopWindow.USER32 ref: 033F7B6B
SetWindowTextW.USER32(00000000), ref: 033F7B72
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000002,00000000), ref: 033F7B97

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: ec381c79863f8ff1a5fd144056163766d2bbdc93f01972540d1b422e1ad37440
Instruction ID: ff8be41fb5264c36a1b722136d12d707cd908e0017086368e5c8dafe25245793
Opcode Fuzzy Hash: ec381c79863f8ff1a5fd144056163766d2bbdc93f01972540d1b422e1ad37440
Instruction Fuzzy Hash: C6212AB4D4434CBFEB10DF98D8849ADFFB8AB06355F8485E9EA507A381C3710A85CB50

Function 033E7843 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 033E787B

Strings

h.I, xrefs: 033E78C2
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E78A0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memcmp
String ID: h.I$xbftzkZErMGIHumMcosuOxQ
API String ID: 2931989736-3166254412
Opcode ID: 7f515139bcfe7c43c98cded32006b589a8ae7c16d6792ad0efd9c54a3ca80e6a
Instruction ID: 1583cdbfc60219a3f410b68e3e7c12f1af336fac7454a8081bdbe3af94fea4a4
Opcode Fuzzy Hash: 7f515139bcfe7c43c98cded32006b589a8ae7c16d6792ad0efd9c54a3ca80e6a
Instruction Fuzzy Hash: B011E631A0431EBFDF14DE689C82DEE376AAB04701F504124FE14AB5D1E272E9618AD5

Function 033C34A1 Relevance: 4.6, APIs: 3, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033C34A6
_Allocate.LIBCPMT ref: 033C34FD
_memmove.LIBCMT ref: 033C3554

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateH_prolog_memmove
String ID:
API String ID: 3429787499-0
Opcode ID: 658074708cdc4eae649a0db26b8cd169f83442387c90a9b62b2c73c3739ac409
Instruction ID: 206918a267a2b83f82e326e3c66466de0e2be37af952b7e1dd8dab418ad04948
Opcode Fuzzy Hash: 658074708cdc4eae649a0db26b8cd169f83442387c90a9b62b2c73c3739ac409
Instruction Fuzzy Hash: D621D379E20245ABD725DF2CD8C056EF7B9EB84630F14862EE8129B281D734EE4187A0

Function 033F7DA6 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033F7E31
GetDC.USER32(00000000), ref: 033F7E38
GetTextExtentPointW.GDI32(00000000), ref: 033F7E3F

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentPointTextWindow
String ID:
API String ID: 2168015606-0
Opcode ID: 34179ec1ab01fb46e51d9d213df793da518cb40689f1eb82420416c5fb911d28
Instruction ID: ce39d83299991c66ef59755a391b8dfe045c9147f4370baafcaf38e715cc244d
Opcode Fuzzy Hash: 34179ec1ab01fb46e51d9d213df793da518cb40689f1eb82420416c5fb911d28
Instruction Fuzzy Hash: 4E21F374D04208EFCB11EFA4C8D49EDFF78FF04359F90849AE6156A241C7340A91CB90

Function 033F8A6D Relevance: 4.5, APIs: 3, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 033F8A85

Part of subcall function 033FC44C: __FF_MSGBANNER.LIBCMT ref: 033FC463
Part of subcall function 033FC44C: __NMSG_WRITE.LIBCMT ref: 033FC46A
Part of subcall function 033FC44C: RtlAllocateHeap.NTDLL(03430000,00000000,00000001,00000001,033E18DB,033E18DB,?,033FBDB1,00000001,00000000,00000003,00000000,?,033FBCEB,033F887B,?), ref: 033FC48F

std::exception::exception.LIBCMT ref: 033F8AA3
__CxxThrowException@8.LIBCMT ref: 033F8AB8

Part of subcall function 033F9254: RaiseException.KERNEL32(?,?,033F8890,033E18DB,00000003,?,?,?,?,?,033F8890,033E18DB,03418A94,00000003), ref: 033F92A9

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 866a3580327a6915bcf6b4839e8ed3a1980805ba4b7644266ca020c0f6258279
Instruction ID: 62dc2c2bef74ad68759ce2de6da5fa5677bb8cce0e4d71efbd9f4fb9ebb619b9
Opcode Fuzzy Hash: 866a3580327a6915bcf6b4839e8ed3a1980805ba4b7644266ca020c0f6258279
Instruction Fuzzy Hash: 92E0657484070EBEDF04FA54CCC09EEB77CEB00240FD48666EE146E591DF31CA5495A1

Function 033C3B27 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 033C3BB0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID: xbftzkZErMGIHumMcosuOxQ
API String ID: 0-1224003671
Opcode ID: 85fcaee7b6b2c7ebc8c4edf465d11f35044d0ed496444d616fdaf501723ba330
Instruction ID: 59e396a137140a44ef1d795aad777c76722c041baba8da8bfdf566b7bee8fb0e
Opcode Fuzzy Hash: 85fcaee7b6b2c7ebc8c4edf465d11f35044d0ed496444d616fdaf501723ba330
Instruction Fuzzy Hash: F2119139724394ABC624DE5D98C0D9BFBADEB45A74B00841EF9598B241C776EC0087E5

Function 033C3749 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033C37A6

Part of subcall function 033C34A1: __EH_prolog.LIBCMT ref: 033C34A6
Part of subcall function 033C34A1: _Allocate.LIBCPMT ref: 033C34FD
Part of subcall function 033C34A1: _memmove.LIBCMT ref: 033C3554

Strings

DwKoYBuJCEyytDi, xrefs: 033C37A1

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateH_prologXinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi
API String ID: 353893102-3097608044
Opcode ID: 22546fe32f267d688b738aafd157c33795ba5f82fc29e03a0732be2b4bc8fbe3
Instruction ID: a762c5db33fc761f688896ac6faaae0e80b79ee0ee4e4feee28ee0cfa282624f
Opcode Fuzzy Hash: 22546fe32f267d688b738aafd157c33795ba5f82fc29e03a0732be2b4bc8fbe3
Instruction Fuzzy Hash: 6AF04C7D9703A06FDB25E96C88C86A9B708DF01635F34899DF8619E0C2C329CD428FD2

Function 033FC902 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 033FC931
__lock_file.LIBCMT ref: 033FC952

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 499949f707b210cb84359f25b9dc2fc6103906bd2d374ade3a88cd0ccfca7f6f
Instruction ID: 0a496cb7a195c351a1a0656c10fba2d82646350c902a071fcb48455ae0655780
Opcode Fuzzy Hash: 499949f707b210cb84359f25b9dc2fc6103906bd2d374ade3a88cd0ccfca7f6f
Instruction Fuzzy Hash: 22017175C4070DEFCF21EF6A8C4099FBB65AF80320F948215F6241E1A0D7718611DF91

Function 033FC6AB Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 033FBF95: __getptd_noexit.LIBCMT ref: 033FBF95

__lock_file.LIBCMT ref: 033FC6F0

Part of subcall function 03403959: __lock.LIBCMT ref: 0340397C

__fclose_nolock.LIBCMT ref: 033FC6FB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c856f08cabe1bb5c045b07fdc8e2a0c60ef7c131cfbe08d7995d85845514d8ce
Instruction ID: c761f5f2f442b5442c43d42560aca6ae19343ad2f5e6f8c1218cd5aa86414a41
Opcode Fuzzy Hash: c856f08cabe1bb5c045b07fdc8e2a0c60ef7c131cfbe08d7995d85845514d8ce
Instruction Fuzzy Hash: DEF090B5D847099EDB20EF75888076E7B905F40330FA8A65A9664AF1D0CB7C45418F59

Function 033FCE35 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 033FCE69
__ftell_nolock.LIBCMT ref: 033FCE74

Part of subcall function 033FBF95: __getptd_noexit.LIBCMT ref: 033FBF95

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: d2ccfe2dd14cd76604589b9b918d7cf94d1ed68e9096c409461ea98669cff323
Instruction ID: 0258bc37aa82fae8473d8913cc41ec8657a3da00e8765cbc123ff94754829cd8
Opcode Fuzzy Hash: d2ccfe2dd14cd76604589b9b918d7cf94d1ed68e9096c409461ea98669cff323
Instruction Fuzzy Hash: 21F0A079E507099EDB10FFB58C8176E76A06F40335FA04A1A9120AE1E0CF788A425B99

Function 033E237A Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033E237F

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35514b894be742deec590353f36c4bd4c66099d808f2808611030d7e6ed5f43a
Instruction ID: 7f99de89c71045a7d36916e2dbdec8a403b7102cdecc5067c4e1dde6eee35e8d
Opcode Fuzzy Hash: 35514b894be742deec590353f36c4bd4c66099d808f2808611030d7e6ed5f43a
Instruction Fuzzy Hash: 06611571E4022ADBDF14DF98C9C19EEFBB9BB05701F24452AE615BA2C0D7705A81CF91

Function 033D3E8F Relevance: 1.7, APIs: 1, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D3E94

Part of subcall function 033F8A6D: _malloc.LIBCMT ref: 033F8A85

Part of subcall function 033D4630: __EH_prolog.LIBCMT ref: 033D4635

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: 0025d878f199e9186de3cb5f16c0daf5ff8ffdcd13862ad185288323c1fa19da
Instruction ID: 5282277728837b4a138b01b443e58971cdd680506e1bdb28bc3b4d6f9cd50f07
Opcode Fuzzy Hash: 0025d878f199e9186de3cb5f16c0daf5ff8ffdcd13862ad185288323c1fa19da
Instruction Fuzzy Hash: 6A51B17AE04249AFDB15DF28E8C076EF7E9AF44320F084669E415DF280DB749D408792

Function 033F77D0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033F77D5

Part of subcall function 033D24D8: __EH_prolog.LIBCMT ref: 033D24DD

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b181fa8273060b715d52741f86849bd63027ece770199a588f02b86e557053e4
Instruction ID: 63813843c3edcab93ad3554042dd73257c0ca5a6013ae8573ea8a6efef869c27
Opcode Fuzzy Hash: b181fa8273060b715d52741f86849bd63027ece770199a588f02b86e557053e4
Instruction Fuzzy Hash: D421C075E00309AFCB04EFA898C19BEBBA9AF09210F44456EE915AF340CB706A40C760

Function 033F7BE3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033F7BE8

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 09ff5b91e8a273edaba9c6f12dc66844ebd197024ca35d857f3d5f8c035f3810
Instruction ID: 7a02f02e78e4f3b7af0b59ec960bb27e6826224d45d0758f3ed69fb2eb2c40a0
Opcode Fuzzy Hash: 09ff5b91e8a273edaba9c6f12dc66844ebd197024ca35d857f3d5f8c035f3810
Instruction Fuzzy Hash: A621D53AD01208EFCF18EBE8D9D4AEDBBB4AF55340F644199D905AB280DB315F09C660

Function 033D4630 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D4635

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1916cf1d358c6f4c824e84719af36950058dd0b4fdbf36924bbf3bb01ef6757a
Instruction ID: ea742901c6971d440ca868f3435bcc00db760a939668f0b4b5e983ee70b2b3f6
Opcode Fuzzy Hash: 1916cf1d358c6f4c824e84719af36950058dd0b4fdbf36924bbf3bb01ef6757a
Instruction Fuzzy Hash: 7D115E79D00349DEDB10DFA4D8C1BEDBBB0EF04324F18452AE916AA2C1DB759544CB95

Function 033E3F6E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033E3F73

Part of subcall function 033E5B6B: __EH_prolog.LIBCMT ref: 033E5B70

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 510af84323efef3716c9d5ac451134bffa783c9b6c8064ccedd3a88a798b2a7c
Instruction ID: 5a3eff4d02e36cc41c30a63fcd0492b90c4985e50ce3bef18c2b0bcbc684e04e
Opcode Fuzzy Hash: 510af84323efef3716c9d5ac451134bffa783c9b6c8064ccedd3a88a798b2a7c
Instruction Fuzzy Hash: 11017C35D0121CBACB20EA95C888FDFBF7CEB49A64F004056F508AA281CB708604C7F1

Function 033EB587 Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,033EB55F,00000002,00000001,00000B83,00005234,00000001,000069A2,00005100), ref: 033EB5CB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 21fb7cc55f5240f5c1f7a1ee84f6c50729cb9b845d95d1399434ccb8d02b4c5b
Instruction ID: 073cde2740a0ed7743b26fd013bb9f580798caa16a185f5cdd0319e648ebe55e
Opcode Fuzzy Hash: 21fb7cc55f5240f5c1f7a1ee84f6c50729cb9b845d95d1399434ccb8d02b4c5b
Instruction Fuzzy Hash: DDF0C271248248AFFF02DF64ED86BFA7BA89B41708F080084F90D9E1D2C67598A1C760

Function 033DDA35 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033DDA3A

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3a2db44ef9ef1fd353790f469fd5909d0038a25b21f853cb3383b1d346fb3169
Instruction ID: b32b4580269d3fc229ae5dee10a781d6920e968f937abf0e3398906dea23ed5b
Opcode Fuzzy Hash: 3a2db44ef9ef1fd353790f469fd5909d0038a25b21f853cb3383b1d346fb3169
Instruction Fuzzy Hash: D7E08C76E046589FC718EF98E4803ADB7A4EF04200F00469EA4895F340EBB40E018B85

Non-executed Functions

Function 03401875 Relevance: 30.5, APIs: 15, Strings: 2, Instructions: 773COMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 03401A4C
__aulldvrm.LIBCMT ref: 034020C6
_write_multi_char.LIBCMT ref: 03402243
_write_string.LIBCMT ref: 0340226C
_write_multi_char.LIBCMT ref: 0340228E
__cftof.LIBCMT ref: 034022C6
_write_string.LIBCMT ref: 034022F7
_write_string.LIBCMT ref: 0340232B
_write_multi_char.LIBCMT ref: 03402357
_free.LIBCMT ref: 0340236E

Strings

g, xrefs: 03401DB0
, xrefs: 03402203

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _write_multi_char_write_string$__cftof$__aulldvrm_free
String ID: $g
API String ID: 4283718489-3845294767
Opcode ID: c7a0b276f864477969a1c3bcaec8a9f50c80ee83691e420dd965081e8ba37ea8
Instruction ID: 1be3d7dc27a4942ba1f3654ae8b9ad636a2f06e16448b7083d031047cbaf0363
Opcode Fuzzy Hash: c7a0b276f864477969a1c3bcaec8a9f50c80ee83691e420dd965081e8ba37ea8
Instruction Fuzzy Hash: 64528F75B046288BEB25CA18CC447AAB7F5BB40314F1885FBD599AF2D0DB719E81CF84

Function 033DBB9C Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1072COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033DC2A7

Strings

inity, xrefs: 033DBF12
j, xrefs: 033DC112

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove
String ID: inity$j
API String ID: 4104443479-3329007786
Opcode ID: 2ba151d3c4228a14a204f6a94b0420ac04a1a4b44400a49c2d4cd48b60e15c97
Instruction ID: 33bf7a3b4aef712cc566789c495cf449f9ecec0e8f7963499907f7f75232509a
Opcode Fuzzy Hash: 2ba151d3c4228a14a204f6a94b0420ac04a1a4b44400a49c2d4cd48b60e15c97
Instruction Fuzzy Hash: 9192C172D106099BDF19CFA9E9D06ADFBB9FF45350F28926AE415FB250E7308981CB40

Function 033DA82A Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 922COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033DB07A

Strings

Infinity, xrefs: 033DA8A0
NaN, xrefs: 033DA8B7

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove
String ID: Infinity$NaN
API String ID: 4104443479-4285296124
Opcode ID: 14a281c616c90a4a5d746a998c58890f390b263017819a6af4f8fa72cd275a16
Instruction ID: fd4343a82fb5142db9e19d04827662911662e75f9a1f2d3eeeee4361cc23f092
Opcode Fuzzy Hash: 14a281c616c90a4a5d746a998c58890f390b263017819a6af4f8fa72cd275a16
Instruction Fuzzy Hash: 8272C273D106099FDF16DFB8E9907ADF7B9EF05350F15826AE812BB240E77499428B40

Function 033F4213 Relevance: 4.6, APIs: 3, Instructions: 139COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033F423D
_memset.LIBCMT ref: 033F4265
_memset.LIBCMT ref: 033F42B0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 39854f4c7c8c96835557c93b2be0a52577e2c1d1d299cb158765d7c2349f738a
Instruction ID: a9bdf156fe8750205ecadd8db4149b7a5088fc3aa9c1d6eaf2a3e9b29ef40bcf
Opcode Fuzzy Hash: 39854f4c7c8c96835557c93b2be0a52577e2c1d1d299cb158765d7c2349f738a
Instruction Fuzzy Hash: D841F2766192C19FCB06CF6D8CC099ABF689F6A11079D83D6EE98CF347C120D545C7A1

Function 033F2F72 Relevance: 4.6, APIs: 3, Instructions: 130COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033F2F9B
_memset.LIBCMT ref: 033F2FC1
_memset.LIBCMT ref: 033F300E

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: e1cf7a4849ae17f2b3e71ceecc07b82d9542eb943d80f1f72b30f71d3d9f1040
Instruction ID: b5625c0b15e988fb0fd8b50ac66c3e5b2adb0e6efbb91c4e1b703636418421a4
Opcode Fuzzy Hash: e1cf7a4849ae17f2b3e71ceecc07b82d9542eb943d80f1f72b30f71d3d9f1040
Instruction Fuzzy Hash: D7416326219BC6AFC31ACE6C4C4069AFF746F36104B488A5DD9D5A7B43C210F669C7F1

Function 033E19F3 Relevance: 3.2, Strings: 2, Instructions: 678COMMON

Download Yara Rule

Strings

hwA, xrefs: 033E1C70
r, xrefs: 033E1C42

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Ucopy$AllocateErrorLast
String ID: hwA$r
API String ID: 3596851790-2805155317
Opcode ID: 80dabcf5b99dec776cc5eb69493c654803dee8e5d5bd31f621508530ffa7a732
Instruction ID: a1a0e19bc2278241e8ea34f35ba9905d31b93273f12dcd47b1255aa1692068e6
Opcode Fuzzy Hash: 80dabcf5b99dec776cc5eb69493c654803dee8e5d5bd31f621508530ffa7a732
Instruction Fuzzy Hash: CF524AB5D00269DFDB14DFA8CC85AEEBBB8FB08314F1445AAE519BB281D7705A84CF50

Function 03405C54 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,033E18DB,03400E9D,033E15B3,?,?,00000001), ref: 03405C59
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 03405C62

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c9851a18540c480e5fe1dc15fb634378450868fdd10de81e8de92b17d8d6be36
Instruction ID: c44d7fe2ad00cd60a8644fc9bc9b4fbc1d17725c958261db49b1edf0639b8252
Opcode Fuzzy Hash: c9851a18540c480e5fe1dc15fb634378450868fdd10de81e8de92b17d8d6be36
Instruction Fuzzy Hash: 7AB09235244618ABCB003B91EA0DB48BFA8EB1865AF000810F60D5C0548BB254A08A92

Function 054D11A4 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,054DBB0A,053B768C,00000001,?,054DBC21,053B768C,00000017), ref: 054D11A9
UnhandledExceptionFilter.KERNEL32(053B768C,?,054DBB0A,053B768C,00000001,?,054DBC21,053B768C,00000017), ref: 054D11B2

Memory Dump Source

Source File: 00000003.00000002.2225059714.00000000053B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000003.00000002.2225041734.00000000053B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225178708.000000000550A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225480615.000000000597D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2225501466.000000000597F000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e36165df1545106837280dbbdd89df05eec4e20ed3138039d6b4e4555c9e5fb8
Instruction ID: 57fbf628a0963b195cb6ef66c1c39cf7813987eac6506c36f3b9274857eb3c4e
Opcode Fuzzy Hash: e36165df1545106837280dbbdd89df05eec4e20ed3138039d6b4e4555c9e5fb8
Instruction Fuzzy Hash: B7B0923105830CABCA002BD1E80AF98BF28EF84662F000092F60E440608FA29452CA91

Function 033F32C0 Relevance: 2.7, Strings: 1, Instructions: 1481COMMON

Download Yara Rule

Strings

, xrefs: 033F414F

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a4470279a48336228fde924ff18bbe219d090bf31e434a1a5ace179a9b4b31ac
Instruction ID: 0068f641ad24e6523834bead43631900c29ffdd5f83ccf41204ce8b9d3403a1c
Opcode Fuzzy Hash: a4470279a48336228fde924ff18bbe219d090bf31e434a1a5ace179a9b4b31ac
Instruction Fuzzy Hash: 2EC28472F002288BDF58CFADD8916EDB7F2EB88314B19816DE816E7341D639DD418B94

Function 03403440 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(033FD4CC,03418CE0,00000008,033FD6A2,?,00000001,?,03418D00,0000000C,033FD641,?,00000001,?), ref: 03403440

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a82249d5f4d5190140d432a435af39593e152578eaae9cd37679deb18eb9f090
Instruction ID: 75af8b502fd2ecd4d3b4139d204baf5fb053a707cacbf0f212e5d451b0ac614c
Opcode Fuzzy Hash: a82249d5f4d5190140d432a435af39593e152578eaae9cd37679deb18eb9f090
Instruction Fuzzy Hash: AFB012F07019124747081B38761411935E47709201300043D7003D9184FF70C460AB01

Function 033FB1F2 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: cbbb0a3d82b6f037d8815dcb85de1ebee62ee7d15e603aafb6672caa11073ec3
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: F7C183722051534EDF2DCA39C8B407EFAE55E916B235E07ADE5B7CB2D5EF10C1648A10

Function 033FB627 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 50c0b3a27dcd46ed64b76c5969fa7a06d2ab6725692e2b3e25da740338e6c57d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: D5C182722051934DDF2D8639C8B407EFAE55E926B235E07ADE5B7CB2D5EF20C124CA20

Function 033FADBD Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 6ef34da51362a98958aacac7a4e1617505171af3e9ad63d29dbf0eafce59005b
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 9CC172722091930EDF2DC639C8B407EFAE55E916B235E07ADE5B7CB2D5EF10C1249A20

Function 033FA9A5 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: d1db977e587ff478e0aa80491c5051fb50e0c4eb1624684235303c8e50a0fee3
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: E8C172322050930EDF1DC63988B407EFAE55E916B234E17ADE5BBCB2D5EF20C1649E20

Function 033DD4CD Relevance: .1, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4276d584c1f5c006257fe31dd3ef6eb184690ec9de3ac06d1b8c782a16b778f
Instruction ID: b8916a7e0e9e3412c4a465f030ad446c7ef7f55e2985e0b6aaef00598bc7cf15
Opcode Fuzzy Hash: e4276d584c1f5c006257fe31dd3ef6eb184690ec9de3ac06d1b8c782a16b778f
Instruction Fuzzy Hash: 62216053B158290BB788D53D9C8073A72D7DBDC68534DC231E959CB389EA30D923D291

Function 033FA2E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 11f4478d1dcbb3894b800ca402d031cab3076310025c2679cef0faaefc680590
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A5112BB72081814FD704CA2DDCF45BAE399EBC52217EC837BDB8A4B758D222E1459D00

Function 033DC8F0 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 319windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033DC989
GetDC.USER32(00000000), ref: 033DC98C
GetTextExtentPointW.GDI32(00000000,?,00000000), ref: 033DC98F
GetSysColorBrush.USER32(0000196A), ref: 033DC9F7
GetDesktopWindow.USER32 ref: 033DCA0E
SetWindowTextW.USER32(00000000), ref: 033DCA11
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,?,?,00000000), ref: 033DCA39
GetDesktopWindow.USER32 ref: 033DCA98
SetDlgItemInt.USER32(00000000,?,00000000), ref: 033DCA9B
GetDesktopWindow.USER32 ref: 033DCABE
GetDC.USER32(00000000), ref: 033DCAC1
SetViewportExtEx.GDI32(00000000,?,00000000), ref: 033DCAC4
_memset.LIBCMT ref: 033DCB4D
_memset.LIBCMT ref: 033DCBA1

Strings

jt, xrefs: 033DCC0D, 033DCC1D
jt, xrefs: 033DCADF, 033DCB03, 033DCAE2, 033DCB49, 033DCB9D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text_memset$BrushColorExtentFormatItemMessagePointViewport
String ID: jt$jt
API String ID: 967997722-2819724509
Opcode ID: ae8c183187b41c1640bda7e0478b2d7313f8773c2a359461aa0f1f2b232bc9ef
Instruction ID: 790642a2a4f39d7f5c6f17248400e405dbd02cfa0c4b6d4525ce02f7d1101cf1
Opcode Fuzzy Hash: ae8c183187b41c1640bda7e0478b2d7313f8773c2a359461aa0f1f2b232bc9ef
Instruction Fuzzy Hash: 06C1D1B1D5834AAADB15CFA8E8C47EDFFB9FF85304F189199D4416B281C3704686CB90

Function 033C8D0E Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 284libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 033C90FE

Strings

;, xrefs: 033C8F33
4, xrefs: 033C8F13
A, xrefs: 033C8D91
W, xrefs: 033C8D7D
B, xrefs: 033C8D45
%, xrefs: 033C8F6B
T, xrefs: 033C8D89
V, xrefs: 033C8D75
', xrefs: 033C8D4D
", xrefs: 033C8F5B
., xrefs: 033C8D55
(, xrefs: 033C8F0B
^, xrefs: 033C8D6D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: "$%$'$($.$4$;$A$B$T$V$W$^
API String ID: 190572456-504311776
Opcode ID: f80374c12d7376f2b64a057fec01b6efc6f7fed6e3ed162e6ec0ffd9e89f9857
Instruction ID: a4637b4e4f946aff0518c0ef4321160d7accfb15fb1588520befa649a7b19643
Opcode Fuzzy Hash: f80374c12d7376f2b64a057fec01b6efc6f7fed6e3ed162e6ec0ffd9e89f9857
Instruction Fuzzy Hash: 03E17B309182DDCEDF15CBB8D9987EDBFB0AF06305F1441ADD495AB282D3790A44CB21

Function 033DFAE6 Relevance: 19.7, APIs: 13, Instructions: 185windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033DFAEB
GetDesktopWindow.USER32 ref: 033DFB7F
GetDC.USER32(00000000), ref: 033DFB82
GetTextExtentPointW.GDI32(00000000), ref: 033DFB89
GetSysColorBrush.USER32(0000196A), ref: 033DFC04
GetDesktopWindow.USER32 ref: 033DFC1B
SetWindowTextW.USER32(00000000), ref: 033DFC1E
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,?,00000002), ref: 033DFC46
GetDesktopWindow.USER32 ref: 033DFCC8
SetDlgItemInt.USER32(00000000), ref: 033DFCCB
GetDesktopWindow.USER32 ref: 033DFCEE
GetDC.USER32(00000000), ref: 033DFCF1
SetViewportExtEx.GDI32(00000000), ref: 033DFCF8

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatH_prologItemMessagePointViewport
String ID:
API String ID: 3397956014-0
Opcode ID: a564e5540167363e4b52042aabe720df89fc27d976cefcac8c670ed3e1de28ff
Instruction ID: a2aa12201c6dc544272c1f782c4ddc17469c74273332eb3308191cd50519f9ee
Opcode Fuzzy Hash: a564e5540167363e4b52042aabe720df89fc27d976cefcac8c670ed3e1de28ff
Instruction Fuzzy Hash: 07716EB5D0425AEFDF14EFA8E9896BEFBB8EF48305F144459D506BB280D7344680CBA1

Function 033D41D7 Relevance: 19.7, APIs: 13, Instructions: 179windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D41DC
GetDesktopWindow.USER32 ref: 033D4270
GetDC.USER32(00000000), ref: 033D4273
GetTextExtentPointW.GDI32(00000000), ref: 033D427A
GetSysColorBrush.USER32(0000196A), ref: 033D4303
GetDesktopWindow.USER32 ref: 033D431A
SetWindowTextW.USER32(00000000), ref: 033D431D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033D4345
GetDesktopWindow.USER32 ref: 033D43AE
SetDlgItemInt.USER32(00000000), ref: 033D43B1
GetDesktopWindow.USER32 ref: 033D43D3
GetDC.USER32(00000000), ref: 033D43D6
SetViewportExtEx.GDI32(00000000), ref: 033D43DD

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatH_prologItemMessagePointViewport
String ID:
API String ID: 3397956014-0
Opcode ID: 70e1b83a219ee7389b8267a30b6bb3db730c28a59c5a219be959011184641f86
Instruction ID: f8dd4534f20fa928403a49193806df760d9b643439ba27f469c28ab923adab9b
Opcode Fuzzy Hash: 70e1b83a219ee7389b8267a30b6bb3db730c28a59c5a219be959011184641f86
Instruction Fuzzy Hash: E171AF75D00249EFDB14DFA9E9885EEBBB5FF48311F24855AE8157B280CB304B80CBA1

Function 033E1281 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 370COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033E1346
_memmove.LIBCMT ref: 033E1378
_memmove.LIBCMT ref: 033E13AD
_memmove.LIBCMT ref: 033E1435
_memmove.LIBCMT ref: 033E14AC
_memmove.LIBCMT ref: 033E1517
_memmove.LIBCMT ref: 033E155B
_memmove.LIBCMT ref: 033E1598
std::_Xinvalid_argument.LIBCPMT ref: 033E15C5

Strings

DwKoYBuJCEyytDi, xrefs: 033E15C0
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E15CA

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: eda37bda52846bda73902b69640fc7329a2b3c8f640bb127c34699ef462d85dc
Instruction ID: 69df6cb07e8a0a9ca6ecdb119c7aaefe8dbe4a593516a718544a6382016b10c7
Opcode Fuzzy Hash: eda37bda52846bda73902b69640fc7329a2b3c8f640bb127c34699ef462d85dc
Instruction Fuzzy Hash: 3DD12875F00729DFCB20CF58D9C199AB7F9BF48740B14492AE9568B780D730EA91CBA1

Function 033D53DF Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D5434
GetDesktopWindow.USER32 ref: 033D5448
SetWindowTextW.USER32(00000000), ref: 033D544B
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,null,00000000,00000000), ref: 033D5470
GetDesktopWindow.USER32 ref: 033D54DD
SetDlgItemInt.USER32(00000000), ref: 033D54E0
GetDesktopWindow.USER32 ref: 033D5502
GetDC.USER32(00000000), ref: 033D5505
SetViewportExtEx.GDI32(00000000), ref: 033D550C

Strings

\u%04X, xrefs: 033D555B
null, xrefs: 033D5410

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID: \u%04X$null
API String ID: 654738355-3369567502
Opcode ID: be81b57ad9411885a58121872e738ea3ce07ea2a0fcba25992406924ad5f0460
Instruction ID: 87ddff1468ef3ee2fc3c23062fc08173ed956c18eccc5f8f2e466e52926516fb
Opcode Fuzzy Hash: be81b57ad9411885a58121872e738ea3ce07ea2a0fcba25992406924ad5f0460
Instruction Fuzzy Hash: D651BEB6D44348BFEF11DFA9E8849AEBFB9BF02315F188499E4527B281C7314684CB51

Function 033D55A1 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D55F6
GetDesktopWindow.USER32 ref: 033D560A
SetWindowTextW.USER32(00000000), ref: 033D560D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,null,00000000,00000000), ref: 033D5632
GetDesktopWindow.USER32 ref: 033D569F
SetDlgItemInt.USER32(00000000), ref: 033D56A2
GetDesktopWindow.USER32 ref: 033D56C4
GetDC.USER32(00000000), ref: 033D56C7
SetViewportExtEx.GDI32(00000000), ref: 033D56CE

Strings

\u%04X, xrefs: 033D571D
null, xrefs: 033D55D2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID: \u%04X$null
API String ID: 654738355-3369567502
Opcode ID: 08e839e4ce981c478dc5d07b9f5eb78870e5295d875ac483430f71c050d7d721
Instruction ID: 455ffb9652967e5790f2ee4d24864467ff3757b2552a33e3f439a8d782eeb1ca
Opcode Fuzzy Hash: 08e839e4ce981c478dc5d07b9f5eb78870e5295d875ac483430f71c050d7d721
Instruction Fuzzy Hash: 0B51ACB6E85349FBEF10DFA8E8C49ADBFB8AF06314F188499E4517B281C7314684CB50

Function 033E0120 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 033E0171

Part of subcall function 033C1070: std::exception::exception.LIBCMT ref: 033F8848
Part of subcall function 033C1070: __CxxThrowException@8.LIBCMT ref: 033F885D

_memset.LIBCMT ref: 033E0189
_memmove.LIBCMT ref: 033E0199
_memmove.LIBCMT ref: 033E01AC
_memmove.LIBCMT ref: 033E01F3
_memset.LIBCMT ref: 033E020B
_memmove.LIBCMT ref: 033E0230
_memmove.LIBCMT ref: 033E024E
_memset.LIBCMT ref: 033E025B
std::_Xinvalid_argument.LIBCPMT ref: 033E027B

Strings

EQsxisSNUMqiHowmSY, xrefs: 033E0276

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$_memset$AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2080731275-3797114014
Opcode ID: d5eba139731be5ad23f3a26c3a166d82336c1f541ee6bfe7a79ea62bfe1a8a64
Instruction ID: 8dd8d669e3f757a9bae54da49fd86a2caa5e0169936a1c546e5a393a9b20ae38
Opcode Fuzzy Hash: d5eba139731be5ad23f3a26c3a166d82336c1f541ee6bfe7a79ea62bfe1a8a64
Instruction Fuzzy Hash: D84121B590121AAFCB08DF6DCDC49AEBBA9FF49210B148529F919DB640D770ED20CB94

Function 033D92F3 Relevance: 18.2, APIs: 12, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033D9385
GetDC.USER32(00000000), ref: 033D9388
GetTextExtentPointW.GDI32(00000000), ref: 033D938F
GetDesktopWindow.USER32 ref: 033D93E8
SetDlgItemInt.USER32(00000000), ref: 033D93EB
GetDesktopWindow.USER32 ref: 033D940E
GetDC.USER32(00000000), ref: 033D9411
SetViewportExtEx.GDI32(00000000), ref: 033D9418
GetSysColorBrush.USER32(0000196A), ref: 033D94B0
GetDesktopWindow.USER32 ref: 033D94C7
SetWindowTextW.USER32(00000000), ref: 033D94CA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,Function_00010C5B,00000000), ref: 033D94F2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: ec944a3025d0835daea70d01fe836f4a904ae64adb17c55530918b1ccb464804
Instruction ID: fe33d6a3ce4ebf78e5b9d142c64d1f6c65ee0a3fa6e1cdd7e45a0ce9612ddc3a
Opcode Fuzzy Hash: ec944a3025d0835daea70d01fe836f4a904ae64adb17c55530918b1ccb464804
Instruction Fuzzy Hash: D77159B1D04248FADB11DFA4E888BEEBBB8EF44315F14C4A9E855AA281D3348684CF50

Function 033D9536 Relevance: 18.2, APIs: 12, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033D95C8
GetDC.USER32(00000000), ref: 033D95CB
GetTextExtentPointW.GDI32(00000000), ref: 033D95D2
GetDesktopWindow.USER32 ref: 033D962B
SetDlgItemInt.USER32(00000000), ref: 033D962E
GetDesktopWindow.USER32 ref: 033D9651
GetDC.USER32(00000000), ref: 033D9654
SetViewportExtEx.GDI32(00000000), ref: 033D965B
GetSysColorBrush.USER32(0000196A), ref: 033D96F3
GetDesktopWindow.USER32 ref: 033D970A
SetWindowTextW.USER32(00000000), ref: 033D970D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,Function_00010C5B,00000000,?,00000000,00003CD6), ref: 033D9735

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: 60f0cac0832e6c2e733e02b41425b0a85e1552e182b8e182039e9f5aee7f0823
Instruction ID: f0f6c1dada26496a194e8ff80cc38dd44f73bcd94547699d83d79308ba0ce8d6
Opcode Fuzzy Hash: 60f0cac0832e6c2e733e02b41425b0a85e1552e182b8e182039e9f5aee7f0823
Instruction Fuzzy Hash: 7B714871D04248FEDB11DFA4E888BEEBFB9EF45315F1484A9E855AA281D7358680CF50

Function 033E68CB Relevance: 18.2, APIs: 12, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033E695D
GetDC.USER32(00000000), ref: 033E6960
GetTextExtentPointW.GDI32(00000000), ref: 033E6967
GetSysColorBrush.USER32(0000196A), ref: 033E69DF
GetDesktopWindow.USER32 ref: 033E69F3
SetWindowTextW.USER32(00000000), ref: 033E69F6
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,FFFFFFFE,?,00000000,00003B8A,?,00000001), ref: 033E6A1B
GetDesktopWindow.USER32 ref: 033E6A77
SetDlgItemInt.USER32(00000000), ref: 033E6A7A
GetDesktopWindow.USER32 ref: 033E6A9C
GetDC.USER32(00000000), ref: 033E6A9F
SetViewportExtEx.GDI32(00000000), ref: 033E6AA6

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: 607aad59366488f6ae55aa378cebf7811b8a2c1c783d98e534b56646a1d6ec33
Instruction ID: a8276f9ff34b77e378a9decf6f20b90c8cfa02858c9d13412e1f0871dd9d9b0b
Opcode Fuzzy Hash: 607aad59366488f6ae55aa378cebf7811b8a2c1c783d98e534b56646a1d6ec33
Instruction Fuzzy Hash: 356155B4E843A8EFDF10DFA4C8969AEFFB8EB15305F148499E5617B281C2354A85CF50

Function 033FE92E Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00000001,033FD56B,03418CE0,00000008,033FD6A2,?,00000001,?,03418D00,0000000C,033FD641,?,00000001,?), ref: 033FE936
_free.LIBCMT ref: 033FE94F

Part of subcall function 033FC414: RtlFreeHeap.NTDLL(00000000,00000000,?,033FFB6E,00000000,00000001,00000000,00000003,00000000,?,033FBCEB,033F887B,?), ref: 033FC428
Part of subcall function 033FC414: GetLastError.KERNEL32(00000000,?,033FFB6E,00000000,00000001,00000000,00000003,00000000,?,033FBCEB,033F887B,?), ref: 033FC43A

_free.LIBCMT ref: 033FE962
_free.LIBCMT ref: 033FE980
_free.LIBCMT ref: 033FE992
_free.LIBCMT ref: 033FE9A3
_free.LIBCMT ref: 033FE9AE
_free.LIBCMT ref: 033FE9D2
EncodePointer.KERNEL32(034748D0), ref: 033FE9D9
_free.LIBCMT ref: 033FE9EE
_free.LIBCMT ref: 033FEA04
_free.LIBCMT ref: 033FEA2C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 4ff7ea172fda66c1d76fc2e0c7894bdcb3dd603b960cd51a2da7347e53e8903c
Instruction ID: 36c9c2d30347b281d9346f7d95fb3842de7033efb8dbdb1be86eb895c923db7a
Opcode Fuzzy Hash: 4ff7ea172fda66c1d76fc2e0c7894bdcb3dd603b960cd51a2da7347e53e8903c
Instruction Fuzzy Hash: 5D21A57AD01A618FD622FF25E9C052677E4FB05760388593ADA857F258DB3848C1CBA0

Function 033EC20F Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 429COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033EC214
QueryDosDeviceW.KERNEL32(00000000,00000000,00000752,00000000), ref: 033EC239
char_traits.LIBCPMT ref: 033EC338

Strings

\, xrefs: 033EC3BC
\..\, xrefs: 033EC32F, 033EC337, 033EC340, 033EC603, 033EC618, 033EC718

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DeviceH_prologQuerychar_traits
String ID: \$\..\
API String ID: 1264856077-605892584
Opcode ID: 5e6b0a548c63ed009dda9de61a92acecf49d6bc5ccb883da57d9e15eb7accc52
Instruction ID: c170466a5b74e8916b403575948e4f25dbc6a4c120245c7dd9c84762e3ffb222
Opcode Fuzzy Hash: 5e6b0a548c63ed009dda9de61a92acecf49d6bc5ccb883da57d9e15eb7accc52
Instruction Fuzzy Hash: 91F14AB5E04229AFDF14DFA8C8C5AEEBBB9EB08304F145069E515BA2C1D7745E80CF61

Function 033F48CB Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033F491F
GetDesktopWindow.USER32 ref: 033F4933
SetWindowTextW.USER32(00000000), ref: 033F4936
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033F495B
GetDesktopWindow.USER32 ref: 033F49DB
SetDlgItemInt.USER32(00000000), ref: 033F49DE
GetDesktopWindow.USER32 ref: 033F4A08
GetDC.USER32(00000000), ref: 033F4A0B
SetViewportExtEx.GDI32(00000000), ref: 033F4A12
_abort.LIBCMT ref: 033F4A18

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport_abort
String ID:
API String ID: 50134168-0
Opcode ID: b6be79c296d25467a7d27852670a75a97c1b56ed13afeac7497ceb2a70bd0e40
Instruction ID: 27f4c29045509327dda4162e91ff4b3c37f85310e7802096b5552d4d4b83f2c0
Opcode Fuzzy Hash: b6be79c296d25467a7d27852670a75a97c1b56ed13afeac7497ceb2a70bd0e40
Instruction Fuzzy Hash: E0416DB4E88388BEDF10DFE9D88999EBF78AB01315F448599E6517A281D2354684CF50

Function 033D5173 Relevance: 13.6, APIs: 9, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D51E8
GetDesktopWindow.USER32 ref: 033D51FC
SetWindowTextW.USER32(00000000), ref: 033D51FF
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000400,?,00000000,75A89CE0,00000000), ref: 033D5224
GetDesktopWindow.USER32 ref: 033D528C
SetDlgItemInt.USER32(00000000,?,00000000,75A89CE0), ref: 033D528F
GetDesktopWindow.USER32 ref: 033D52B1
GetDC.USER32(00000000), ref: 033D52B4
SetViewportExtEx.GDI32(00000000,?,00000000,75A89CE0), ref: 033D52BB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID:
API String ID: 654738355-0
Opcode ID: 80e458f3643f25050b72bbeaba1e7d642b237cc27d35a7ee843ae5ab012f7a47
Instruction ID: d7dc16a4c4c112876849b02ce58942f4f09fad743c2ac1d72d7a2c709e4e9d83
Opcode Fuzzy Hash: 80e458f3643f25050b72bbeaba1e7d642b237cc27d35a7ee843ae5ab012f7a47
Instruction Fuzzy Hash: 0841A0B5941389EFEF10DF98ED889AEBBB8EF02305F044459F8116F281C7708A58DB90

Function 033D4ADE Relevance: 13.6, APIs: 9, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D4B4A
GetDesktopWindow.USER32 ref: 033D4B61
SetWindowTextW.USER32(00000000), ref: 033D4B64
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,00000000,00000002), ref: 033D4B8C
GetDesktopWindow.USER32 ref: 033D4BF6
SetDlgItemInt.USER32(00000000,?,00000000,00000002), ref: 033D4BF9
GetDesktopWindow.USER32 ref: 033D4C1C
GetDC.USER32(00000000), ref: 033D4C1F
SetViewportExtEx.GDI32(00000000,?,00000000,00000002), ref: 033D4C26

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID:
API String ID: 654738355-0
Opcode ID: 1ea390054a0f76c8673074b5734a42b1861182603e7cfcf0bf05bc3a72da47ed
Instruction ID: 02e2f9771195d72f99404f7e1ff07a7fcfda7d8a0d853bea04621083cb2005d9
Opcode Fuzzy Hash: 1ea390054a0f76c8673074b5734a42b1861182603e7cfcf0bf05bc3a72da47ed
Instruction Fuzzy Hash: 0441ADB1D04348FEEB14DFAAE888BADFFB8AF94305F08C599E4546A181CA754685CB10

Function 033C13C5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 033C1417

Part of subcall function 033DD594: std::exception::exception.LIBCMT ref: 033F8848
Part of subcall function 033DD594: __CxxThrowException@8.LIBCMT ref: 033F885D

_Ucopy.LIBCPMT ref: 033C1436
_Ucopy.LIBCPMT ref: 033C1444
_Ucopy.LIBCPMT ref: 033C1428

Part of subcall function 033C1575: _memmove.LIBCMT ref: 033C1589

_Ucopy.LIBCPMT ref: 033C147D
std::_Xinvalid_argument.LIBCPMT ref: 033C14A8

Strings

EQsxisSNUMqiHowmSY, xrefs: 033C14A3

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Ucopy$AllocateException@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 1826209128-3797114014
Opcode ID: e28e8759e1d3d048229942dd7d50e29293b17c0478dca618293cdf2056d9e8ea
Instruction ID: a405a993ee323c89bb6c2714a44a0f711c17158ff66fc12a7c753e11eaa7ac9b
Opcode Fuzzy Hash: e28e8759e1d3d048229942dd7d50e29293b17c0478dca618293cdf2056d9e8ea
Instruction Fuzzy Hash: 872182B6E20249BFCB15DF68CC85CAABBA9FB44310B14462DF8159B251DB31ED20DB90

Function 033FD30D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCompleteObject.LIBCMT ref: 033FD32E
FindMITargetTypeInstance.LIBCMT ref: 033FD367

Part of subcall function 033FCFCD: PMDtoOffset.LIBCMT ref: 033FD05F

FindVITargetTypeInstance.LIBCMT ref: 033FD36E
PMDtoOffset.LIBCMT ref: 033FD37F
std::bad_exception::bad_exception.LIBCMT ref: 033FD3A8
__CxxThrowException@8.LIBCMT ref: 033FD3B6

Strings

ekLDdEOoyHpNjyypF, xrefs: 033FD3A0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Find$InstanceOffsetTargetType$CompleteException@8ObjectThrowstd::bad_exception::bad_exception
String ID: ekLDdEOoyHpNjyypF
API String ID: 1565299582-2829376797
Opcode ID: a9f5fd25fb4702b7fc773c85323063fd7a4660628394e3dc1635d1a5f80780e1
Instruction ID: 2682b1698add4a2819a5d424c482d41f2b101e3eca0a69f21d1cc14d995ac1af
Opcode Fuzzy Hash: a9f5fd25fb4702b7fc773c85323063fd7a4660628394e3dc1635d1a5f80780e1
Instruction Fuzzy Hash: 5421A5B6E007099FCB14DFA4CDC9AAEB768AF48710F94444AEB159B285DB34D901CB50

Function 033E15D5 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033E1669
_memmove.LIBCMT ref: 033E16C9
_memmove.LIBCMT ref: 033E16F1
std::_Xinvalid_argument.LIBCPMT ref: 033E1727

Strings

DwKoYBuJCEyytDi, xrefs: 033E15C0, 033E1722
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E15CA, 033E1718

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: 23766bb10d799ec04aa413c1f598e50d7db9e73dcaa958bbea0f1b959572a83a
Instruction ID: 4e822c15629680bc6e7abcff133d5e9713b9349fa2e570fbfcf40c5579f4dcaa
Opcode Fuzzy Hash: 23766bb10d799ec04aa413c1f598e50d7db9e73dcaa958bbea0f1b959572a83a
Instruction Fuzzy Hash: CA51C235F10325DBDB24CE5CDDC0A6AB7AAEF80A00B18092DF8528B6C0C770DD51DBA1

Function 033D44E8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033D4550
std::_Xinvalid_argument.LIBCPMT ref: 033D4588
_memmove.LIBCMT ref: 033D45FE
std::_Xinvalid_argument.LIBCPMT ref: 033D462A

Strings

DwKoYBuJCEyytDi, xrefs: 033D4583, 033D4625
xbftzkZErMGIHumMcosuOxQ, xrefs: 033D4579

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: cbae6a63d969238cb35c50a235ee46780133ffb5117625a3d2820ec9d9ecc5ab
Instruction ID: 2b32120ab661d246720fcba529b57d83423702e8cee436fa7401bca5ed45f6c0
Opcode Fuzzy Hash: cbae6a63d969238cb35c50a235ee46780133ffb5117625a3d2820ec9d9ecc5ab
Instruction Fuzzy Hash: 2941D8367003059FD734DE6EECC4A5AB7AAEB41620B04092DF996CB781CF70E845CB95

Function 033E7907 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033E7982
_memmove.LIBCMT ref: 033E79C5
_memmove.LIBCMT ref: 033E79EF
std::_Xinvalid_argument.LIBCPMT ref: 033E7A1B

Strings

DwKoYBuJCEyytDi, xrefs: 033E7A16
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E7A20

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: ca06594b892571769106b4f64b6732f33997ec6fd6af2842c89a699726ca5625
Instruction ID: 65379cfd6536b3b2a261aa44eda7cb82d8d83bb7c07803e024ea3e507a22bce5
Opcode Fuzzy Hash: ca06594b892571769106b4f64b6732f33997ec6fd6af2842c89a699726ca5625
Instruction Fuzzy Hash: FE418035610225DFDB38CF5CD8C096AB7A6EF846407244A2EF9A28B7C5D731E941CBA1

Function 033D77FC Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D7801
GetDesktopWindow.USER32 ref: 033D7834
SetDlgItemInt.USER32(00000000,?,00000000), ref: 033D783B
GetDesktopWindow.USER32 ref: 033D785D
GetDC.USER32(00000000), ref: 033D7864
SetViewportExtEx.GDI32(00000000,?,00000000), ref: 033D786B
__aulldvrm.LIBCMT ref: 033D78C5

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: c2265dd6a925263f7767e547d4e32d60f5d414bd3600fefbf7397dd9c1796100
Instruction ID: 00f9a9636435e690af7b4770d44ce8cdc9a72b8ef893263fdb2ab74f00a5e69e
Opcode Fuzzy Hash: c2265dd6a925263f7767e547d4e32d60f5d414bd3600fefbf7397dd9c1796100
Instruction Fuzzy Hash: 1D315C76E40258FFDF14DFA8E895AEDFBB9EF48305F148459E605BB280C6305A84CB61

Function 033D75C7 Relevance: 10.6, APIs: 7, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D75CC
GetDesktopWindow.USER32 ref: 033D75FF
SetDlgItemInt.USER32(00000000), ref: 033D7606
GetDesktopWindow.USER32 ref: 033D7628
GetDC.USER32(00000000), ref: 033D762F
SetViewportExtEx.GDI32(00000000), ref: 033D7636
__aulldvrm.LIBCMT ref: 033D7688

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: c4e80f2b75435ee6fe9af664f537012d3dee18f87a6059526d37f37e9173ead6
Instruction ID: 830eacb254533ab633b0697a5a8a2f1d87a899caba29f9dc32bb82b95cff677a
Opcode Fuzzy Hash: c4e80f2b75435ee6fe9af664f537012d3dee18f87a6059526d37f37e9173ead6
Instruction Fuzzy Hash: F5318F76E00248BFDF10DFA8E895AEDFBB8EB48310F184459F605BB281C6304A84CB61

Function 033D7929 Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D792E
GetDesktopWindow.USER32 ref: 033D7961
SetDlgItemInt.USER32(00000000), ref: 033D7968
GetDesktopWindow.USER32 ref: 033D798A
GetDC.USER32(00000000), ref: 033D7991
SetViewportExtEx.GDI32(00000000), ref: 033D7998
__aulldvrm.LIBCMT ref: 033D79E4

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: 5db8434ba0deae73a0b2c493c7d5ab867f196aa5f38b07344ac13930e23ba2ec
Instruction ID: 7701c50b294332fed887edb24c7212ec882bbff034bdf108008daa1704b76a4a
Opcode Fuzzy Hash: 5db8434ba0deae73a0b2c493c7d5ab867f196aa5f38b07344ac13930e23ba2ec
Instruction Fuzzy Hash: 37313AB6E00248EFDF10DFE8E894AEDBBB8EF08345F144459E505BB290D7305A84CB61

Function 033C9713 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033C9740
GetDC.USER32(00000000), ref: 033C9747
GetTextExtentPoint32W.GDI32(00000000,?,?,033C981D), ref: 033C974E
GetDesktopWindow.USER32 ref: 033C976E
SetWindowTextW.USER32(00000000), ref: 033C9775
GetDesktopWindow.USER32 ref: 033C97EB
SetDlgItemInt.USER32(00000000,?,?,033C981D), ref: 033C97F2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$ExtentItemPoint32
String ID:
API String ID: 1801697257-0
Opcode ID: 68f597ba2e2648ed26da5dc63ab046e891ffc69138aa841a6690fae8a8e96e9d
Instruction ID: a7c529538dd09f9df9956c9828d501da26081af597c0f34c9b3cd9b8dd869740
Opcode Fuzzy Hash: 68f597ba2e2648ed26da5dc63ab046e891ffc69138aa841a6690fae8a8e96e9d
Instruction Fuzzy Hash: 06319EB4E01249AFDB40DFA9D984AADBBF4BB09311F18445AF955FB380D7349A508F60

Function 033E6E25 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033E6E48
GetDC.USER32(00000000), ref: 033E6E4F
SetViewportExtEx.GDI32(00000000,?,033E6BDB,00003BF0), ref: 033E6E56
GetDesktopWindow.USER32 ref: 033E6E6F
GetDC.USER32(00000000), ref: 033E6E76
GetTextExtentPointW.GDI32(00000000,?,033E6BDB,00003BF0), ref: 033E6E7D
GetSysColorBrush.USER32(0000196A), ref: 033E6E90

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$BrushColorExtentPointTextViewport
String ID:
API String ID: 3221472952-0
Opcode ID: a0ec911a073180b1f6dc926d765d902ddcfe35f212ec10235d8aa4f5c170d282
Instruction ID: 4fd0b06f6fe415def9003038410d191ea852064f4bb3599963f96f20081adab3
Opcode Fuzzy Hash: a0ec911a073180b1f6dc926d765d902ddcfe35f212ec10235d8aa4f5c170d282
Instruction Fuzzy Hash: 3D018071644744AFEB15AFA4EE4EB9A7B94AB49705F0C0880F1186F1E1C3B594A0C751

Function 033FFC30 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 033FFC30

Part of subcall function 033FEAFE: EncodePointer.KERNEL32(00000000,00000001,033FFC35,033FD4DC,03418CE0,00000008,033FD6A2,?,00000001,?,03418D00,0000000C,033FD641,?,00000001,?), ref: 033FEB01
Part of subcall function 033FEAFE: __initp_misc_winsig.LIBCMT ref: 033FEB1C
Part of subcall function 033FEAFE: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 034059AD
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 034059C1
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 034059D4
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 034059E7
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 034059FA
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 03405A0D
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 03405A20
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 03405A33
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 03405A46
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 03405A59
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 03405A6C
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 03405A7F
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 03405A92
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 03405AA5
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 03405AB8
Part of subcall function 033FEAFE: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 03405ACB

__mtinitlocks.LIBCMT ref: 033FFC35
__mtterm.LIBCMT ref: 033FFC3E

Part of subcall function 033FFCA6: DeleteCriticalSection.KERNEL32(?,?,?,?,033FD5A7,033FD58D,03418CE0,00000008,033FD6A2,?,00000001,?,03418D00,0000000C,033FD641,?), ref: 034060BE
Part of subcall function 033FFCA6: _free.LIBCMT ref: 034060C5
Part of subcall function 033FFCA6: DeleteCriticalSection.KERNEL32(0341C4B8,?,?,033FD5A7,033FD58D,03418CE0,00000008,033FD6A2,?,00000001,?,03418D00,0000000C,033FD641,?,00000001), ref: 034060E7

__calloc_crt.LIBCMT ref: 033FFC63
__initptd.LIBCMT ref: 033FFC85
GetCurrentThreadId.KERNEL32 ref: 033FFC8C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 4e47744d14f4934be8e879223f248b1588b0928b64896592646b2caea19d90d1
Instruction ID: 9d8e99c416262a31bff68db6f68b033535c16c7b688a62d24bc2c5eb695024c4
Opcode Fuzzy Hash: 4e47744d14f4934be8e879223f248b1588b0928b64896592646b2caea19d90d1
Instruction Fuzzy Hash: 46F0BB36A197311DF638F7757E81A5B6AC4CF41770B54072AEEA4DD1E8FF2084414594

Function 033D5CC2 Relevance: 9.4, APIs: 6, Instructions: 412COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D5CC7
GetDesktopWindow.USER32 ref: 033D5F4F
SetDlgItemInt.USER32(00000000), ref: 033D5F56

Part of subcall function 033D621B: GetDesktopWindow.USER32 ref: 033D6246
Part of subcall function 033D621B: SetWindowTextW.USER32(00000000), ref: 033D624D

GetDesktopWindow.USER32 ref: 033D61E4
GetDC.USER32(00000000), ref: 033D61EB
SetViewportExtEx.GDI32(00000000), ref: 033D61F2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$H_prologItemTextViewport
String ID:
API String ID: 2267899263-0
Opcode ID: 55f1ba67acb100fdd72c33e6aee9fcc7c042912dbae74a273b621f8c319c313b
Instruction ID: a541dc02295d52651b4009d6d914e6adf9f4e8dd66338001a8faf0b017d356f6
Opcode Fuzzy Hash: 55f1ba67acb100fdd72c33e6aee9fcc7c042912dbae74a273b621f8c319c313b
Instruction Fuzzy Hash: 7BF19EB2D40349AEEB20EF94DCC6FEEBB78AB01304F544099E6157A1C1DB755A88CB61

Function 033D76E5 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D76EA
GetDesktopWindow.USER32 ref: 033D771C
SetDlgItemInt.USER32(00000000), ref: 033D7723
GetDesktopWindow.USER32 ref: 033D7745
GetDC.USER32(00000000), ref: 033D774C
SetViewportExtEx.GDI32(00000000), ref: 033D7753

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 74dcb86ffd7aeee2c9d1ec308833791d09ddc315604dff578524920607b5af4a
Instruction ID: 85a4ea8cf85616979e37b3b69167f742584cd87e8b323014b85d36b62652fa44
Opcode Fuzzy Hash: 74dcb86ffd7aeee2c9d1ec308833791d09ddc315604dff578524920607b5af4a
Instruction Fuzzy Hash: F1315C76E42258EBCB10DFA8E995AEDBBB5FF08340F148559F905BF280D7305A44CB90

Function 033D68D3 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D68D8
GetDesktopWindow.USER32 ref: 033D690B
SetDlgItemInt.USER32(00000000), ref: 033D6912
GetDesktopWindow.USER32 ref: 033D6934
GetDC.USER32(00000000), ref: 033D693B
SetViewportExtEx.GDI32(00000000), ref: 033D6942

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: d85f1dc1436cd3f5b5c2e74f0725e6eb264bb4dbff3d06b34b62fc438c6a162a
Instruction ID: 4e0d0f31c6df7edfe504fa37db03957704c319d42c41762a03341f9cd7238375
Opcode Fuzzy Hash: d85f1dc1436cd3f5b5c2e74f0725e6eb264bb4dbff3d06b34b62fc438c6a162a
Instruction Fuzzy Hash: 3431C477D00258ABCB21EFA4D9C69EEFB79EB44310F444559E6267B181CA355E40CBA0

Function 033D73D2 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D73D7
GetDesktopWindow.USER32 ref: 033D7409
SetDlgItemInt.USER32(00000000), ref: 033D7410
GetDesktopWindow.USER32 ref: 033D7432
GetDC.USER32(00000000), ref: 033D7439
SetViewportExtEx.GDI32(00000000), ref: 033D7440

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 0b05236c9dad035d3ef6f861bc7f9cb0b45a2b5771f138fcb75a3f689012e488
Instruction ID: 54927abb5dc9f7344e55e341f00d2c84c123f6f6af1f0fc2b6c7830677dace34
Opcode Fuzzy Hash: 0b05236c9dad035d3ef6f861bc7f9cb0b45a2b5771f138fcb75a3f689012e488
Instruction Fuzzy Hash: E431CF72E42248EFDF01DFA8E9D5AEDBBBAEF08304F188559E5006F280C7754A44CB61

Function 033D74D6 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D74DB
GetDesktopWindow.USER32 ref: 033D750D
SetDlgItemInt.USER32(00000000), ref: 033D7514
GetDesktopWindow.USER32 ref: 033D7536
GetDC.USER32(00000000), ref: 033D753D
SetViewportExtEx.GDI32(00000000), ref: 033D7544

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 7b0b4b4a221e1ff68d0314231aa1df602e09176369e264bdb91e3763af8de1cb
Instruction ID: 287795061414ca4e2bae6c3182d85f062ce9f3518942617aae9e50c53e09f167
Opcode Fuzzy Hash: 7b0b4b4a221e1ff68d0314231aa1df602e09176369e264bdb91e3763af8de1cb
Instruction Fuzzy Hash: DC314F75E01248EFDF00DFA8E9D5AEDFBBAEB08305F148559E5056A280C7754A44CB51

Function 033F857E Relevance: 9.0, APIs: 6, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegUnLoadKeyW.ADVAPI32(00000000,00000000,?,033F8104,?,00000001,000073CF,?), ref: 033F8599
GetDesktopWindow.USER32 ref: 033F85AD
SetWindowTextW.USER32(00000000), ref: 033F85B4
GetDesktopWindow.USER32 ref: 033F85CE
GetDC.USER32(00000000), ref: 033F85D5
SetViewportExtEx.GDI32(00000000,?,033F8104,?), ref: 033F85DC

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$LoadTextViewport
String ID:
API String ID: 145119710-0
Opcode ID: 93e667194da22122cdc293ba0cac2bf1231cbfd1d5e46e05abd3241906a2889c
Instruction ID: 7956f15a976cbd6508c75866b03b2c45559a3effafc090a5fa21fa81b041517c
Opcode Fuzzy Hash: 93e667194da22122cdc293ba0cac2bf1231cbfd1d5e46e05abd3241906a2889c
Instruction Fuzzy Hash: BA01A2B0244748AFEB169FA4ED4CBA97B94AB05309F0C0844F60D6E2D0C2B485E0CB51

Function 033E11E9 Relevance: 9.0, APIs: 6, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033E11FA
GetDC.USER32(00000000), ref: 033E1201
DrawFocusRect.USER32(00000000), ref: 033E1208
GetDesktopWindow.USER32 ref: 033E1221
GetDC.USER32(00000000), ref: 033E1228
GetTextExtentPointW.GDI32(00000000,?,033E1063,00000000), ref: 033E122F

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$DrawExtentFocusPointRectText
String ID:
API String ID: 3079162497-0
Opcode ID: ccf66419c07e19279404292dc969e5c47c8e97a20559c359603556312699bf5f
Instruction ID: 59bbb842aa1cfd1390d2266b6680d799c060a4c01833d1ec9cd3a8c91d97a23e
Opcode Fuzzy Hash: ccf66419c07e19279404292dc969e5c47c8e97a20559c359603556312699bf5f
Instruction Fuzzy Hash: 20F05472A48744ABEB11BFE0ED4DB5D7B98AB09316F0C0C44F20C9D1C0C77950A0C711

Function 033D4CB5 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D4CBA
__floor_pentium4.LIBCMT ref: 033D4DA4

Strings

false, xrefs: 033D4D0B
true, xrefs: 033D4D10, 033D4D18, 033D4D23
null, xrefs: 033D4CDD, 033D4CE2, 033D4CED

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog__floor_pentium4
String ID: false$null$true
API String ID: 2354235884-2913297407
Opcode ID: 6796d1f30bc4bedd90c097cb417ef7aa978fde618c7183929501b1697d5f2612
Instruction ID: f333215463b1a5aa33c633e7ee562c1c6d05ae38c104c074f864194f75cf45bd
Opcode Fuzzy Hash: 6796d1f30bc4bedd90c097cb417ef7aa978fde618c7183929501b1697d5f2612
Instruction Fuzzy Hash: 3281E176D04208AFDF15DFA5E8D4ADEBBB9EF16320F04421AF415AB181DB709A85CB60

Function 033E6B29 Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033E6DEC
SetWindowTextW.USER32(00000000), ref: 033E6DF3

Part of subcall function 033E6E25: GetDesktopWindow.USER32 ref: 033E6E48
Part of subcall function 033E6E25: GetDC.USER32(00000000), ref: 033E6E4F
Part of subcall function 033E6E25: SetViewportExtEx.GDI32(00000000,?,033E6BDB,00003BF0), ref: 033E6E56

Part of subcall function 033E6B29: FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033E6CD4

GetDesktopWindow.USER32 ref: 033E6E11
SetDlgItemInt.USER32(00000000), ref: 033E6E18

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$FormatItemMessageTextViewport
String ID:
API String ID: 424236427-0
Opcode ID: ec22ecc89a707f5e0ebaee1c90f16393d547bd6ee38ce0866413f7b6b551c43d
Instruction ID: d356f7eeaa58882e49ecf0ef1108dd364b6bcf98eb04c9267abd18e0e20fabb1
Opcode Fuzzy Hash: ec22ecc89a707f5e0ebaee1c90f16393d547bd6ee38ce0866413f7b6b551c43d
Instruction Fuzzy Hash: C0918B74E44369BBEB10DF94CDC2AEDBB78EB24704F148099EA557B2C1D3B14A80CB51

Function 034061FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0340620B

Part of subcall function 033FC44C: __FF_MSGBANNER.LIBCMT ref: 033FC463
Part of subcall function 033FC44C: __NMSG_WRITE.LIBCMT ref: 033FC46A
Part of subcall function 033FC44C: RtlAllocateHeap.NTDLL(03430000,00000000,00000001,00000001,033E18DB,033E18DB,?,033FBDB1,00000001,00000000,00000003,00000000,?,033FBCEB,033F887B,?), ref: 033FC48F

_free.LIBCMT ref: 0340621E

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 00309b90bf4bb486b196c6431b1caa816c58e71414643100a808af2eb4caade0
Instruction ID: 5f53db86235f71cc0c481159e34ad057ac221c001866a1d687e2ecb22603afc5
Opcode Fuzzy Hash: 00309b90bf4bb486b196c6431b1caa816c58e71414643100a808af2eb4caade0
Instruction Fuzzy Hash: CD112B31E04715AECF21FF70AC44A5A7BD8EF00260B550A3BEA069E2C0DE3C84A08654

Function 033D91BE Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033D9120
SetDlgItemInt.USER32(00000000), ref: 033D9127
GetDesktopWindow.USER32 ref: 033D9149
GetDC.USER32(00000000), ref: 033D9150
SetViewportExtEx.GDI32(00000000), ref: 033D9157

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ItemViewport
String ID:
API String ID: 1989583774-0
Opcode ID: 397ba50d6a642b152ae270afe65d80818fd971d91acd6e12d01be960c88cc255
Instruction ID: f60d665ee670aaa34fb7caf7783d3860236b37fb17c9e265736dffa45360ee19
Opcode Fuzzy Hash: 397ba50d6a642b152ae270afe65d80818fd971d91acd6e12d01be960c88cc255
Instruction Fuzzy Hash: 22117CB6A48384FFCB00EFA4E8CDA59BFB8AB05345F088598E6056F361C7758644CB51

Function 033E3C46 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00002292,?,033E3D1B,00004322,00000000,00002A47,00000000,00000000,00000001,00003654,?,033E3A0E,00000BFB,00000000,?,00000000), ref: 033E3C62
GetDesktopWindow.USER32 ref: 033E3CAB
GetDC.USER32(00000000), ref: 033E3CB2
SetViewportExtEx.GDI32(00000000,?,033E3D1B,00004322), ref: 033E3CB9

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopErrorLastViewportWindow
String ID:
API String ID: 3126713311-0
Opcode ID: 53fc44f054cb9c5432d6f2c09d2b4206e7e2216571b2b497c8d3cffcb47d4352
Instruction ID: 77c640fbd4443d752129025f920d1ff82fcf8ed35690cd294303f973853758f2
Opcode Fuzzy Hash: 53fc44f054cb9c5432d6f2c09d2b4206e7e2216571b2b497c8d3cffcb47d4352
Instruction Fuzzy Hash: C601C0B9700265AFEB11AF94D94CB99BBA4AB0A729F0C4480F9486F2D1C374C4D1CB50

Function 033DD3D4 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033DD3EF
SetDlgItemInt.USER32(00000000,?,033DCE40,00000000), ref: 033DD3F6
GetDesktopWindow.USER32 ref: 033DD40F
GetDC.USER32(00000000), ref: 033DD416
GetTextExtentPointW.GDI32(00000000,?,033DCE40,00000000), ref: 033DD41D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ExtentItemPointText
String ID:
API String ID: 4061458486-0
Opcode ID: 06b56f3b20873a357009e398a93b7a50ff439a16fee54af0df8668ba42d4c6d2
Instruction ID: 88a7fdd31bf60fa6b795ee424c9cca599cc5f50e61890ae7d72eadb222f46dab
Opcode Fuzzy Hash: 06b56f3b20873a357009e398a93b7a50ff439a16fee54af0df8668ba42d4c6d2
Instruction Fuzzy Hash: 6DF030B2A80748BBEB126FE4FD4EB99BB996B04705F0C4840F7096D5D1C6B551E0CB51

Function 033DE1AC Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033DE1D7
SetDlgItemInt.USER32(00000000), ref: 033DE1DE
GetDesktopWindow.USER32 ref: 033DE200
GetDC.USER32(00000000), ref: 033DE207
SetViewportExtEx.GDI32(00000000), ref: 033DE20E

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ItemViewport
String ID:
API String ID: 1989583774-0
Opcode ID: 781e2471c6eee51de31a21d16ce0612eee5958c6ede31afcf5167c546c03f065
Instruction ID: e2c68329a7d3096c6130955fa36d060972c5adacfc7eb3858c506ba46784249b
Opcode Fuzzy Hash: 781e2471c6eee51de31a21d16ce0612eee5958c6ede31afcf5167c546c03f065
Instruction Fuzzy Hash: FCF044B1E88744BBDB10FFF0A94D55DFFB89B05705F088895A141AE185D5354258CB61

Function 033D1E98 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033D1ED5
GetDC.USER32(00000000), ref: 033D1EDC
SetViewportExtEx.GDI32(00000000,?,033D1ACD,00001163), ref: 033D1EE3

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopViewportWindow
String ID:
API String ID: 1263604042-0
Opcode ID: d13182abf7cd4e896bc2680c360ec368311bcb4a2deb76fe13af8143786ed2d7
Instruction ID: 2f12d4a0fa253328d14d933323dfd2dea6bdbcb68b02e5fb32dbdc07af96efd0
Opcode Fuzzy Hash: d13182abf7cd4e896bc2680c360ec368311bcb4a2deb76fe13af8143786ed2d7
Instruction Fuzzy Hash: 8AF0B4B2A40749BBEF12AFE4FD4DBAA7B686B08306F0C4840F6095D0E1C67581F0C751

Function 033E2EEC Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033E2EF1
GetDesktopWindow.USER32 ref: 033E3245
SetWindowLongW.USER32(00000000), ref: 033E324C

Strings

x(, xrefs: 033E319B

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$DesktopH_prologLong
String ID: x(
API String ID: 1792819551-2475313659
Opcode ID: 2cf618dcb529c4b560792982b3f4bb6fe8697b310eb6992779633fbfec31135c
Instruction ID: 45e598c59ef19503ea87d9d477f75b2e26b9dd040ccfd15a061f18db36daa6b9
Opcode Fuzzy Hash: 2cf618dcb529c4b560792982b3f4bb6fe8697b310eb6992779633fbfec31135c
Instruction Fuzzy Hash: 69C157B8E4035DAFDB10DF98C885AEEBBB8FF05314F508059F905AB281D7749A54CBA1

Function 033DF608 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033DF60D
std::_Xinvalid_argument.LIBCPMT ref: 033DF660

Part of subcall function 033F8863: std::exception::exception.LIBCMT ref: 033F8876
Part of subcall function 033F8863: __CxxThrowException@8.LIBCMT ref: 033F888B

_Allocate.LIBCPMT ref: 033DF676

Strings

EQsxisSNUMqiHowmSY, xrefs: 033DF65B

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateException@8H_prologThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 1962182295-3797114014
Opcode ID: 53add84d7cd2b368eae6c4ae600e3f3dd229e803167feb440d971ae682fe25cd
Instruction ID: 41b5807d8d4b22ce50b470844a9a28194bec8752b5ad8a95fa8268a12d9243ee
Opcode Fuzzy Hash: 53add84d7cd2b368eae6c4ae600e3f3dd229e803167feb440d971ae682fe25cd
Instruction Fuzzy Hash: E3515E76A10209AFCF15DF68C9C59AA7BA9FF88210F048669FC1A9B245D730ED10CB60

Function 033D31E8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D31ED

Strings

false, xrefs: 033D3295
true, xrefs: 033D3222
null, xrefs: 033D3269

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: false$null$true
API String ID: 3519838083-2913297407
Opcode ID: 44662a8aebe5168b38ffcac99989ee8020bc01e9641d2eb145ff28550f1a3c52
Instruction ID: 2bb944bd326f407aa4982cc046b09d8df1604fab093b062b6f2bb2f52cd7099e
Opcode Fuzzy Hash: 44662a8aebe5168b38ffcac99989ee8020bc01e9641d2eb145ff28550f1a3c52
Instruction Fuzzy Hash: 5F21E57BF403046ADA28DB64FCC2BADB3955B01B20F48442DE505AF9C1DBB2DD4186C6

Function 033D4703 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033D4767
std::_Xinvalid_argument.LIBCPMT ref: 033D47A9

Strings

DwKoYBuJCEyytDi, xrefs: 033D47A4
xbftzkZErMGIHumMcosuOxQ, xrefs: 033D479A

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: 51d2a67d348f0e05060c6bf187924830aeaf9234020c60dfa9318dbedd41949e
Instruction ID: 3805ba056e01848fa3ac0e2b3a5285586d4d86b600a8915ecb28bd72ced3ddae
Opcode Fuzzy Hash: 51d2a67d348f0e05060c6bf187924830aeaf9234020c60dfa9318dbedd41949e
Instruction Fuzzy Hash: FE21B27AB007049FCB24DE6AECC0D6AB7ADEB42610B24492EF5768F641CB71E94187D0

Function 033C438B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033C43EF
std::_Xinvalid_argument.LIBCPMT ref: 033C4431

Strings

DwKoYBuJCEyytDi, xrefs: 033C442C
xbftzkZErMGIHumMcosuOxQ, xrefs: 033C4422

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: 8b0565250687a0fc4b7c9da3d01a1a3bae5e9c249c0d3461a4d30cbea7360f05
Instruction ID: 9602343d056185df34afc6506a66ed1d5321632fa34f4d8c90656d8700aa5250
Opcode Fuzzy Hash: 8b0565250687a0fc4b7c9da3d01a1a3bae5e9c249c0d3461a4d30cbea7360f05
Instruction Fuzzy Hash: F0110635B207449FC735DE5EDCD099AF7ADEB81610B200A2EE5528F681C771EC91C790

Function 033C7EFE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033C7F66
std::_Xinvalid_argument.LIBCPMT ref: 033C7F9E

Strings

DwKoYBuJCEyytDi, xrefs: 033C7F99
xbftzkZErMGIHumMcosuOxQ, xrefs: 033C7F8F

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: a5911dcf6f33dd713e4bf909456774b4a1e0ee5217a27c983c0c35b84b7f1f7e
Instruction ID: 22fb69146c93bbe3939e68b42b5b59c29073229a94903360d81b502935c8d5c5
Opcode Fuzzy Hash: a5911dcf6f33dd713e4bf909456774b4a1e0ee5217a27c983c0c35b84b7f1f7e
Instruction Fuzzy Hash: 8D11AC36720345AFD728DF6DD8C0A5ABBAAAB41660B140A2DF925CB281C770EC54CB94

Function 033D1268 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D126D

Part of subcall function 033D0F96: __EH_prolog.LIBCMT ref: 033D0F9B
Part of subcall function 033D0F96: char_traits.LIBCPMT ref: 033D10B7

char_traits.LIBCPMT ref: 033D129D
char_traits.LIBCPMT ref: 033D12B7

Strings

. , xrefs: 033D1297, 033D129C, 033D12A5

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: char_traits$H_prolog
String ID: .
API String ID: 3393116018-3640953465
Opcode ID: 20303f1bbe28a400448bc043eb3141ba724544cda7fa48a7667fe2c65c218394
Instruction ID: 36f12bf0de1ba96cf6602e7f943bf848136223ed608c7474bb4521c84cfc6a2a
Opcode Fuzzy Hash: 20303f1bbe28a400448bc043eb3141ba724544cda7fa48a7667fe2c65c218394
Instruction Fuzzy Hash: 240180B7E006195FDB54EAA8BCC19FEFB7CAB40220F64066FE415AB680C7316D4186E5

Function 033DCC54 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033DCC77
GetDC.USER32(00000000), ref: 033DCC7E
SetViewportExtEx.GDI32(00000000,?,033DD459,000058F1), ref: 033DCC85

Strings

un2l, xrefs: 033DCC54

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopViewportWindow
String ID: un2l
API String ID: 1263604042-2526548122
Opcode ID: 60a46a1db1158e95cf43bf93d88b67b0e3eca83bb3f622563a6269b8e9430e17
Instruction ID: 405f09fe02c1ed4e3eb69faf8adac6ed9d5a88d236483379f835418c043463ed
Opcode Fuzzy Hash: 60a46a1db1158e95cf43bf93d88b67b0e3eca83bb3f622563a6269b8e9430e17
Instruction Fuzzy Hash: F0F082B2640649BBEF11AFA4ED4DBDA7B986B05705F0C4440F7085E4D1C7B194A1D791

Function 033FE1E8 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 033FE279
_memmove.LIBCMT ref: 033FE2ED
___AdjustPointer.LIBCMT ref: 033FE33E
_memmove.LIBCMT ref: 033FE347

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 84b3a33f9824510bbbae21d88d5994a64e52f29c667c8f164d5865906786f2fc
Instruction ID: 65007a1de0d7ad0635c6c1afafe851e052dd22c401f67d9aadc100657f2c386d
Opcode Fuzzy Hash: 84b3a33f9824510bbbae21d88d5994a64e52f29c667c8f164d5865906786f2fc
Instruction Fuzzy Hash: 1F41943A6083039FEB38EE25DDC4B66B7A89F41750F68446FEA408E5F0EB31D580D611

Function 033F07C6 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 033F086F
GetDesktopWindow.USER32 ref: 033F0971
GetDC.USER32(00000000), ref: 033F0978
SetViewportExtEx.GDI32(00000000), ref: 033F097F

Part of subcall function 033F468E: GetDesktopWindow.USER32 ref: 033F4690
Part of subcall function 033F468E: SetWindowTextW.USER32(00000000), ref: 033F4697

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$Desktop$TextViewport_memset
String ID:
API String ID: 89821065-0
Opcode ID: 3fdb0f391af48224d1e84444611116281ea9625548a52da55f1147ee0f85a269
Instruction ID: 98799bba9c161367f733e04185d2877e5d69273ea0b915025cc124733ad07d37
Opcode Fuzzy Hash: 3fdb0f391af48224d1e84444611116281ea9625548a52da55f1147ee0f85a269
Instruction Fuzzy Hash: DE5137B9C04349EEDF04DFD8C8858EEFB78FF04315F9485AADA516A242D7354A48CB90

Function 033D6AAF Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D6AB4
GetDesktopWindow.USER32 ref: 033D6BB3
GetDC.USER32(00000000), ref: 033D6BBA
GetTextExtentPointW.GDI32(00000000), ref: 033D6BC1

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPointTextWindow
String ID:
API String ID: 170700240-0
Opcode ID: c6c82461365e59f58cd7408386c4730a9952dd4e083a11b9619b4f7b686c006e
Instruction ID: e7d26f34fa3c73a755f4a103da41289ebcea53b5bdd1ec5be0ec913c2a20a4c1
Opcode Fuzzy Hash: c6c82461365e59f58cd7408386c4730a9952dd4e083a11b9619b4f7b686c006e
Instruction Fuzzy Hash: 75412CB6E44249EBDB10EF95EC82AADBB74FB04714F80C519FA296E281C3748650CF91

Function 0340B800 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0340B836
__isleadbyte_l.LIBCMT ref: 0340B864
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000002,00000000,?,00000000,00000000,?,00005234), ref: 0340B892
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000002,00000000,?,00000000,00000000,?,00005234), ref: 0340B8C8

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e087f4143e1d68020b8f4267fd96a620683f12a9c083318692309e756b333d75
Instruction ID: 84845d14435498250f55ef251eac5de1052d934b6c05273c2f90225e457754bc
Opcode Fuzzy Hash: e087f4143e1d68020b8f4267fd96a620683f12a9c083318692309e756b333d75
Instruction Fuzzy Hash: 96318232B00256AFDB21DF65CC84A7BBBA5FF41210F19457AE4649F2E0D730D851DB98

Function 033F437E Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033F43C8
_memmove.LIBCMT ref: 033F43E6
_memset.LIBCMT ref: 033F440B
_memmove.LIBCMT ref: 033F4445

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: d0a66a7d6acb7acb60fa4a8b92752cbd559b609400514f1492ace66b6d358352
Instruction ID: 0d26c94201ad186e73d11d7416d97d516ffaf422756554d853477ceabf2991ea
Opcode Fuzzy Hash: d0a66a7d6acb7acb60fa4a8b92752cbd559b609400514f1492ace66b6d358352
Instruction Fuzzy Hash: 4521C1B69002046FDB10DF19DCC0AAB7769AF40724F954169EE19AB206E734D950CA94

Function 033F30CE Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 033F3118
_memmove.LIBCMT ref: 033F3136
_memset.LIBCMT ref: 033F315B
_memmove.LIBCMT ref: 033F3195

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: 83208bb365ac6273134597c007199f908af698a054711ead73dd72d1acbf0f5e
Instruction ID: 562d6be9c22ca40109a17491719572959711bf33a55e1a64f53d3dd35794f90e
Opcode Fuzzy Hash: 83208bb365ac6273134597c007199f908af698a054711ead73dd72d1acbf0f5e
Instruction Fuzzy Hash: 1C21917AA003056FDF18EE19CCC5A6B7769EF40324F848169EE199A206D734D915CB94

Function 033D2B88 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D2B8D
GetDesktopWindow.USER32 ref: 033D2C76
GetDC.USER32(00000000), ref: 033D2C7D
GetTextExtentPointW.GDI32(00000000,?,033DF486), ref: 033D2C84

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPointTextWindow
String ID:
API String ID: 170700240-0
Opcode ID: 9e7fc41d569f15648f7dfe035dbd3bfc5c1a3b8e62cc81cea6749764e44e0982
Instruction ID: 22277bf6c306abb9b5549f332a892e320f81f57154a609bbbeba0adb498d4287
Opcode Fuzzy Hash: 9e7fc41d569f15648f7dfe035dbd3bfc5c1a3b8e62cc81cea6749764e44e0982
Instruction Fuzzy Hash: 93314AB6D0425ADFDB15DF94EDC4AEFBBB4FF08305F50095AE516AA280C3B14A40CBA0

Function 033DFF98 Relevance: 6.1, APIs: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 033DFDB5: _memmove.LIBCMT ref: 033DFDEF

GetSysColorBrush.USER32(0000196A), ref: 033E0002
GetDesktopWindow.USER32 ref: 033E0016
SetWindowTextW.USER32(00000000), ref: 033E001D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033E0042

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText_memmove
String ID:
API String ID: 3230339316-0
Opcode ID: decfd6642b7f4f28dc21706ffa04d8ecaba114a29e789f378c1666a1ca76b4c1
Instruction ID: 80bbc0346d63484ca604119118b433c8a247de1f987c675e81aeb6b5cb61d848
Opcode Fuzzy Hash: decfd6642b7f4f28dc21706ffa04d8ecaba114a29e789f378c1666a1ca76b4c1
Instruction Fuzzy Hash: 8E3169B4500248FFDB04DF14D8C49ADBBA8EB0532AF14C15AFC695F385C27A8A84CB50

Function 033D873C Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D878C
GetDesktopWindow.USER32 ref: 033D87A3
SetWindowTextW.USER32(00000000), ref: 033D87AA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 033D87D2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 29a82a3282b3028bbf4db97eac2ddaa9c98ab414d8655c67fa5466af103f3e03
Instruction ID: 1fc3cb007d5b250d6903b5d03687ef0ce0e17b5fa8917e2943de4859f6f0fcfd
Opcode Fuzzy Hash: 29a82a3282b3028bbf4db97eac2ddaa9c98ab414d8655c67fa5466af103f3e03
Instruction Fuzzy Hash: AB315CB5D04308FBEB14CFA9E8886ADFFB5BB84305F54C5A9E4646E281D7712685CB10

Function 033EBABF Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033EBAC4
GetDesktopWindow.USER32 ref: 033EBAFE
GetDC.USER32(00000000), ref: 033EBB05
GetTextExtentPoint32W.GDI32(00000000), ref: 033EBB0C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPoint32TextWindow
String ID:
API String ID: 4235267150-0
Opcode ID: 660383626a69fc730dcc4f9c1c91d03356f74b4c399b2b97a24f251fad39370f
Instruction ID: 3ef7c2648c4d674225eb0af8fbaacdc84be67d88d0a429edd3d0eeb32028e721
Opcode Fuzzy Hash: 660383626a69fc730dcc4f9c1c91d03356f74b4c399b2b97a24f251fad39370f
Instruction Fuzzy Hash: DE21AF72D00248BBDB11EFA4ED88EDFBBB9EF85700F044509F505AB1D0CA755A50CBA1

Function 033D8669 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033D86B6
GetDesktopWindow.USER32 ref: 033D86CA
SetWindowTextW.USER32(00000000), ref: 033D86D1
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 033D86F6

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 59fa2b3a04da688a87a2e801e0773af469cdc1d23405dea83b2f22b3850f6ebc
Instruction ID: ce09837c90446db4306ca4acf01cf6684acde45358e32427a025e91d277e4143
Opcode Fuzzy Hash: 59fa2b3a04da688a87a2e801e0773af469cdc1d23405dea83b2f22b3850f6ebc
Instruction Fuzzy Hash: E62116B5D4434CFFDB00DFA8E8885ADFFB8BB04329F548599E6507A281D3316695CB50

Function 033DE23E Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033DE28B
GetDesktopWindow.USER32 ref: 033DE29F
SetWindowTextW.USER32(00000000), ref: 033DE2A6
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033DE2CB

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 8c33cbb0ffd69857778252315f606974fb2f2122a73f4219801966f58a502d42
Instruction ID: b51488814096d22ed5215b05f739e82e05425be760320b50dcde2d1c2794b2bc
Opcode Fuzzy Hash: 8c33cbb0ffd69857778252315f606974fb2f2122a73f4219801966f58a502d42
Instruction Fuzzy Hash: E62114B5D48348BEEB10EFE8E8895ADFFB8AB05319F548699E5607A681C3310685CB50

Function 033CBB5E Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033CBBD0
SetWindowLongW.USER32(00000000), ref: 033CBBD7
SetLastError.KERNEL32(00002292), ref: 033CBC00
GetUserDefaultUILanguage.KERNEL32 ref: 033CBC08

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$DefaultDesktopErrorLanguageLastLongUser
String ID:
API String ID: 1756640285-0
Opcode ID: 80da67366e8d00f0e2a5c0725e5fbc8b4ca48a571eeb405d575f87508e984b89
Instruction ID: a011047bea1748344966eff8d806eff5402bef8e9db3cd60436596d39ded38d3
Opcode Fuzzy Hash: 80da67366e8d00f0e2a5c0725e5fbc8b4ca48a571eeb405d575f87508e984b89
Instruction Fuzzy Hash: AB21B4B4E142599FDB40DFA9D985AADFBF4AB08200F04846AE855E7340D7349A50CF61

Function 033CF97D Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 033CF9BF
GetDC.USER32(00000000), ref: 033CF9C6
DrawFocusRect.USER32(00000000), ref: 033CF9CD
GetSysColorBrush.USER32(0000196A), ref: 033CF9F0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: BrushColorDesktopDrawFocusRectWindow
String ID:
API String ID: 2851196967-0
Opcode ID: 0a607d92f62bbef098ed26a27b49ce764149167c8ce5715e04f398121e7c93ea
Instruction ID: 83bada07a6fd4f02a5caeaa280a564fc4c0a0c3d5b7d62d176c791bdc9deb7af
Opcode Fuzzy Hash: 0a607d92f62bbef098ed26a27b49ce764149167c8ce5715e04f398121e7c93ea
Instruction Fuzzy Hash: C821D8B4E04249AFDF40DFA9D985AAEFBF4AF09700F18445AF954FB280D634DA508B61

Function 033CB9C7 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000000), ref: 033CBA0D
GetDesktopWindow.USER32 ref: 033CBA34
GetDC.USER32(00000000), ref: 033CBA3B
GetTextExtentPointW.GDI32(00000000,?,033CBFFD,00000718), ref: 033CBA42

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentLookupPointPrivilegeTextValueWindow
String ID:
API String ID: 2870449056-0
Opcode ID: da97105aa422b1bbe82dedf9f7d414a426ccd7bfe30c3bee0ddb9d4409fd90e8
Instruction ID: 995aeb9089c1ce0bc80a21071fb66f0cb41e0e32a134d3ae21042c7195d1b97a
Opcode Fuzzy Hash: da97105aa422b1bbe82dedf9f7d414a426ccd7bfe30c3bee0ddb9d4409fd90e8
Instruction Fuzzy Hash: 8D11F674E04249AFDB50DFA5D986BAEBFF4AB08701F14449AF954FB280D634AA508F60

Function 033FDB2C Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 033FDB43

Part of subcall function 033FE15A: ___AdjustPointer.LIBCMT ref: 033FE1A3

_UnwindNestedFrames.LIBCMT ref: 033FDB5A
___FrameUnwindToState.LIBCMT ref: 033FDB6C
CallCatchBlock.LIBCMT ref: 033FDB90

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8b30573c538f3b1fc18e63ca7426e9ddefb9c98fc61009f8d964c6abd2916d26
Instruction ID: 545c74ad42052f627dc1b86a520d743ba2055492714874a6b5a1351c761d3148
Opcode Fuzzy Hash: 8b30573c538f3b1fc18e63ca7426e9ddefb9c98fc61009f8d964c6abd2916d26
Instruction Fuzzy Hash: 2501E932400209BFCF12AF55CC84EEA7BBAFF49754F454115FE1866124D332E961DBA0

Function 033FFF0E Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 033FFF32

Part of subcall function 03400619: __fltout2.LIBCMT ref: 03400642

__cftog_l.LIBCMT ref: 033FFF58
__cftoe_l.LIBCMT ref: 033FFF8A

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c0785080e1b335cfc343132c16e5d8ec9297fca503a3d5fcac0940d88b53f00a
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 26017B3600424EBFCF129E84CC818EE3F26BB19350B888625FE1858171C632C5B2AB85

Function 033EB42F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033EB434
GetDesktopWindow.USER32 ref: 033EB497
GetDC.USER32(00000000), ref: 033EB49E
GetTextExtentPoint32W.GDI32(00000000,?,033EA53B,?), ref: 033EB4A5

Part of subcall function 033EB820: __EH_prolog.LIBCMT ref: 033EB825

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog$DesktopExtentPoint32TextWindow
String ID:
API String ID: 2853833731-0
Opcode ID: 3f96f7d883ff3e81607fb2c88a06f28c70090ec55992dcd1e367413a555757ab
Instruction ID: f60e0192123393c6c44c370e0177c61fd74e8b35713ff40c81354e609164e775
Opcode Fuzzy Hash: 3f96f7d883ff3e81607fb2c88a06f28c70090ec55992dcd1e367413a555757ab
Instruction Fuzzy Hash: 46117935D0424DABEF06EFA0DA89BECBB74AF00308F148048F4092E1D1DB795A54CF51

Function 033E3353 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000000), ref: 033E33A3

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 17f3962e9a9138dd3823915ff00fa8bdcc19e9ae4d65266ff8fb8447e7857c87
Instruction ID: 17752b3042cd9efeb3f854faa4f7e1c05dab60c5a305948c4a2eb1d9c6ab51e8
Opcode Fuzzy Hash: 17f3962e9a9138dd3823915ff00fa8bdcc19e9ae4d65266ff8fb8447e7857c87
Instruction Fuzzy Hash: 96018475604254EFDB01EF64E848BA9BBF8FB06325F0C0485F8498B291C73488D0CB50

Function 033C1F3C Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 033C1F65
GetDesktopWindow.USER32 ref: 033C1F8F
SetWindowTextW.USER32(00000000), ref: 033C1F96
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033C1FC2

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 146fbd1cf6f20334cea05aadb344c47d28fab1fda3269a2d5cfa2d292c2dec26
Instruction ID: b982f4ed2ebec9c0d2617b7829d3e9b819fd2f75d32d37892ff3aa953a8c3e4c
Opcode Fuzzy Hash: 146fbd1cf6f20334cea05aadb344c47d28fab1fda3269a2d5cfa2d292c2dec26
Instruction Fuzzy Hash: 7D015274E587A89AEF20EBA8DD99BADFEB47B05709F080709F145BE1C3C7748400A720

Function 033D62EB Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,033D63C0,00000000,00003AF7,000005E3,00000003,?,033D6385,00000000), ref: 033D6327

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 08bb23d69783dcd09398526d0c3cb7d17b4d3c16fb0701f79fc2c0423585f7db
Instruction ID: 6249542a3d440684117537636785546ba489eee69ded57ecb2a9be13fd470319
Opcode Fuzzy Hash: 08bb23d69783dcd09398526d0c3cb7d17b4d3c16fb0701f79fc2c0423585f7db
Instruction Fuzzy Hash: 9BF036B2685744BFFB01AAA0EE4EF7A7A9C9704705F4C0844FA1D9D4D2D67545A08660

Function 033E3DCD Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 033E3DF4
GetDesktopWindow.USER32 ref: 033E3E0B
GetDC.USER32(00000000), ref: 033E3E12
GetTextExtentPointW.GDI32(00000000), ref: 033E3E19

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentFormatMessagePointTextWindow
String ID:
API String ID: 2513662917-0
Opcode ID: 26708f4955df7a05a05a8746d7821e25bc9974f08c3f568fec87e8f45c08d1f9
Instruction ID: cdbb0a7083d8749d48a51a1089f2a45a387f8ed0f0f7c98db3939b24fef40434
Opcode Fuzzy Hash: 26708f4955df7a05a05a8746d7821e25bc9974f08c3f568fec87e8f45c08d1f9
Instruction Fuzzy Hash: 55F096B5645749BBFB11BFF09D49EBB7E5CAB04714F080840FA08AE1D2C27185A08761

Function 033F8694 Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,033F8114), ref: 033F86BB
GetDesktopWindow.USER32 ref: 033F86D2
GetDC.USER32(00000000), ref: 033F86D9
GetTextExtentPointW.GDI32(00000000,?,033F8114), ref: 033F86E0

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: DesktopExtentFormatMessagePointTextWindow
String ID:
API String ID: 2513662917-0
Opcode ID: f9c68a14843f2aa92cb8ee6034390662f11b82af14d0102b9696152927b55dbc
Instruction ID: f699bc55e0a711c33377c75185fc6aac32a31bdf2d045c8a93012768b922e4c9
Opcode Fuzzy Hash: f9c68a14843f2aa92cb8ee6034390662f11b82af14d0102b9696152927b55dbc
Instruction Fuzzy Hash: 1EF082B1685748BEFB00BBF0AD49F7A7B9C9B04615F4C8845F70CAD1C2C57582908724

Function 033DD613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033DD732
__EH_prolog.LIBCMT ref: 033DD73D

Strings

NDEkzAepEGOKPahJWoW, xrefs: 033DD72D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prologXinvalid_argumentstd::_
String ID: NDEkzAepEGOKPahJWoW
API String ID: 4014091808-2683528191
Opcode ID: 992fa8e9900bf0d242ee08b4b822c4c637ad94640f5f4b17d9b57d3fb3295d90
Instruction ID: f76c92008e768f19dda50a701d9d7653f3b71bc89117498de08a30de9a56c1c2
Opcode Fuzzy Hash: 992fa8e9900bf0d242ee08b4b822c4c637ad94640f5f4b17d9b57d3fb3295d90
Instruction Fuzzy Hash: 81615436A00245DFCB11DF19E8C4A69BBE9EF49314F19C49AE8198F362C771EC51CB90

Function 033D6605 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033D672E

Strings

DwKoYBuJCEyytDi, xrefs: 033D6729
xbftzkZErMGIHumMcosuOxQ, xrefs: 033D6733

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: a97dae764d24fb611ad1d4d4bb2b59fa8e4c78596dc4e8a6a3c079f37e57448d
Instruction ID: b0d057d02343d09c4e3ed6616d42d312dcd5748d1f200b97260e1c52c594fd70
Opcode Fuzzy Hash: a97dae764d24fb611ad1d4d4bb2b59fa8e4c78596dc4e8a6a3c079f37e57448d
Instruction Fuzzy Hash: 62419236A10209DFCB24DF5CE8C589AB3FAFF44744750452EE862CB611DB30E915CBA1

Function 033E70C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033E70C5
std::_Xinvalid_argument.LIBCPMT ref: 033E7118

Part of subcall function 033F8863: std::exception::exception.LIBCMT ref: 033F8876
Part of subcall function 033F8863: __CxxThrowException@8.LIBCMT ref: 033F888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 033E7113

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Exception@8H_prologThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 935663214-3797114014
Opcode ID: 3c04fd9fe51ceddd7f5696c2f0d4e3401671d1adab19ea5689b38ca365f43c9f
Instruction ID: 6d28c04f82b5ef39ede95ca8f72c84f0d6b623bd1cd2bfa897dbabf8a63a17b1
Opcode Fuzzy Hash: 3c04fd9fe51ceddd7f5696c2f0d4e3401671d1adab19ea5689b38ca365f43c9f
Instruction Fuzzy Hash: 934180B6E0031AAFDF05DF68CD859ADFBAAFF48310F10451AF9159B290DB719920CB90

Function 033D673E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033D67E9

Strings

DwKoYBuJCEyytDi, xrefs: 033D67E4
xbftzkZErMGIHumMcosuOxQ, xrefs: 033D67DA

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: bc76276a7787a6242971ab1d4b0a71a2f3496cfb6fb9b535a13b3cfd91af1154
Instruction ID: b776ccd4fa6b2950cbc27b5811c7feaff2c0e082686f2e2800f38a9a91703fce
Opcode Fuzzy Hash: bc76276a7787a6242971ab1d4b0a71a2f3496cfb6fb9b535a13b3cfd91af1154
Instruction Fuzzy Hash: 0F11AF3AB103099FC724DE68E8C585AB7ADFF80B50760092EF4628B641DB30E959C7A0

Function 033C4476 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033C4521

Strings

DwKoYBuJCEyytDi, xrefs: 033C451C
xbftzkZErMGIHumMcosuOxQ, xrefs: 033C4512

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: cbcfb756c4aa8705f462025187135687ac3664fd1c0618b31fd572b94dea1753
Instruction ID: 3d61a6f678f1276c6396841db0a68468f2e593d2ddb9889857d5134375c2f643
Opcode Fuzzy Hash: cbcfb756c4aa8705f462025187135687ac3664fd1c0618b31fd572b94dea1753
Instruction Fuzzy Hash: 7A11DF387203449BC735DE5EC8D099AB7B9EF80750B244A2EE4568B645DB31EC45C7A0

Function 033E777C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033E781C

Strings

DwKoYBuJCEyytDi, xrefs: 033E7817
xbftzkZErMGIHumMcosuOxQ, xrefs: 033E780D

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: 39bf66872b3ce262139b2b2f9143e14b7de839184ec4f60ea3076c7270cceee0
Instruction ID: 01e9c7fd662d1cc175f3d136aefb09e509d71ec8e0896c95ec49a1b325cb25bd
Opcode Fuzzy Hash: 39bf66872b3ce262139b2b2f9143e14b7de839184ec4f60ea3076c7270cceee0
Instruction Fuzzy Hash: E311BE38710329AFC728DE6CDCC096AB7A9BF45711710092EF925CB690CB30ED59CBA1

Function 033D6487 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 033D6527

Strings

DwKoYBuJCEyytDi, xrefs: 033D6522
xbftzkZErMGIHumMcosuOxQ, xrefs: 033D6518

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: e3345935a57b416c840877f35c3481a2f209ba36ed3e8a5dea6e3189d8fa4eea
Instruction ID: ba4b6add1542f157e5aeb1ddce8b859602e9881a0afa2e3d4ff4dc5359bf13ab
Opcode Fuzzy Hash: e3345935a57b416c840877f35c3481a2f209ba36ed3e8a5dea6e3189d8fa4eea
Instruction Fuzzy Hash: F011D63AB107199FC724DF6CE8D095AB7BABF44710790093DE526CB641C730E9A5CB90

Function 033D7A37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 033D7A3C

Strings

true, xrefs: 033D7A4B
null, xrefs: 033D7A4C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: null$true
API String ID: 3519838083-1304502921
Opcode ID: ccacedeebe91629fb868d038bf78476f9e17023289e87e3659bbf2cf1972c9cd
Instruction ID: b011c67730be5bdcacf12527dcacaa8ae494d7e323b2f31e1bf1f00930f012c1
Opcode Fuzzy Hash: ccacedeebe91629fb868d038bf78476f9e17023289e87e3659bbf2cf1972c9cd
Instruction Fuzzy Hash: 61014075E44318BADB14DA95CC89FDFBF7CEF49B64F004115B508BA281C7749604C7A1

Function 033C315C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 033C3182
std::_Xinvalid_argument.LIBCPMT ref: 033C31A1

Part of subcall function 033F8863: std::exception::exception.LIBCMT ref: 033F8876
Part of subcall function 033F8863: __CxxThrowException@8.LIBCMT ref: 033F888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 033C319C

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: f27958892ac2fb3823f58a163c08c51e1e459b204101e9807e458b22f1a68223
Instruction ID: e71c9af23be665cf3d53049b5e772dcac6051e592b2598da288f08a19da8f21d
Opcode Fuzzy Hash: f27958892ac2fb3823f58a163c08c51e1e459b204101e9807e458b22f1a68223
Instruction Fuzzy Hash: E9F0E57A504745AF8724EF29D88046BB7ECDE46630328C83FD5A9C7640E730E8418B64

Function 033C31A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 033C31CD
std::_Xinvalid_argument.LIBCPMT ref: 033C31EC

Part of subcall function 033F8863: std::exception::exception.LIBCMT ref: 033F8876
Part of subcall function 033F8863: __CxxThrowException@8.LIBCMT ref: 033F888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 033C31E7

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: 5200a255b01213f7febe9ce01a89abcfeb3952fcc9f2bc230d5bce9e0cac5a52
Instruction ID: 2555e82cea6a340a961c3513df2b9ae8cfca4b8cd0abaca1edea1b9839c788ba
Opcode Fuzzy Hash: 5200a255b01213f7febe9ce01a89abcfeb3952fcc9f2bc230d5bce9e0cac5a52
Instruction Fuzzy Hash: 8FF0E57A914745AF8320EF29D880867BBECEE45630324C83FD5E9C7640EB36A8414BA0

Function 033D6A47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 033D6A6A
std::_Xinvalid_argument.LIBCPMT ref: 033D6A88

Part of subcall function 033F8863: std::exception::exception.LIBCMT ref: 033F8876
Part of subcall function 033F8863: __CxxThrowException@8.LIBCMT ref: 033F888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 033D6A83

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: a0b0c9ec81b54794f300422ec817507ad53323a65021db58cb1241c51e1cf0e0
Instruction ID: 3ae0b98b12841037f1b6d5ee2226fd83855048a3bab58456b1414f8772216409
Opcode Fuzzy Hash: a0b0c9ec81b54794f300422ec817507ad53323a65021db58cb1241c51e1cf0e0
Instruction Fuzzy Hash: F1F0E5B76007056F8320DF69E881567F7ECDA85670328C93FD5F8C7740E630A44147A4

Function 033FD3CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 033FD3B6

Part of subcall function 033F9254: RaiseException.KERNEL32(?,?,033F8890,033E18DB,00000003,?,?,?,?,?,033F8890,033E18DB,03418A94,00000003), ref: 033F92A9

std::bad_exception::bad_exception.LIBCMT ref: 033FD3DD

Part of subcall function 033FBC44: std::bad_exception::bad_exception.LIBCMT ref: 033FBC4D

Strings

VzGQCIbqrdwuIsGHNdRpxKtwJdXpetLf, xrefs: 033FD3D5

Memory Dump Source

Source File: 00000003.00000002.2224073636.00000000033C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 033C0000, based on PE: true

Associated: 00000003.00000002.2224041712.00000000033C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224113401.000000000340E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2224137402.000000000341A000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_33c0000_rundll32.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionException@8RaiseThrow
String ID: VzGQCIbqrdwuIsGHNdRpxKtwJdXpetLf
API String ID: 1432139112-2565811093
Opcode ID: 41024437ec6ad25b4b55fd14f1655ffdb612a5cf648eeefcf1e7e2362dc3ad77
Instruction ID: 88df3766c8099a179e2918e1b9ecdf96de68651cba9112d81bc23dc4f317959b
Opcode Fuzzy Hash: 41024437ec6ad25b4b55fd14f1655ffdb612a5cf648eeefcf1e7e2362dc3ad77
Instruction Fuzzy Hash: FFE01275E00208DFCF04DBA0C881BEEB7B4AB05302F550055E612BB554D774A954CF55

Analysis Process: rundll32.exePID: 6544, Parent PID: 6552COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	444
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05542C29 Relevance: 3.0, APIs: 2, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoEx.KERNELBASE(?,?,00000002,?,?,055436FA,?,?,?,00000002,?,?,?), ref: 05542C45
GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,055436FA,?,?,?,00000002,?,?,?), ref: 05542C50

Memory Dump Source

Source File: 00000004.00000002.2222899587.0000000005421000.00000020.00001000.00020000.00000000.sdmp, Offset: 05420000, based on PE: true

Associated: 00000004.00000002.2222881843.0000000005420000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2223020055.000000000557A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2223457756.00000000059ED000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2223482203.00000000059EF000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5420000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 826b54ae92500ec36698c75b96a888e57edca56e5c6f3628d65a8c2ae31257f6
Instruction ID: 28fe9d2828e21f2d718f95ce9ff27c0aa8139e8ac87689d6b257e1a19b891355
Opcode Fuzzy Hash: 826b54ae92500ec36698c75b96a888e57edca56e5c6f3628d65a8c2ae31257f6
Instruction Fuzzy Hash: 8DD0623641411DBF8F059FD0F806C6A3F69FB4C254F044405F51845110DA32A5209B55

Analysis Process: rundll32.exePID: 2300, Parent PID: 1408COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1603
Total number of Limit Nodes:	57

Executed Functions

Function 04D97A3F Relevance: 84.5, APIs: 6, Strings: 41, Instructions: 2223COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D97B54
__EH_prolog.LIBCMT ref: 04D97B69

Strings

r, xrefs: 04D99DC6
i, xrefs: 04D99A3E
PO, xrefs: 04D98D00
hL4, xrefs: 04D97BCA
D, xrefs: 04D9A227
r8, xrefs: 04D97BB8
f, xrefs: 04D98A9D
|h=1, xrefs: 04D985DC
>, xrefs: 04D9A079
^, xrefs: 04D99DBF
]K, xrefs: 04D99341
r, xrefs: 04D992AD
x(, xrefs: 04D9868E
r, xrefs: 04D987AB
Y, xrefs: 04D9A2A2
n, xrefs: 04D998FD
h1, xrefs: 04D985F4
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
h}?, xrefs: 04D9A23A
xbftzkZErMGIHumMcosuOxQ, xrefs: 04D97B59
e, xrefs: 04D99185
W, xrefs: 04D9A23F
h";, xrefs: 04D985EF
S4, xrefs: 04D97D99
t, xrefs: 04D997E4
hS, xrefs: 04D9A215
h8, xrefs: 04D97BD4
hPQ, xrefs: 04D97BA6
ht, xrefs: 04D97CDD
f, xrefs: 04D99383
2, xrefs: 04D97F5A
"5, xrefs: 04D97BE1
PhOg, xrefs: 04D98993
h&}, xrefs: 04D98E6F
Y, xrefs: 04D992A6
r, xrefs: 04D99CAB
h4R, xrefs: 04D97BC0
DwKoYBuJCEyytDi, xrefs: 04D97B4F
C@, xrefs: 04D994C5
Sh;l, xrefs: 04D97BB2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prologXinvalid_argumentstd::_
String ID: C@$'`5x$2$>$D$DwKoYBuJCEyytDi$PO$PhOg$Sh;l$Y$Y$]K$^$e$f$f$h8$h";$h&}$h4R$hL4$hPQ$ht$h}?$h1$hS$i$n$r$r$r$r$t$t$x($xbftzkZErMGIHumMcosuOxQ$|h=1$"5$S4$W$r8
API String ID: 4014091808-959085074
Opcode ID: 414bc61bd3cfc9142c2a374ee631ee33bef2a1723e2123d88dfc1527da3dcda3
Instruction ID: 7eb65ce0907aadd25548d417f41912b3bdc8cec54ba37af37988d7e919f22ad1
Opcode Fuzzy Hash: 414bc61bd3cfc9142c2a374ee631ee33bef2a1723e2123d88dfc1527da3dcda3
Instruction Fuzzy Hash: CD2348B0A042699EEF21DF54CC95BEEBBB4EB05308F1041E9E549B7281DB716E84CF61

Function 04D9C786 Relevance: 83.5, APIs: 5, Strings: 41, Instructions: 2976COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D9C78B
ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 04D9F5E1

Part of subcall function 04D9BABF: __EH_prolog.LIBCMT ref: 04D9BAC4

GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000001,00000003,00000000,00000002,00000000,?,?,0DFE9F48,?,00000000,?,?,00000002), ref: 04D9CF4F
GetDesktopWindow.USER32 ref: 04D9D1D6
SetWindowLongW.USER32(00000000), ref: 04D9D1DD

Part of subcall function 04D738F8: _memmove.LIBCMT ref: 04D73918

Part of subcall function 04D84630: __EH_prolog.LIBCMT ref: 04D84635

Part of subcall function 04D73943: _memmove.LIBCMT ref: 04D73963

Strings

AA, xrefs: 04D9E55A
PO, xrefs: 04D9D772
v, xrefs: 04D9E167
l, xrefs: 04D9E93F
[, xrefs: 04D9E476
!, xrefs: 04D9E2C4
t, xrefs: 04D9DEBA
p, xrefs: 04D9E67C
*, xrefs: 04D9F4A6
!'E, xrefs: 04D9EB95
, xrefs: 04D9EE08
<, xrefs: 04D9E3BA
{, xrefs: 04D9EA26
p, xrefs: 04D9CF9B
'`5x, xrefs: 04D9D817
b, xrefs: 04D9E73A
u, xrefs: 04D9F3B8
t, xrefs: 04D9EF2A
p, xrefs: 04D9D3F7
<, xrefs: 04D9E0D2
:, xrefs: 04D9F0DB
m, xrefs: 04D9DF94
e, xrefs: 04D9E80C
r, xrefs: 04D9DA7D
*, xrefs: 04D9F31B
(, xrefs: 04D9E592
v, xrefs: 04D9E47D
#, xrefs: 04D9D968
e, xrefs: 04D9F285
G, xrefs: 04D9E039
h&}, xrefs: 04D9D94E
H, xrefs: 04D9ED40
R, xrefs: 04D9E3B3
!, xrefs: 04D9D56E
*, xrefs: 04D9EFEC
t, xrefs: 04D9F199
s, xrefs: 04D9ED47
n, xrefs: 04D9E1F5
m, xrefs: 04D9EC94
, xrefs: 04D9EAF1
t, xrefs: 04D9EBA6

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog$Window_memmove$CreateDesktopLongOverlappedRegionResult
String ID: $ $!$!$!'E$'`5x$($*$*$*$:$<$<$AA$G$H$PO$R$[$b$e$e$h&}$l$m$m$n$p$p$p$r$s$t$t$t$t$u$v$v${$#
API String ID: 4063478863-2971129802
Opcode ID: a8d2b4e8dfa690370a989b939dbeab372a9d1e0b50fc46ed5e653c0b9347d609
Instruction ID: c3d4a7fc63b41e53aa29048f3bf29b79f14ecb4f6ff8888edf1cf5ac765d6f33
Opcode Fuzzy Hash: a8d2b4e8dfa690370a989b939dbeab372a9d1e0b50fc46ed5e653c0b9347d609
Instruction Fuzzy Hash: F5539D70E442699EEF21DF98CC95BEDBBB5AB09304F1040E9D548BB281D7B16E84CF61

Function 04D97C37 Relevance: 44.9, APIs: 4, Strings: 21, Instructions: 1189COMMON

Download Yara Rule

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
h";, xrefs: 04D985EF
S4, xrefs: 04D97D99
f, xrefs: 04D98A9D
|h=1, xrefs: 04D985DC
]K, xrefs: 04D99341
ht, xrefs: 04D97CDD
2, xrefs: 04D97F5A
r, xrefs: 04D992AD
f, xrefs: 04D99383
x(, xrefs: 04D9868E
PhOg, xrefs: 04D98993
r, xrefs: 04D987AB
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
h1, xrefs: 04D985F4
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Ucopy$Allocate
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$ht$h1$r$r$t$x($|h=1$S4
API String ID: 1811393872-1841768753
Opcode ID: 7635ec59ae483fe9d73852fef1cda097dd1446b354a4b994895ddb034cfa83f3
Instruction ID: 2cbecc0e5ccadc19723609a0b458a8bbe1759fbfe3d968bb7823c7836a623580
Opcode Fuzzy Hash: 7635ec59ae483fe9d73852fef1cda097dd1446b354a4b994895ddb034cfa83f3
Instruction Fuzzy Hash: F9C236B0E00269DEEF21DF94CC95BEEBBB4BB05304F1441A9E549B7281E7716A84CF61

Function 04D97E69 Relevance: 41.4, APIs: 4, Strings: 19, Instructions: 1135COMMON

Download Yara Rule

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
h";, xrefs: 04D985EF
f, xrefs: 04D98A9D
|h=1, xrefs: 04D985DC
]K, xrefs: 04D99341
f, xrefs: 04D99383
2, xrefs: 04D97F5A
r, xrefs: 04D992AD
x(, xrefs: 04D9868E
PhOg, xrefs: 04D98993
r, xrefs: 04D987AB
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
h1, xrefs: 04D985F4
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID:
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 0-247542439
Opcode ID: b9f142c5962a70634a9656121db262726a056bacbe1bd797f08ac7510941e834
Instruction ID: f9aafab6bc99b0984c1c0e1a61eec7d7deaace9624e34f8b562eaf7357b359a0
Opcode Fuzzy Hash: b9f142c5962a70634a9656121db262726a056bacbe1bd797f08ac7510941e834
Instruction Fuzzy Hash: 2DB246B0E00269DEEF21DF94CC95AEEBBB4BB05308F1441A9E549B7281D7706E84DF61

Function 04D97F15 Relevance: 41.3, APIs: 4, Strings: 19, Instructions: 1079COMMON

Download Yara Rule

APIs

Part of subcall function 04D713C5: _Allocate.LIBCPMT ref: 04D71417
Part of subcall function 04D713C5: _Ucopy.LIBCPMT ref: 04D71428
Part of subcall function 04D713C5: _Ucopy.LIBCPMT ref: 04D71436
Part of subcall function 04D713C5: _Ucopy.LIBCPMT ref: 04D71444

ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 04D983BC

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
h";, xrefs: 04D985EF
f, xrefs: 04D98A9D
|h=1, xrefs: 04D985DC
]K, xrefs: 04D99341
f, xrefs: 04D99383
2, xrefs: 04D97F5A
r, xrefs: 04D992AD
x(, xrefs: 04D9868E
PhOg, xrefs: 04D98993
r, xrefs: 04D987AB
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
h1, xrefs: 04D985F4
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Ucopy$AllocateCreateRegion
String ID: C@$#$'`5x$2$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 2216468127-247542439
Opcode ID: e3edeb45877e9968d2ae061842c179aa32992bcd6bfdca6320f6fbf67259bdb0
Instruction ID: 781027ab458bbe8d8a47d7349538ce7e4ad86caed97a747fab67d30ab4cb3f1e
Opcode Fuzzy Hash: e3edeb45877e9968d2ae061842c179aa32992bcd6bfdca6320f6fbf67259bdb0
Instruction Fuzzy Hash: 8FB246B0E00269DEEF21DF94CC95BEEBBB4AB05308F1041A9E549B7281D7716E84DF61

Function 04D98060 Relevance: 39.7, APIs: 4, Strings: 18, Instructions: 1178COMMON

Download Yara Rule

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
h";, xrefs: 04D985EF
f, xrefs: 04D98A9D
|h=1, xrefs: 04D985DC
]K, xrefs: 04D99341
f, xrefs: 04D99383
r, xrefs: 04D992AD
x(, xrefs: 04D9868E
PhOg, xrefs: 04D98993
r, xrefs: 04D987AB
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
h1, xrefs: 04D985F4
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Ucopy$Allocate
String ID: C@$#$'`5x$PO$PhOg$Y$]K$e$f$f$h";$h&}$h1$r$r$t$x($|h=1
API String ID: 1811393872-3020287246
Opcode ID: da0202215328dfc5df4b1b3fd286dfaa80c90d5abd41475c9e8117687c55a628
Instruction ID: 51bc1a897dfa560a6aa0554fd956a27c5a79614e393275ac9474ce32a20f9f6e
Opcode Fuzzy Hash: da0202215328dfc5df4b1b3fd286dfaa80c90d5abd41475c9e8117687c55a628
Instruction Fuzzy Hash: 7FB247B0E10269DEEF21DF94CC95AEEBBB4BB05304F1041A9E549B7281E7706E84DF61

Function 04D98926 Relevance: 28.7, APIs: 3, Strings: 13, Instructions: 716COMMON

Download Yara Rule

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
f, xrefs: 04D98A9D
]K, xrefs: 04D99341
f, xrefs: 04D99383
r, xrefs: 04D992AD
PhOg, xrefs: 04D98993
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID:
String ID: C@$#$'`5x$PO$PhOg$Y$]K$e$f$f$h&}$r$t
API String ID: 0-446310366
Opcode ID: 57d6346f4f23aa74cedef5ad5d1a675f90517f9515f50c9c1ebbc1758f668ced
Instruction ID: 69c0937cc9251c67f9218d83684761981be3cf04cbe3040f987095f21d133e43
Opcode Fuzzy Hash: 57d6346f4f23aa74cedef5ad5d1a675f90517f9515f50c9c1ebbc1758f668ced
Instruction Fuzzy Hash: 0E6235B0E002699EEF21DF54CC94AEEBBB4BB15308F5440EAD549B7241EB706E84DF61

Function 04D94BDD Relevance: 14.6, APIs: 3, Strings: 5, Instructions: 598
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 04D94BE2
RegUnLoadKeyW.ADVAPI32(00000000,00000000,04D719D1,00000001,00000000), ref: 04D953EA

Part of subcall function 04D942FC: QueryDosDeviceW.KERNEL32(00000000,00000000,00000752), ref: 04D94318

EndMenu.USER32(04D719D1,00000001,00000000), ref: 04D9541E

Strings

#, xrefs: 04D94F9A
'`5x, xrefs: 04D94EB5
h&}, xrefs: 04D94F7A
Xx, xrefs: 04D94D62
PO, xrefs: 04D94E3C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DeviceH_prologLoadMenuQuery
String ID: '`5x$PO$Xx$h&}$#
API String ID: 2890571477-3551381960
Opcode ID: 92a08e9b0a675057034c71a62aa55a3f177f05a807d707e5a1f542ea469b6c73
Instruction ID: f392b8a8228158817737e19e78c4fb7b02cdd68029cdf5d7417da40fb0f3c7ed
Opcode Fuzzy Hash: 92a08e9b0a675057034c71a62aa55a3f177f05a807d707e5a1f542ea469b6c73
Instruction Fuzzy Hash: 27426AB1A01209EFDF14CF98D951AEDBBF5FB08308F5142AAE919BA281D770AD41CF54

Function 04D925BB Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 664
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 04D925C0

Strings

#, xrefs: 04D92A90
!, xrefs: 04D92814
'`5x, xrefs: 04D92E2F
PO, xrefs: 04D92DBF
h&}, xrefs: 04D92A79
Xx, xrefs: 04D9297C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: !$'`5x$PO$Xx$h&}$#
API String ID: 3519838083-2769257566
Opcode ID: 9f04767a7744db994432ce11b95548045b4ed67d0a980f755f6a1e37ddefd2b8
Instruction ID: a1e38c232a479d08cc3bda580666a58228acc04cf31f5d8a909b370ca87ffccd
Opcode Fuzzy Hash: 9f04767a7744db994432ce11b95548045b4ed67d0a980f755f6a1e37ddefd2b8
Instruction Fuzzy Hash: C1525EB0E0021AEFDF14CF94C885AEEBBB5FB45304F208569E515BB280D7756A85CFA1

Function 04D94590 Relevance: 8.0, APIs: 5, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 04D94595
GetDesktopWindow.USER32 ref: 04D94686
GetDC.USER32(00000000), ref: 04D9468D
GetTextExtentPointW.GDI32(00000000), ref: 04D94694
GetSysColorBrush.USER32(0000196A), ref: 04D94713

Part of subcall function 04D95FC5: GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000001,?,04D96141), ref: 04D95FDB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: BrushColorDesktopExtentH_prologOverlappedPointResultTextWindow
String ID:
API String ID: 251452265-0
Opcode ID: 2b5453814b4345033dd0c29ace4eeacf6e2f3d1df171427d37fe53fcb8bb4f24
Instruction ID: 22a873538f5aadd4136902aebe5e5b354271399edb5b50fedd9866e9484a7436
Opcode Fuzzy Hash: 2b5453814b4345033dd0c29ace4eeacf6e2f3d1df171427d37fe53fcb8bb4f24
Instruction Fuzzy Hash: 79125CB1A4434AAFEF14DF98D885AEE77F5FF05318F100519E921AB281D770AE51CBA0

Function 05262C29 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,00000002,?,?,052636FA,?,?,?,00000002,?,?,?), ref: 05262C45
GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,052636FA,?,?,?,00000002,?,?,?), ref: 05262C50

Memory Dump Source

Source File: 00000006.00000002.2292494766.0000000005141000.00000020.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000006.00000002.2292472579.0000000005140000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292599957.000000000529A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292889798.000000000570D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292916262.000000000570F000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5140000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3380c3e1711379748e4851ff1f634e08b48afb4093220cb0a0b35ee5a664fb53
Instruction ID: bf4b742a6b8b5f8d72febbdf2a4fbdcacbc2590d64488397abc5b719cb3fed5f
Opcode Fuzzy Hash: 3380c3e1711379748e4851ff1f634e08b48afb4093220cb0a0b35ee5a664fb53
Instruction Fuzzy Hash: 29D06736424209FF8F019FE1F80AC6A3FA9FF49224B058845F91C85151DE32A560AB65

Function 04D98A5B Relevance: 28.7, APIs: 3, Strings: 13, Instructions: 657
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PO, xrefs: 04D98D00
#, xrefs: 04D996F1
e, xrefs: 04D99185
f, xrefs: 04D98A9D
]K, xrefs: 04D99341
!, xrefs: 04D98A6C
f, xrefs: 04D99383
r, xrefs: 04D992AD
Y, xrefs: 04D992A6
h&}, xrefs: 04D98E6F
t, xrefs: 04D994DA
'`5x, xrefs: 04D98D9D
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopItemTextWindow
String ID: C@$!$#$'`5x$PO$Y$]K$e$f$f$h&}$r$t
API String ID: 2254304967-3921538676
Opcode ID: b8f915cb1852bf0a6bdb5d77aaf45cb56940db87457ed4d16f37d8a4150865df
Instruction ID: 71c85faa1e9f2ad0a572ecb63831c088e65ac49706e409006c9164b175d778e4
Opcode Fuzzy Hash: b8f915cb1852bf0a6bdb5d77aaf45cb56940db87457ed4d16f37d8a4150865df
Instruction Fuzzy Hash: 246224B0D002699EEF21DF54CC94BEEBBB4AB19308F5440E9D549B7241EB716E84CFA1

Function 04DB41F5 Relevance: 23.0, APIs: 15, Instructions: 504fileCOMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?), ref: 04DB421B
ReadConsoleW.KERNEL32(?,?,?,?,00000000), ref: 04DB4247
GetLastError.KERNEL32 ref: 04DB4251
__dosmaperr.LIBCMT ref: 04DB4258
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 04DB428B
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 04DB4351
GetLastError.KERNEL32 ref: 04DB435B
__lseeki64_nolock.LIBCMT ref: 04DB43C6
__lseeki64_nolock.LIBCMT ref: 04DB44D5
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 04DB44F4
_free.LIBCMT ref: 04DB4527
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 04DB465A
GetLastError.KERNEL32 ref: 04DB4664
__lseeki64_nolock.LIBCMT ref: 04DB46FE
GetLastError.KERNEL32(?,?,00000000), ref: 04DB4757

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: ErrorLastRead$File__lseeki64_nolock$Console$ByteCharModeMultiWide__dosmaperr_free
String ID:
API String ID: 3177247492-0
Opcode ID: 6cca11e7112e0426004a7b6084d8692f69dbc916b9251ed904bedfe8a030a46a
Instruction ID: ee7908cab1b05617acf2e35f15f4f9622a45011dc69e0e8019d1e83209db6110
Opcode Fuzzy Hash: 6cca11e7112e0426004a7b6084d8692f69dbc916b9251ed904bedfe8a030a46a
Instruction Fuzzy Hash: 3C02D231A04256DBDF20CFA8D844BEDBBB1FF05314F18855AD9D69B282D674A842CBE1

Function 04D82852 Relevance: 21.3, APIs: 14, Instructions: 260
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 04D828E0
GetDC.USER32(00000000), ref: 04D828E7
GetTextExtentPointW.GDI32(00000000), ref: 04D828EE
CreateFileMappingW.KERNELBASE(00000000,00000002,00000000,00000000,00000000,00000003,75A89CE0,?,00000000), ref: 04D82945
GetSysColorBrush.USER32(0000196A), ref: 04D82994
GetDesktopWindow.USER32 ref: 04D829A8
SetWindowTextW.USER32(00000000), ref: 04D829AF
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 04D829D4
GetDesktopWindow.USER32 ref: 04D82A41
SetDlgItemInt.USER32(00000000), ref: 04D82A48
GetDesktopWindow.USER32 ref: 04D82A6A
GetDC.USER32(00000000), ref: 04D82A71
SetViewportExtEx.GDI32(00000000), ref: 04D82A78
MapViewOfFile.KERNEL32(00000004,04D82769,?,?,?,?,?,?,?,04DCCF60,00000000), ref: 04D82B44

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$FileText$BrushColorCreateExtentFormatItemMappingMessagePointViewViewport
String ID:
API String ID: 2213085167-0
Opcode ID: f8ad10c2bc73af7de6249b27ffaa118e3a904ec599237d62ca181b1b54cd8c41
Instruction ID: 65c42532e9617e20e39ed78d3e6ae80659165456336b61b4d391c69c97f81310
Opcode Fuzzy Hash: f8ad10c2bc73af7de6249b27ffaa118e3a904ec599237d62ca181b1b54cd8c41
Instruction Fuzzy Hash: 16A167B0E40309EFEB10AFA4C8949FDBBB9FF45314F14829DE5516B281D7346A85CBA0

Function 04D820BE Relevance: 19.8, APIs: 13, Instructions: 288
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 04D8214C
GetDC.USER32(00000000), ref: 04D82153
GetTextExtentPointW.GDI32(00000000), ref: 04D8215A
GetSysColorBrush.USER32(0000196A), ref: 04D821D9
GetDesktopWindow.USER32 ref: 04D821F0
SetWindowTextW.USER32(00000000), ref: 04D821F7
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,75A89CE0,?,00000000), ref: 04D8221F
GetDesktopWindow.USER32 ref: 04D8228B
SetDlgItemInt.USER32(00000000), ref: 04D82292
GetDesktopWindow.USER32 ref: 04D822B5
GetDC.USER32(00000000), ref: 04D822BC
SetViewportExtEx.GDI32(00000000), ref: 04D822C3
CreateFileW.KERNEL32(000000F2,00000000,5C6F1BF5,8F93905C,00000000,00000003,75A89CE0,?,00000000), ref: 04D823AE

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorCreateExtentFileFormatItemMessagePointViewport
String ID:
API String ID: 349340697-0
Opcode ID: a80f41ee469a1324eed5f993ce967a9322bacc990dd652b44af2c9c725ba91cd
Instruction ID: 126f5719b3483fb1a2ca63ee7e948207e059189e8f45dc226e9e7aa3bccff362
Opcode Fuzzy Hash: a80f41ee469a1324eed5f993ce967a9322bacc990dd652b44af2c9c725ba91cd
Instruction Fuzzy Hash: CFA1A070E04304EAFB14AF99D8597BD7BB4FF44711F24C4ADE955AA2C0D7789A40CB60

Function 04D98EBB Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04D77C9C: char_traits.LIBCPMT ref: 04D77CB5

_fseek.LIBCMT ref: 04D98FD3
_fseek.LIBCMT ref: 04D98FE7

Part of subcall function 04DACA22: __lock_file.LIBCMT ref: 04DACA67
Part of subcall function 04DACA22: __fseek_nolock.LIBCMT ref: 04DACA76

__fread_nolock.LIBCMT ref: 04D9902D

Strings

]K, xrefs: 04D99341
f, xrefs: 04D99383
r, xrefs: 04D992AD
#, xrefs: 04D996F1
Y, xrefs: 04D992A6
e, xrefs: 04D99185
t, xrefs: 04D994DA
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _fseek$__fread_nolock__fseek_nolock__lock_filechar_traits
String ID: C@$#$Y$]K$e$f$r$t
API String ID: 15111844-2411602883
Opcode ID: 3241dd352ad6c87f7b7aa5b325d757fa4f0f931e758ed4a57b4f2acf04c5f0ae
Instruction ID: 6c768c4412ea1ee061577dde58bc8f1df971dd20365e2175aef23f89038e6e57
Opcode Fuzzy Hash: 3241dd352ad6c87f7b7aa5b325d757fa4f0f931e758ed4a57b4f2acf04c5f0ae
Instruction Fuzzy Hash: B41238B1D0126CAAEF21DB54CC98BDEBBB8AB15304F4041D9D549B7281EB716F88CF61

Function 04D98EAB Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseek.LIBCMT ref: 04D98FD3
_fseek.LIBCMT ref: 04D98FE7
__fread_nolock.LIBCMT ref: 04D9902D

Strings

]K, xrefs: 04D99341
f, xrefs: 04D99383
r, xrefs: 04D992AD
#, xrefs: 04D996F1
Y, xrefs: 04D992A6
e, xrefs: 04D99185
t, xrefs: 04D994DA
C@, xrefs: 04D994C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _fseek$__fread_nolock
String ID: C@$#$Y$]K$e$f$r$t
API String ID: 1795926144-2411602883
Opcode ID: 900d8b4765faa08b8f93b6f77b1a30e8e64cb852209fda78c7e73d2c79bf42cb
Instruction ID: 81210b191a256c73855b73b61dd3f8c22471db31bbaabb7e778571b9e864a558
Opcode Fuzzy Hash: 900d8b4765faa08b8f93b6f77b1a30e8e64cb852209fda78c7e73d2c79bf42cb
Instruction Fuzzy Hash: 281237B1D0126CAAEF21DB54CC98BDEBBB8AB15308F4041D9D549B7241EB716F88CF61

Function 04D825AC Relevance: 18.2, APIs: 12, Instructions: 178
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 04D8263E
GetDC.USER32(00000000), ref: 04D82641
GetTextExtentPointW.GDI32(00000000,?,?), ref: 04D82648
GetSysColorBrush.USER32(0000196A), ref: 04D826E0
GetDesktopWindow.USER32 ref: 04D826F7
SetWindowTextW.USER32(00000000), ref: 04D826FA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000002,00000021,00000003,?,?,?,00000000,00000000), ref: 04D82722
GetDesktopWindow.USER32 ref: 04D8279E
SetDlgItemInt.USER32(00000000,?,?), ref: 04D827A1
GetDesktopWindow.USER32 ref: 04D827C3
GetDC.USER32(00000000), ref: 04D827C6
SetViewportExtEx.GDI32(00000000,?,?), ref: 04D827CD

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: 88e0c22347199db3bad8911975488e66c986957782dc67211ec8446cff9da052
Instruction ID: 5876e4f7e11a7fd8c27d3ab4c5fdd5a0b0801d1f084aea1cc03bf3dfc618209d
Opcode Fuzzy Hash: 88e0c22347199db3bad8911975488e66c986957782dc67211ec8446cff9da052
Instruction Fuzzy Hash: 6F615AB0E00248FFDB11AFA5C8496BEBFB4FF45315F10C49EE855AA281D774A685CB60

Function 04DB4F40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsnicmp.LIBCMT ref: 04DB50F9
__wcsnicmp.LIBCMT ref: 04DB5118

Part of subcall function 04DABF95: __getptd_noexit.LIBCMT ref: 04DABF95

Strings

ccs, xrefs: 04DB50BA
UTF-8, xrefs: 04DB50F3
UNICODE, xrefs: 04DB5131
UTF-16LE, xrefs: 04DB5112

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: __wcsnicmp$__getptd_noexit
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 78897640-3573488595
Opcode ID: 17615e9e6a9f76fefd754ede959f0ae187c9695e0ac657d0e5e4794325628fbc
Instruction ID: ddea9b7e50f53f389da4b3d4b0886b973ccbea67d75a19ffcaffd9c26bfe46fd
Opcode Fuzzy Hash: 17615e9e6a9f76fefd754ede959f0ae187c9695e0ac657d0e5e4794325628fbc
Instruction Fuzzy Hash: 74513372F04702FAEB344E69B825BF53690BB0435CF18456AEDCB97281F6B4F28096D1

Function 04D9600C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 495
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 04D96011
GetVolumeInformationW.KERNEL32(00000002,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000003,00000003), ref: 04D96408
ExtCreateRegion.GDI32(00000000,0000254C,00000000), ref: 04D96664
GetFileSize.KERNEL32(00000000,00000000,00000002,00000004,00000000), ref: 04D9666D

Part of subcall function 04D95CA7: GetDesktopWindow.USER32 ref: 04D95CC6
Part of subcall function 04D95CA7: SetDlgItemTextW.USER32(00000000,?,04D95559), ref: 04D95CCD

Strings

x(, xrefs: 04D96293
!, xrefs: 04D9661B

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: CreateDesktopFileH_prologInformationItemRegionSizeTextVolumeWindow
String ID: !$x(
API String ID: 2925256546-3571294847
Opcode ID: 048d216a037152410d8069d4cfd1f63dbf0bf219969f52b793ec3ab9c7b29e82
Instruction ID: b9a88fc7848cff632e70d840c20782b6be9cea0b871eab3a19c128e2dedade56
Opcode Fuzzy Hash: 048d216a037152410d8069d4cfd1f63dbf0bf219969f52b793ec3ab9c7b29e82
Instruction Fuzzy Hash: EA1245B0E4421AEFEF10DF98C991AEEB7F5FB04304F104469E915BB281D7B5AA44CB61

Function 04D80806 Relevance: 10.6, APIs: 7, Instructions: 135
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 04D80898
GetDC.USER32(00000000), ref: 04D8089B
GetTextExtentPointW.GDI32(00000000), ref: 04D808A2
GetSysColorBrush.USER32(0000196A), ref: 04D80918
GetDesktopWindow.USER32 ref: 04D8092C
SetWindowTextW.USER32(00000000), ref: 04D8092F
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,75A89CE0,?,00000000), ref: 04D80954

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$DesktopText$BrushColorExtentFormatMessagePoint
String ID:
API String ID: 627555471-0
Opcode ID: 9e64fca325f04e780376efd24a93a0f52a05c6e7e158305946de6e2f996842b6
Instruction ID: 1740f555f34d6a5c0a7f2747023d8938547d976a0f8419d8d3f9d73808f6b9ec
Opcode Fuzzy Hash: 9e64fca325f04e780376efd24a93a0f52a05c6e7e158305946de6e2f996842b6
Instruction Fuzzy Hash: E05147B0E0020CFFEB11EF99C4949ADBBB4FB05315F15C15EE9696A241D334A689CF90

Function 04DB8F22 Relevance: 10.6, APIs: 7, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___createFile.LIBCMT ref: 04DB8F53

Part of subcall function 04DB8B74: ___crtIsPackagedApp.LIBCMT ref: 04DB8B7A
Part of subcall function 04DB8B74: GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,?,00000001,?,00000000,00000109), ref: 04DB8B8D
Part of subcall function 04DB8B74: GetProcAddress.KERNEL32(00000000), ref: 04DB8B94

GetLastError.KERNEL32 ref: 04DB8F7C
__dosmaperr.LIBCMT ref: 04DB8F83
GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 04DB8F96
GetLastError.KERNEL32 ref: 04DB8FB9
__dosmaperr.LIBCMT ref: 04DB8FC2
CloseHandle.KERNEL32(?), ref: 04DB8FCB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: ErrorFileHandleLast__dosmaperr$AddressCloseModulePackagedProcType___create___crt
String ID:
API String ID: 569456945-0
Opcode ID: 3b9445919200a701da683f157c2604a5fa54d79e3f392c9b87ff011fca97d56b
Instruction ID: 6b2163d996bb1fb4c95a6fa7bc397f1184abe15bdd17b289f3cf35bb3d9e5a7a
Opcode Fuzzy Hash: 3b9445919200a701da683f157c2604a5fa54d79e3f392c9b87ff011fca97d56b
Instruction Fuzzy Hash: D211E431B00202DFEB096F64DC54AAD7B25FF05214B18421AF9638B3D0DB39F811EB90

Function 04DAFC30 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 04DAFC30

Part of subcall function 04DAEAFE: EncodePointer.KERNEL32(00000000,00000001,04DAFC35,04DAD4DC,04DC8CE0,00000008,04DAD6A2,?,00000001,?,04DC8D00,0000000C,04DAD641,?,00000001,?), ref: 04DAEB01
Part of subcall function 04DAEAFE: __initp_misc_winsig.LIBCMT ref: 04DAEB1C
Part of subcall function 04DAEAFE: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 04DB59AD
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 04DB59C1
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 04DB59D4
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 04DB59E7
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 04DB59FA
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 04DB5A0D
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 04DB5A20
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 04DB5A33
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 04DB5A46
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 04DB5A59
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 04DB5A6C
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 04DB5A7F
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 04DB5A92
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 04DB5AA5
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 04DB5AB8
Part of subcall function 04DAEAFE: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 04DB5ACB

__mtinitlocks.LIBCMT ref: 04DAFC35
__mtterm.LIBCMT ref: 04DAFC3E

Part of subcall function 04DAFCA6: DeleteCriticalSection.KERNEL32(?,?,?,?,04DAD5A7,04DAD58D,04DC8CE0,00000008,04DAD6A2,?,00000001,?,04DC8D00,0000000C,04DAD641,?), ref: 04DB60BE
Part of subcall function 04DAFCA6: _free.LIBCMT ref: 04DB60C5
Part of subcall function 04DAFCA6: DeleteCriticalSection.KERNEL32(04DCC4B8,?,?,04DAD5A7,04DAD58D,04DC8CE0,00000008,04DAD6A2,?,00000001,?,04DC8D00,0000000C,04DAD641,?,00000001), ref: 04DB60E7

__calloc_crt.LIBCMT ref: 04DAFC63
__initptd.LIBCMT ref: 04DAFC85
GetCurrentThreadId.KERNEL32 ref: 04DAFC8C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: ef02e65ff7d81e6768fbe31e1a743ae17d84a112a07221039d3a2607c8b3e8cc
Instruction ID: 0325c575c1b6e1097e361351e01cab1df330faf6fcbb9be26040672a159ee5b4
Opcode Fuzzy Hash: ef02e65ff7d81e6768fbe31e1a743ae17d84a112a07221039d3a2607c8b3e8cc
Instruction Fuzzy Hash: 01F02B3230A3126AF6347B757C52A8B2B80DF01378B100A5DE8A5D61D4EF14F41185F0

Function 04DAC722 Relevance: 6.2, APIs: 4, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04DAC780
_memcpy_s.LIBCMT ref: 04DAC7F2
__filbuf.LIBCMT ref: 04DAC873
_memset.LIBCMT ref: 04DAC8B7

Part of subcall function 04DABF95: __getptd_noexit.LIBCMT ref: 04DABF95

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 489aa8885060dc1f206dc58b40215f1e2c3fff13f482bd878ea38537d7812e47
Instruction ID: d2a3a04fdc6bb372c749cfaaf9f848f675335561d69e7249e30c0ccda470d25f
Opcode Fuzzy Hash: 489aa8885060dc1f206dc58b40215f1e2c3fff13f482bd878ea38537d7812e47
Instruction Fuzzy Hash: B351C230B10309DBEB248F79C88066E77A1BF41B30F148729E875962D0E770F9719B92

Function 04D95B6B Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D95B70
GetDesktopWindow.USER32 ref: 04D95C6C
GetDC.USER32(00000000), ref: 04D95C73
GetTextExtentPoint32W.GDI32(00000000), ref: 04D95C7A

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPoint32TextWindow
String ID:
API String ID: 4235267150-0
Opcode ID: e68d06b41ad6247b2388806c6c1779f07d5541e547b9d44f8989ff6eae5863eb
Instruction ID: eacfbadee57b36ef3c8580422471137a5c814ad1b8567b69c34824092296d562
Opcode Fuzzy Hash: e68d06b41ad6247b2388806c6c1779f07d5541e547b9d44f8989ff6eae5863eb
Instruction Fuzzy Hash: 7531C772905245FEEF11DF60EDA4AEE7BE9EB05318F140169E845E7380D735AD04CBA1

Function 04DA7B07 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04DA7B57
GetDesktopWindow.USER32 ref: 04DA7B6B
SetWindowTextW.USER32(00000000), ref: 04DA7B72
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000002,00000000), ref: 04DA7B97

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: d61e758aa5bbae0c3d7d81d1e974cae70bfe7f50b5408f40a64c11d4515e9d61
Instruction ID: 262518a1cb59fef20d310f010093757a405bf079e4aa30f2ccc97c849fe79f29
Opcode Fuzzy Hash: d61e758aa5bbae0c3d7d81d1e974cae70bfe7f50b5408f40a64c11d4515e9d61
Instruction Fuzzy Hash: 8E2157B0E4430CFFEB00DF98D4949ADBF78EB04315F148199E85167381C3359A98CB50

Function 04D97843 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 04D9787B

Strings

h.I, xrefs: 04D978C2
xbftzkZErMGIHumMcosuOxQ, xrefs: 04D978A0

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memcmp
String ID: h.I$xbftzkZErMGIHumMcosuOxQ
API String ID: 2931989736-3166254412
Opcode ID: 4b7e77bb818eb6550f78a5edf61150678d8b24c53a9da0acf4a4e74350b63b28
Instruction ID: 2f1867b13b6dee0257aed7308e1799633ab63030ad014b2054df64917d9eacc8
Opcode Fuzzy Hash: 4b7e77bb818eb6550f78a5edf61150678d8b24c53a9da0acf4a4e74350b63b28
Instruction Fuzzy Hash: 2A11E23170421EFFEF049E689C41DEA37AAEB04704F104524FE14EB5D1E2B2ED218AE5

Function 04D7315C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 04D73182
std::_Xinvalid_argument.LIBCPMT ref: 04D731A1

Part of subcall function 04DA8863: std::exception::exception.LIBCMT ref: 04DA8876
Part of subcall function 04DA8863: __CxxThrowException@8.LIBCMT ref: 04DA888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D7319C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: 60f60e57e04d8dc213b308a0dabe58bbf2528177431f8ea2f13aab4561af154e
Instruction ID: ada2f777b9a20fadaa7ea606155f0254a1dc63167e56ba73e99cc5c3291c8ade
Opcode Fuzzy Hash: 60f60e57e04d8dc213b308a0dabe58bbf2528177431f8ea2f13aab4561af154e
Instruction Fuzzy Hash: EDF0A072104345AF9720DF29D4404A6B7E8EA56670320883FDDE9C3650FA30F4419B61

Function 04DA7DA6 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04DA7E31
GetDC.USER32(00000000), ref: 04DA7E38
GetTextExtentPointW.GDI32(00000000), ref: 04DA7E3F

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentPointTextWindow
String ID:
API String ID: 2168015606-0
Opcode ID: 71ed35dcb02656b4a4d898e3dd079b510e7d5a9a1d35b94afdf61a4fc8502ac8
Instruction ID: 7d7f3888bec6512eeadf66b7a41c8e0534cf1bebe0f86148dbf0f630e58d48cd
Opcode Fuzzy Hash: 71ed35dcb02656b4a4d898e3dd079b510e7d5a9a1d35b94afdf61a4fc8502ac8
Instruction Fuzzy Hash: B82124B0E00209EFDF119FA4C8959EEFFB8FF04719F5084AAE55566241D734AA91CF90

Function 04DA8A6D Relevance: 4.5, APIs: 3, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04DA8A85

Part of subcall function 04DAC44C: __FF_MSGBANNER.LIBCMT ref: 04DAC463
Part of subcall function 04DAC44C: __NMSG_WRITE.LIBCMT ref: 04DAC46A
Part of subcall function 04DAC44C: RtlAllocateHeap.NTDLL(030F0000,00000000,00000001,00000001,04D918DB,04D918DB,?,04DABDB1,00000001,00000000,00000003,00000000,?,04DABCEB,04DA887B,?), ref: 04DAC48F

std::exception::exception.LIBCMT ref: 04DA8AA3
__CxxThrowException@8.LIBCMT ref: 04DA8AB8

Part of subcall function 04DA9254: RaiseException.KERNEL32(?,?,04DA8890,04D918DB,00000003,?,?,?,?,?,04DA8890,04D918DB,04DC8A94,00000003), ref: 04DA92A9

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: 06b42f43b10f08b5c0b1045d9bd09ab9a8ec7f90a691c54d7750d572fcdbd42c
Instruction ID: 0167a9416660ba57be466d6743f86fc04f728f630cf957b25bd1c3533015d115
Opcode Fuzzy Hash: 06b42f43b10f08b5c0b1045d9bd09ab9a8ec7f90a691c54d7750d572fcdbd42c
Instruction Fuzzy Hash: BEE0307060420AA6EB01FBA4CC008AF7778EF00218F508565AC14A6691EF71FA25A5A1

Function 04DAC902 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04DAC931
__lock_file.LIBCMT ref: 04DAC952

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 52f1cbc98947fa1b8a001d047cb3efa54debe4612aec9751f8b6e13b1b3d4a94
Instruction ID: d2143fe76c3bd05adbb46bf3ec2b150b7343b59b42672e173830aac26ea6067f
Opcode Fuzzy Hash: 52f1cbc98947fa1b8a001d047cb3efa54debe4612aec9751f8b6e13b1b3d4a94
Instruction Fuzzy Hash: 2D01D471A00309EBDF22AF698C0099E7B61FF45735F088515F81416150D731E631DFA1

Function 04DAC6AB Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04DABF95: __getptd_noexit.LIBCMT ref: 04DABF95

__lock_file.LIBCMT ref: 04DAC6F0

Part of subcall function 04DB3959: __lock.LIBCMT ref: 04DB397C

__fclose_nolock.LIBCMT ref: 04DAC6FB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e2de542e199bbb59c7310b0364f9dc59700c941973c4010b0c0549d004cab5b1
Instruction ID: 4d7902c2762a5265bbc9e4aa06401766ece656a3410d91543b07039baed02be1
Opcode Fuzzy Hash: e2de542e199bbb59c7310b0364f9dc59700c941973c4010b0c0549d004cab5b1
Instruction Fuzzy Hash: 1EF0F071A107019BFB21BF35880476E67A0AF40738F1C89099454AB1E0DB7CB5129E66

Function 04DACE35 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 04DACE69
__ftell_nolock.LIBCMT ref: 04DACE74

Part of subcall function 04DABF95: __getptd_noexit.LIBCMT ref: 04DABF95

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: dac625914eb882388da85c3d9b6810f956481dd6930f64a5c30af457a60106d2
Instruction ID: d5c045e0b173e18148008394f0c42f34e24b17dca6ff0118b1a6c97b5f2f8dee
Opcode Fuzzy Hash: dac625914eb882388da85c3d9b6810f956481dd6930f64a5c30af457a60106d2
Instruction Fuzzy Hash: BBF0A771F206019AFB10BF7488017AE77A09F40739F154E059010EB1C0CF78BA529B65

Function 05258BC4 Relevance: 3.0, APIs: 2, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 05258BD8

Part of subcall function 05258EDB: __getptd_noexit.LIBCMT ref: 05258EDB

GetLastError.KERNEL32(00000000), ref: 05258BEA

Memory Dump Source

Source File: 00000006.00000002.2292494766.0000000005141000.00000020.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: true

Associated: 00000006.00000002.2292472579.0000000005140000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292599957.000000000529A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292889798.000000000570D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292916262.000000000570F000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5140000_rundll32.jbxd

Similarity

API ID: ErrorFreeHeapLast__getptd_noexit
String ID:
API String ID: 269751013-0
Opcode ID: 222e2a7e45364701c2da895944ea63534b23412daab3518d5b26c41f77db4570
Instruction ID: bdd8ee98b1b20d22059a08aaf7d245e2c8b9e6aa87b980274be93e33bd14b1f7
Opcode Fuzzy Hash: 222e2a7e45364701c2da895944ea63534b23412daab3518d5b26c41f77db4570
Instruction Fuzzy Hash: 4BE0ECB2224706EBDB256FA4A809B993FE8BF04265F209029F94AD6050EEB485919784

Function 04D9237A Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D9237F

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 934c0878d956f86586ff1062507744a1bc6f3e07d59b4458be1a404c30e033c4
Instruction ID: 434e47d6d2a906affaa90c50ba6cac7e2af133f2ca0aeda111c92373254f62f4
Opcode Fuzzy Hash: 934c0878d956f86586ff1062507744a1bc6f3e07d59b4458be1a404c30e033c4
Instruction Fuzzy Hash: 42616C71E4020AEFDF10CFD8C9859EEBBB5FB04705F20456AE655BA280D370AE41CB91

Function 04DA77D0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04DA77D5

Part of subcall function 04D824D8: __EH_prolog.LIBCMT ref: 04D824DD

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d7b3d7b419587e2c00622b055a21a6b6cff6d052ccdbf1ad7b1f03d5f1d43d13
Instruction ID: 031cd990a8a4003386f3986848d415f346a7b3f8d094eaa7c77adfe44b860b16
Opcode Fuzzy Hash: d7b3d7b419587e2c00622b055a21a6b6cff6d052ccdbf1ad7b1f03d5f1d43d13
Instruction Fuzzy Hash: 1321D271B00209AFEB04EFA888949FE7BA8FF09314F0041ADE855AB341DB70BA11C771

Function 04DA7BE3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04DA7BE8

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bfd8470808671b864b447fd95df1951401748f1a651de1df5ddfd3d1f19af70c
Instruction ID: ddc749c274c3b301e23cc87e947bb54ff25862b105ea5415c6b4ff7147ef8b28
Opcode Fuzzy Hash: bfd8470808671b864b447fd95df1951401748f1a651de1df5ddfd3d1f19af70c
Instruction Fuzzy Hash: 90219336A01208EBDF15FFA4C594AEDBBB5EF59304F24419DD806A7281DB31AF18C6B1

Function 04D93F6E Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D93F73

Part of subcall function 04D95B6B: __EH_prolog.LIBCMT ref: 04D95B70

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de3e0a13ffa4137abcda8ca26dfd299ffd5a55060135a39bafa1c801f464ac14
Instruction ID: 869695514de860df845960c532e7997324a5e95903058d05966175d52a3b5d3d
Opcode Fuzzy Hash: de3e0a13ffa4137abcda8ca26dfd299ffd5a55060135a39bafa1c801f464ac14
Instruction Fuzzy Hash: 36012171E01218BBDB20EA95C849FDF7F7CEB45A78F044159F849A6241C770A604C7F1

Function 04D9B587 Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,04D9B55F,00000002,00000001,00000B83,00005234,00000001,000069A2,00005100), ref: 04D9B5CB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: ba1eb5fe05a45674083ebf7f696d027c669cc83010b1e2fdcbd012f2092ab60e
Instruction ID: f8026b0e131c4562fa8fc5d41cba8581b2a8968d9698d17ee30b78acecb89673
Opcode Fuzzy Hash: ba1eb5fe05a45674083ebf7f696d027c669cc83010b1e2fdcbd012f2092ab60e
Instruction Fuzzy Hash: B1F04F71244249AFFF119E64E84ABFA3BA8EB41718F080185F94DCA5D2C675ACA5C760

Function 04D8DA35 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8DA3A

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 17db06e865cc6cba060df53d4dfffcd13a9b5ef934ce121c111249a8b51ab29c
Instruction ID: a82fe6d6644787a4940a9af7e236a71940566b4564ff66cd57b93a63cb42759c
Opcode Fuzzy Hash: 17db06e865cc6cba060df53d4dfffcd13a9b5ef934ce121c111249a8b51ab29c
Instruction Fuzzy Hash: A8E08CB0A14158CBFB14FF48D4002FDB7B5EB94608F00068EA44A93380DFB47E0087E1

Non-executed Functions

Function 04D8C8F0 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 319windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D8C989
GetDC.USER32(00000000), ref: 04D8C98C
GetTextExtentPointW.GDI32(00000000,?,00000000), ref: 04D8C98F
GetSysColorBrush.USER32(0000196A), ref: 04D8C9F7
GetDesktopWindow.USER32 ref: 04D8CA0E
SetWindowTextW.USER32(00000000), ref: 04D8CA11
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,?,?,00000000), ref: 04D8CA39
GetDesktopWindow.USER32 ref: 04D8CA98
SetDlgItemInt.USER32(00000000,?,00000000), ref: 04D8CA9B
GetDesktopWindow.USER32 ref: 04D8CABE
GetDC.USER32(00000000), ref: 04D8CAC1
SetViewportExtEx.GDI32(00000000,?,00000000), ref: 04D8CAC4
_memset.LIBCMT ref: 04D8CB4D
_memset.LIBCMT ref: 04D8CBA1

Strings

jt, xrefs: 04D8CADF, 04D8CB03, 04D8CAE2, 04D8CB49, 04D8CB9D
jt, xrefs: 04D8CC0D, 04D8CC1D

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text_memset$BrushColorExtentFormatItemMessagePointViewport
String ID: jt$jt
API String ID: 967997722-2819724509
Opcode ID: 87e0a8e123b951d0920b95d195849eaa097c9fc702b4a3fb4fae713a438c1c16
Instruction ID: 52b6e6dfac3483619b849939e010832135da081fda9afac589e130d0cd8e8b14
Opcode Fuzzy Hash: 87e0a8e123b951d0920b95d195849eaa097c9fc702b4a3fb4fae713a438c1c16
Instruction Fuzzy Hash: 13C1C1B0E1434AEADB15EFA8C8847BEBFB4FF85B04F14819DD4916B281D3746645CBA0

Function 04D78D0E Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 284libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 04D790FE

Strings

A, xrefs: 04D78D91
;, xrefs: 04D78F33
(, xrefs: 04D78F0B
%, xrefs: 04D78F6B
B, xrefs: 04D78D45
W, xrefs: 04D78D7D
4, xrefs: 04D78F13
T, xrefs: 04D78D89
V, xrefs: 04D78D75
', xrefs: 04D78D4D
., xrefs: 04D78D55
", xrefs: 04D78F5B
^, xrefs: 04D78D6D

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: "$%$'$($.$4$;$A$B$T$V$W$^
API String ID: 190572456-504311776
Opcode ID: 488c34f78fa4749e59f5c102f52d347c34073eb4894beabde1a5147ee2b23483
Instruction ID: 0a1368f59dbefba4048bf6f54defaf8dd71d8412e4650c4bbc6343a45ab9c22e
Opcode Fuzzy Hash: 488c34f78fa4749e59f5c102f52d347c34073eb4894beabde1a5147ee2b23483
Instruction Fuzzy Hash: 52E18C709082DDCEEF05CBB8D5587EDBFF0AB06309F1441AED495A7282E3795A44DB21

Function 04D8FAE6 Relevance: 19.7, APIs: 13, Instructions: 185windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8FAEB
GetDesktopWindow.USER32 ref: 04D8FB7F
GetDC.USER32(00000000), ref: 04D8FB82
GetTextExtentPointW.GDI32(00000000), ref: 04D8FB89
GetSysColorBrush.USER32(0000196A), ref: 04D8FC04
GetDesktopWindow.USER32 ref: 04D8FC1B
SetWindowTextW.USER32(00000000), ref: 04D8FC1E
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,?,00000002), ref: 04D8FC46
GetDesktopWindow.USER32 ref: 04D8FCC8
SetDlgItemInt.USER32(00000000), ref: 04D8FCCB
GetDesktopWindow.USER32 ref: 04D8FCEE
GetDC.USER32(00000000), ref: 04D8FCF1
SetViewportExtEx.GDI32(00000000), ref: 04D8FCF8

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatH_prologItemMessagePointViewport
String ID:
API String ID: 3397956014-0
Opcode ID: f166ed5d9f2b078aa0584721abc1a1180f1548eebfa3a421d5498fb62633fe36
Instruction ID: 78df8054acd18d68bf5881bff7bb740e8f6ff8c30eb179b6c9420822c4880805
Opcode Fuzzy Hash: f166ed5d9f2b078aa0584721abc1a1180f1548eebfa3a421d5498fb62633fe36
Instruction Fuzzy Hash: FF715FB0E0425ADFDB14EFA8D9596FEBBB4FF44305F20445DE905B6280D7346A80CBA1

Function 04D841D7 Relevance: 19.7, APIs: 13, Instructions: 179windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D841DC
GetDesktopWindow.USER32 ref: 04D84270
GetDC.USER32(00000000), ref: 04D84273
GetTextExtentPointW.GDI32(00000000), ref: 04D8427A
GetSysColorBrush.USER32(0000196A), ref: 04D84303
GetDesktopWindow.USER32 ref: 04D8431A
SetWindowTextW.USER32(00000000), ref: 04D8431D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D84345
GetDesktopWindow.USER32 ref: 04D843AE
SetDlgItemInt.USER32(00000000), ref: 04D843B1
GetDesktopWindow.USER32 ref: 04D843D3
GetDC.USER32(00000000), ref: 04D843D6
SetViewportExtEx.GDI32(00000000), ref: 04D843DD

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatH_prologItemMessagePointViewport
String ID:
API String ID: 3397956014-0
Opcode ID: e91c9e875b681555a1123e6be8d6999b39ee303497ab4bde373e3cb0f66f4424
Instruction ID: 7829e04c36de35d13f4e0a98e4d3c6973cea6ab4731c29e271a7e67c7404b1f9
Opcode Fuzzy Hash: e91c9e875b681555a1123e6be8d6999b39ee303497ab4bde373e3cb0f66f4424
Instruction Fuzzy Hash: CE714A74E0520AEBDB14EFA8C4496FEBBB5FF44315F20815EE8557B280E7345A40CBA1

Function 04D91281 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 370COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D91346
_memmove.LIBCMT ref: 04D91378
_memmove.LIBCMT ref: 04D913AD
_memmove.LIBCMT ref: 04D91435
_memmove.LIBCMT ref: 04D914AC
_memmove.LIBCMT ref: 04D91517
_memmove.LIBCMT ref: 04D9155B
_memmove.LIBCMT ref: 04D91598
std::_Xinvalid_argument.LIBCPMT ref: 04D915C5

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D915CA
DwKoYBuJCEyytDi, xrefs: 04D915C0

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: 6e7d40ac24d4717de0a3a62eab71dbbd1de287e673dbd9b7d64878d52d342fcf
Instruction ID: 8ea9ac435bcff5311815ca4b58b2380cacea6503703c81019ee7b0b81f4e5d13
Opcode Fuzzy Hash: 6e7d40ac24d4717de0a3a62eab71dbbd1de287e673dbd9b7d64878d52d342fcf
Instruction Fuzzy Hash: 42D12671B0060AEBEF60CF58D98199EB7F5FB48744B144929E986CB600E730FE51CBA1

Function 04D855A1 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D855F6
GetDesktopWindow.USER32 ref: 04D8560A
SetWindowTextW.USER32(00000000), ref: 04D8560D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,null,00000000,00000000), ref: 04D85632
GetDesktopWindow.USER32 ref: 04D8569F
SetDlgItemInt.USER32(00000000), ref: 04D856A2
GetDesktopWindow.USER32 ref: 04D856C4
GetDC.USER32(00000000), ref: 04D856C7
SetViewportExtEx.GDI32(00000000), ref: 04D856CE

Strings

\u%04X, xrefs: 04D8571D
null, xrefs: 04D855D2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID: \u%04X$null
API String ID: 654738355-3369567502
Opcode ID: d126bb7a12fd89e05911a32fac81c600e0fd5894dc03d77165a25dd140e40a70
Instruction ID: 49b1a13f7a6f98978106437954e3b06a3f9f89fc5abe9606893f3b3fe01d2b33
Opcode Fuzzy Hash: d126bb7a12fd89e05911a32fac81c600e0fd5894dc03d77165a25dd140e40a70
Instruction Fuzzy Hash: 325199B0E84349FBEF10EFA4A8A99FDBBB4FF01354F14849DE4516B281D2356A44CB60

Function 04D853DF Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D85434
GetDesktopWindow.USER32 ref: 04D85448
SetWindowTextW.USER32(00000000), ref: 04D8544B
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,null,00000000,00000000), ref: 04D85470
GetDesktopWindow.USER32 ref: 04D854DD
SetDlgItemInt.USER32(00000000), ref: 04D854E0
GetDesktopWindow.USER32 ref: 04D85502
GetDC.USER32(00000000), ref: 04D85505
SetViewportExtEx.GDI32(00000000), ref: 04D8550C

Strings

\u%04X, xrefs: 04D8555B
null, xrefs: 04D85410

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID: \u%04X$null
API String ID: 654738355-3369567502
Opcode ID: 22c9572caa0d4b94411c2758e81e5be5ec96af33c41cecb8792adae702c46e33
Instruction ID: a0640053ce010e57ae46e8b474094264832366a7ac7c4cfe7a2050978f102354
Opcode Fuzzy Hash: 22c9572caa0d4b94411c2758e81e5be5ec96af33c41cecb8792adae702c46e33
Instruction Fuzzy Hash: 98518BB0E84359FBEF10EFA8A8689BEBFB5FF01315F14809DE4516B281D63566448B60

Function 04D90120 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 04D90171

Part of subcall function 04D71070: std::exception::exception.LIBCMT ref: 04DA8848
Part of subcall function 04D71070: __CxxThrowException@8.LIBCMT ref: 04DA885D

_memset.LIBCMT ref: 04D90189
_memmove.LIBCMT ref: 04D90199
_memmove.LIBCMT ref: 04D901AC
_memmove.LIBCMT ref: 04D901F3
_memset.LIBCMT ref: 04D9020B
_memmove.LIBCMT ref: 04D90230
_memmove.LIBCMT ref: 04D9024E
_memset.LIBCMT ref: 04D9025B
std::_Xinvalid_argument.LIBCPMT ref: 04D9027B

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D90276

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$_memset$AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2080731275-3797114014
Opcode ID: 3b76ceba6d4237f5e15e635ddc5eafc09266ab8689e03417526ee1d3713ae827
Instruction ID: db667004b573eeb01775f24d5960074327d905a1ff5a5f71850f8ca65d545c90
Opcode Fuzzy Hash: 3b76ceba6d4237f5e15e635ddc5eafc09266ab8689e03417526ee1d3713ae827
Instruction Fuzzy Hash: 2C414AB160011AAFDB05EF7CDD949AABBE8FF49214B148629F819D7240D730FD60DBA0

Function 04D89536 Relevance: 18.2, APIs: 12, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D895C8
GetDC.USER32(00000000), ref: 04D895CB
GetTextExtentPointW.GDI32(00000000), ref: 04D895D2
GetDesktopWindow.USER32 ref: 04D8962B
SetDlgItemInt.USER32(00000000), ref: 04D8962E
GetDesktopWindow.USER32 ref: 04D89651
GetDC.USER32(00000000), ref: 04D89654
SetViewportExtEx.GDI32(00000000), ref: 04D8965B
GetSysColorBrush.USER32(0000196A), ref: 04D896F3
GetDesktopWindow.USER32 ref: 04D8970A
SetWindowTextW.USER32(00000000), ref: 04D8970D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,Function_00010C5B,00000000,?,00000000,00003CD6), ref: 04D89735

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: 788dd4fc676051746683beec19a1160e2ea49c8919c88a0f96e73941637ee586
Instruction ID: a2cd474f6e7ef7e6a22140c12222cf76c68f2618531df803b9415f60702f35cd
Opcode Fuzzy Hash: 788dd4fc676051746683beec19a1160e2ea49c8919c88a0f96e73941637ee586
Instruction Fuzzy Hash: 4B7149B0E04248FEDB11EFA4C859AFEBFB4FF45315F108499E895AA281D735A640CF60

Function 04D892F3 Relevance: 18.2, APIs: 12, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D89385
GetDC.USER32(00000000), ref: 04D89388
GetTextExtentPointW.GDI32(00000000), ref: 04D8938F
GetDesktopWindow.USER32 ref: 04D893E8
SetDlgItemInt.USER32(00000000), ref: 04D893EB
GetDesktopWindow.USER32 ref: 04D8940E
GetDC.USER32(00000000), ref: 04D89411
SetViewportExtEx.GDI32(00000000), ref: 04D89418
GetSysColorBrush.USER32(0000196A), ref: 04D894B0
GetDesktopWindow.USER32 ref: 04D894C7
SetWindowTextW.USER32(00000000), ref: 04D894CA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,Function_00010C5B,00000000), ref: 04D894F2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: cae0eeb1b52e789a941adce81c3b27ff0af1a5da02c361c51d18a876156dc3a2
Instruction ID: 36d93eec62ebd8bd7259ad7abd1d8c88b4142865e1a6c0463b023ec91e4eaaa5
Opcode Fuzzy Hash: cae0eeb1b52e789a941adce81c3b27ff0af1a5da02c361c51d18a876156dc3a2
Instruction Fuzzy Hash: 4D7138B0E04248FADF11EFA8C858AFEBFB4EF45315F10C499E895AA291D3349644CB60

Function 04D968CB Relevance: 18.2, APIs: 12, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D9695D
GetDC.USER32(00000000), ref: 04D96960
GetTextExtentPointW.GDI32(00000000), ref: 04D96967
GetSysColorBrush.USER32(0000196A), ref: 04D969DF
GetDesktopWindow.USER32 ref: 04D969F3
SetWindowTextW.USER32(00000000), ref: 04D969F6
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000003,FFFFFFFE,?,00000000,00003B8A,?,00000001), ref: 04D96A1B
GetDesktopWindow.USER32 ref: 04D96A77
SetDlgItemInt.USER32(00000000), ref: 04D96A7A
GetDesktopWindow.USER32 ref: 04D96A9C
GetDC.USER32(00000000), ref: 04D96A9F
SetViewportExtEx.GDI32(00000000), ref: 04D96AA6

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$BrushColorExtentFormatItemMessagePointViewport
String ID:
API String ID: 1998102902-0
Opcode ID: d983f0b58f6e91b6867dcddda83ce7832af6562f4d4b38c65a3a1c39d72c3234
Instruction ID: 07c402c215acaa30fa971377bc59bf721c8f8be971fcdf8a2d61058c28792da2
Opcode Fuzzy Hash: d983f0b58f6e91b6867dcddda83ce7832af6562f4d4b38c65a3a1c39d72c3234
Instruction Fuzzy Hash: 986116B4E84348FFDF10DFA488945AEBFB4FB05315F148499E5A1AB281D235AA45CFA0

Function 04DAE92E Relevance: 18.1, APIs: 12, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00000001,04DAD56B,04DC8CE0,00000008,04DAD6A2,?,00000001,?,04DC8D00,0000000C,04DAD641,?,00000001,?), ref: 04DAE936
_free.LIBCMT ref: 04DAE94F

Part of subcall function 04DAC414: RtlFreeHeap.NTDLL(00000000,00000000,?,04DAFB6E,00000000,00000001,00000000,00000003,00000000,?,04DABCEB,04DA887B,?), ref: 04DAC428
Part of subcall function 04DAC414: GetLastError.KERNEL32(00000000,?,04DAFB6E,00000000,00000001,00000000,00000003,00000000,?,04DABCEB,04DA887B,?), ref: 04DAC43A

_free.LIBCMT ref: 04DAE962
_free.LIBCMT ref: 04DAE980
_free.LIBCMT ref: 04DAE992
_free.LIBCMT ref: 04DAE9A3
_free.LIBCMT ref: 04DAE9AE
_free.LIBCMT ref: 04DAE9D2
EncodePointer.KERNEL32(03133B30), ref: 04DAE9D9
_free.LIBCMT ref: 04DAE9EE
_free.LIBCMT ref: 04DAEA04
_free.LIBCMT ref: 04DAEA2C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 545ab8eba0ae5d4026cd85294086c09c6c66e3223b7a1fa2d216216da7476b0e
Instruction ID: e855dae2efbdba2c23174c7ccf95830000e98b71c2ff4ce5fc3ece9dd1b7b17d
Opcode Fuzzy Hash: 545ab8eba0ae5d4026cd85294086c09c6c66e3223b7a1fa2d216216da7476b0e
Instruction Fuzzy Hash: 5021C772A412238BEB20AF24F9A056577A1FB05770318453EE44593385CFBCBC61CBB4

Function 04D9C20F Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 429COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D9C214
QueryDosDeviceW.KERNEL32(00000000,00000000,00000752,00000000), ref: 04D9C239
char_traits.LIBCPMT ref: 04D9C338

Strings

\, xrefs: 04D9C3BC
\..\, xrefs: 04D9C32F, 04D9C337, 04D9C340, 04D9C603, 04D9C618, 04D9C718

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DeviceH_prologQuerychar_traits
String ID: \$\..\
API String ID: 1264856077-605892584
Opcode ID: ce74011c0ae5a505b51d87df627d27b244f242e9f44735be6c7d60f43eb1a9ed
Instruction ID: bd6a4e02d5cd5d80ffdac67f80aa29c26255a89d79e51323b622b77bf98626c0
Opcode Fuzzy Hash: ce74011c0ae5a505b51d87df627d27b244f242e9f44735be6c7d60f43eb1a9ed
Instruction Fuzzy Hash: 2DF13AB1E14219AFEF14DFA8C885AFEBBB8FB09708F144069E515F6280D7746E41CB61

Function 04DA48CB Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04DA491F
GetDesktopWindow.USER32 ref: 04DA4933
SetWindowTextW.USER32(00000000), ref: 04DA4936
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04DA495B
GetDesktopWindow.USER32 ref: 04DA49DB
SetDlgItemInt.USER32(00000000), ref: 04DA49DE
GetDesktopWindow.USER32 ref: 04DA4A08
GetDC.USER32(00000000), ref: 04DA4A0B
SetViewportExtEx.GDI32(00000000), ref: 04DA4A12
_abort.LIBCMT ref: 04DA4A18

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport_abort
String ID:
API String ID: 50134168-0
Opcode ID: fa5495a2ddfa307165b63b57d7661027579ba39f5c2ca6e87fd0b02b4380a09f
Instruction ID: 7cef3db9b141d0c1967b05c4c0cbfc7b553387b91ef55890dfe7190a1cead334
Opcode Fuzzy Hash: fa5495a2ddfa307165b63b57d7661027579ba39f5c2ca6e87fd0b02b4380a09f
Instruction Fuzzy Hash: F2419DB0E88388FBEB00DFE8989999DBF78EB02315F10859DE5517B281D2B56664CF50

Function 04D85173 Relevance: 13.6, APIs: 9, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D851E8
GetDesktopWindow.USER32 ref: 04D851FC
SetWindowTextW.USER32(00000000), ref: 04D851FF
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000400,?,00000000,75A89CE0,00000000), ref: 04D85224
GetDesktopWindow.USER32 ref: 04D8528C
SetDlgItemInt.USER32(00000000,?,00000000,75A89CE0), ref: 04D8528F
GetDesktopWindow.USER32 ref: 04D852B1
GetDC.USER32(00000000), ref: 04D852B4
SetViewportExtEx.GDI32(00000000,?,00000000,75A89CE0), ref: 04D852BB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID:
API String ID: 654738355-0
Opcode ID: db974f6cadbd22b136b006a25ff165a68083b5bc5817c39572a75060747e00e8
Instruction ID: df268fbcd2a7d9475fca9207b448cf6313ff1b4f3c7072673da97311e1315d5e
Opcode Fuzzy Hash: db974f6cadbd22b136b006a25ff165a68083b5bc5817c39572a75060747e00e8
Instruction Fuzzy Hash: C5417C70A40389FBDB10EF98A9689EE7BB8EB01309F54455CE8516B381D774AE14DBA0

Function 04D84ADE Relevance: 13.6, APIs: 9, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D84B4A
GetDesktopWindow.USER32 ref: 04D84B61
SetWindowTextW.USER32(00000000), ref: 04D84B64
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,00000000,00000002), ref: 04D84B8C
GetDesktopWindow.USER32 ref: 04D84BF6
SetDlgItemInt.USER32(00000000,?,00000000,00000002), ref: 04D84BF9
GetDesktopWindow.USER32 ref: 04D84C1C
GetDC.USER32(00000000), ref: 04D84C1F
SetViewportExtEx.GDI32(00000000,?,00000000,00000002), ref: 04D84C26

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$BrushColorFormatItemMessageTextViewport
String ID:
API String ID: 654738355-0
Opcode ID: e9feca81f4193e9181ce030909c8359f465339ebbf5a1583fef25374a95fecff
Instruction ID: a193468ab3b8be221fda1c577f1d64ed59e144613146f88fb4af4a4051cabeaa
Opcode Fuzzy Hash: e9feca81f4193e9181ce030909c8359f465339ebbf5a1583fef25374a95fecff
Instruction Fuzzy Hash: 1341AF70D04349FEEB04AFA8D848BBDBFB8FF94305F04C19DE45466281E2746685CB50

Function 04D713C5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 04D71417

Part of subcall function 04D8D594: std::exception::exception.LIBCMT ref: 04DA8848
Part of subcall function 04D8D594: __CxxThrowException@8.LIBCMT ref: 04DA885D

_Ucopy.LIBCPMT ref: 04D71436
_Ucopy.LIBCPMT ref: 04D71444
_Ucopy.LIBCPMT ref: 04D71428

Part of subcall function 04D71575: _memmove.LIBCMT ref: 04D71589

_Ucopy.LIBCPMT ref: 04D7147D
std::_Xinvalid_argument.LIBCPMT ref: 04D714A8

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D714A3

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Ucopy$AllocateException@8ThrowXinvalid_argument_memmovestd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 1826209128-3797114014
Opcode ID: 37f695e8087a3e37179db14833452ea3d9433976c98889cfb385809326a613aa
Instruction ID: 73d50b66cc4bf401c6d134c5a474bf09d89ca5654141c4885e648e6efe3979d2
Opcode Fuzzy Hash: 37f695e8087a3e37179db14833452ea3d9433976c98889cfb385809326a613aa
Instruction Fuzzy Hash: 85214F75A00119BFDB159F68CC49D6EBBB9FB44314B144729F81597350EB31FD20DA90

Function 04DAD30D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCompleteObject.LIBCMT ref: 04DAD32E
FindMITargetTypeInstance.LIBCMT ref: 04DAD367

Part of subcall function 04DACFCD: PMDtoOffset.LIBCMT ref: 04DAD05F

FindVITargetTypeInstance.LIBCMT ref: 04DAD36E
PMDtoOffset.LIBCMT ref: 04DAD37F
std::bad_exception::bad_exception.LIBCMT ref: 04DAD3A8
__CxxThrowException@8.LIBCMT ref: 04DAD3B6

Strings

ekLDdEOoyHpNjyypF, xrefs: 04DAD3A0

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Find$InstanceOffsetTargetType$CompleteException@8ObjectThrowstd::bad_exception::bad_exception
String ID: ekLDdEOoyHpNjyypF
API String ID: 1565299582-2829376797
Opcode ID: 7634fbc31b31beb87559008602c95feb036adfed66b9550b9a9bb77abdccb05c
Instruction ID: 9d5f5e07201a72886890851d5c5ea179861e7bbd06559ec1868a0bcdeb299b5f
Opcode Fuzzy Hash: 7634fbc31b31beb87559008602c95feb036adfed66b9550b9a9bb77abdccb05c
Instruction Fuzzy Hash: CD219DB2B002059FDF14EFA8CD41AAE7B66FF48714F144449F915A7680DB38F925DBA0

Function 04D915D5 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D91669
_memmove.LIBCMT ref: 04D916C9
_memmove.LIBCMT ref: 04D916F1
std::_Xinvalid_argument.LIBCPMT ref: 04D91727

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D915CA, 04D91718
DwKoYBuJCEyytDi, xrefs: 04D915C0, 04D91722

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: 5c8522a3a60e9e1a6936ffe96cba549c52b63f730a35468289ef32773be46cc6
Instruction ID: f5e7a0985df9d6d8c6256cc869d6b258b3d6e0720feb664745d83ef0619f3ffa
Opcode Fuzzy Hash: 5c8522a3a60e9e1a6936ffe96cba549c52b63f730a35468289ef32773be46cc6
Instruction Fuzzy Hash: D0519B31B00207DBFF24CE58D984A6EB7EAFB81740B080A29E886C7640D770FD55DBA1

Function 04D844E8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D84550
std::_Xinvalid_argument.LIBCPMT ref: 04D84588
_memmove.LIBCMT ref: 04D845FE
std::_Xinvalid_argument.LIBCPMT ref: 04D8462A

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D84579
DwKoYBuJCEyytDi, xrefs: 04D84583, 04D84625

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: 2e3c9a58d4f1eb4a04651deb4d6c054e7413b224c0591acf3fd15e1343d349e6
Instruction ID: d5d7a161b9b2d09c95343e97e492dd129f31ba15c24b3ddeba5eb887a7644399
Opcode Fuzzy Hash: 2e3c9a58d4f1eb4a04651deb4d6c054e7413b224c0591acf3fd15e1343d349e6
Instruction Fuzzy Hash: C24194713003029FDB34EE69D884A7EB7A9EF41764B04096DE89687681E770F945CBA1

Function 04D97907 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D97982
_memmove.LIBCMT ref: 04D979C5
_memmove.LIBCMT ref: 04D979EF
std::_Xinvalid_argument.LIBCPMT ref: 04D97A1B

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D97A20
DwKoYBuJCEyytDi, xrefs: 04D97A16

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 1771113911-141594409
Opcode ID: 8cc41154bcc3554ce768399e649361d3d0e71404b011be9a433140c61b5ab744
Instruction ID: 4a8ea49adcd5ebcb98df429bfb87521ef815c47df6d7f49af8ec0a48cf22e8b2
Opcode Fuzzy Hash: 8cc41154bcc3554ce768399e649361d3d0e71404b011be9a433140c61b5ab744
Instruction Fuzzy Hash: 1D417E35320205EBDF24CF58D88099A77E6FB86704B204A2DE896CB281D731FD44CBA1

Function 04D877FC Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D87801
GetDesktopWindow.USER32 ref: 04D87834
SetDlgItemInt.USER32(00000000,?,00000000), ref: 04D8783B
GetDesktopWindow.USER32 ref: 04D8785D
GetDC.USER32(00000000), ref: 04D87864
SetViewportExtEx.GDI32(00000000,?,00000000), ref: 04D8786B
__aulldvrm.LIBCMT ref: 04D878C5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: e48b26cf261ad55c9fdb76818770056530f0d17e959f929bf4512374211b0d68
Instruction ID: 73463af976742ab9801e6cfdbea803f6e282a1f41334da6134048588a2ffe403
Opcode Fuzzy Hash: e48b26cf261ad55c9fdb76818770056530f0d17e959f929bf4512374211b0d68
Instruction Fuzzy Hash: 5A319075E00248EFDF10EFA8D894AEDBBB9FF48744F24845DF505A7280C6306A44CBA1

Function 04D875C7 Relevance: 10.6, APIs: 7, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D875CC
GetDesktopWindow.USER32 ref: 04D875FF
SetDlgItemInt.USER32(00000000), ref: 04D87606
GetDesktopWindow.USER32 ref: 04D87628
GetDC.USER32(00000000), ref: 04D8762F
SetViewportExtEx.GDI32(00000000), ref: 04D87636
__aulldvrm.LIBCMT ref: 04D87688

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: fe76c45d43b1282201640ef747eff56cc546aa8f974160f91eb0b7016dd21706
Instruction ID: 658bc233eeb29f7478805d3cacd70ea24971cb6ceb64580143c664c4a764cbb0
Opcode Fuzzy Hash: fe76c45d43b1282201640ef747eff56cc546aa8f974160f91eb0b7016dd21706
Instruction Fuzzy Hash: A4318F71E00248EFEF10EFA8DCA5AEEBBB8EB44754F14405DF505B7281C6345A44CBA1

Function 04D87929 Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8792E
GetDesktopWindow.USER32 ref: 04D87961
SetDlgItemInt.USER32(00000000), ref: 04D87968
GetDesktopWindow.USER32 ref: 04D8798A
GetDC.USER32(00000000), ref: 04D87991
SetViewportExtEx.GDI32(00000000), ref: 04D87998
__aulldvrm.LIBCMT ref: 04D879E4

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport__aulldvrm
String ID:
API String ID: 1873070202-0
Opcode ID: 70191fa6836fdafb57104e111b8a7935eeed2895e1063ba23672f8cdbd43fc7a
Instruction ID: 4ac736543709576056d6269f6c5fa400757dff2b3f339a817cd682701e0fb5c0
Opcode Fuzzy Hash: 70191fa6836fdafb57104e111b8a7935eeed2895e1063ba23672f8cdbd43fc7a
Instruction Fuzzy Hash: 46313871E00248EFEF10EFE8D894AEDBBB8FF08755F24445DE505A7290D6306A44CBA1

Function 04D79713 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D79740
GetDC.USER32(00000000), ref: 04D79747
GetTextExtentPoint32W.GDI32(00000000,?,?,04D7981D), ref: 04D7974E
GetDesktopWindow.USER32 ref: 04D7976E
SetWindowTextW.USER32(00000000), ref: 04D79775
GetDesktopWindow.USER32 ref: 04D797EB
SetDlgItemInt.USER32(00000000,?,?,04D7981D), ref: 04D797F2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$Text$ExtentItemPoint32
String ID:
API String ID: 1801697257-0
Opcode ID: c95715751512b42b4bc76c1178868aed25f9063d01ab32c05094c8e9d3a92bc6
Instruction ID: 0186f356663170b1b3916e8a3c140ecb052d0a9b30a1d362f02741976e7cf656
Opcode Fuzzy Hash: c95715751512b42b4bc76c1178868aed25f9063d01ab32c05094c8e9d3a92bc6
Instruction Fuzzy Hash: 203182B5E01209EFDB40CFA9D894AEDBBF4BB09751F144596F955E7340E734AA008F60

Function 04D96E25 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D96E48
GetDC.USER32(00000000), ref: 04D96E4F
SetViewportExtEx.GDI32(00000000,?,04D96BDB,00003BF0), ref: 04D96E56
GetDesktopWindow.USER32 ref: 04D96E6F
GetDC.USER32(00000000), ref: 04D96E76
GetTextExtentPointW.GDI32(00000000,?,04D96BDB,00003BF0), ref: 04D96E7D
GetSysColorBrush.USER32(0000196A), ref: 04D96E90

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$BrushColorExtentPointTextViewport
String ID:
API String ID: 3221472952-0
Opcode ID: 288b26670c5059c6faa47e1df305f22cc0049405237abc6b06451c5fdb5ddc20
Instruction ID: 938f9f2bad5cd0e8e487482f810c0469d11ab26086dff941cbc1fc5f1411c4fe
Opcode Fuzzy Hash: 288b26670c5059c6faa47e1df305f22cc0049405237abc6b06451c5fdb5ddc20
Instruction Fuzzy Hash: 6D012D71544245EFEF159FA4E81DB9A3BE8BB05701F184884F1199B6E1C3B8E850CB91

Function 04D85CC2 Relevance: 9.4, APIs: 6, Instructions: 412COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D85CC7
GetDesktopWindow.USER32 ref: 04D85F4F
SetDlgItemInt.USER32(00000000), ref: 04D85F56

Part of subcall function 04D8621B: GetDesktopWindow.USER32 ref: 04D86246
Part of subcall function 04D8621B: SetWindowTextW.USER32(00000000), ref: 04D8624D

GetDesktopWindow.USER32 ref: 04D861E4
GetDC.USER32(00000000), ref: 04D861EB
SetViewportExtEx.GDI32(00000000), ref: 04D861F2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$H_prologItemTextViewport
String ID:
API String ID: 2267899263-0
Opcode ID: 3034632af4e6e98d01d46a2c75624c0ede78e795aefb4cd3bbfa635e94a660a2
Instruction ID: b5b92843b153438e02af91d857c689c3ef4bafc7f55f8bbf7f2e75a0751bef98
Opcode Fuzzy Hash: 3034632af4e6e98d01d46a2c75624c0ede78e795aefb4cd3bbfa635e94a660a2
Instruction Fuzzy Hash: 8EF15FB0E40209BEEB10EF94DC95FFEBBB8FB00758F10409DE5556A181EB75AA44CB61

Function 04D876E5 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D876EA
GetDesktopWindow.USER32 ref: 04D8771C
SetDlgItemInt.USER32(00000000), ref: 04D87723
GetDesktopWindow.USER32 ref: 04D87745
GetDC.USER32(00000000), ref: 04D8774C
SetViewportExtEx.GDI32(00000000), ref: 04D87753

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 4e5fdc234d8c4833b6d77b62cd6045c9e4a40baa3d14051fc801446a38cfacd9
Instruction ID: aae128d1739370bb13b64839afff16faa43131a81f61fbe19f7b3ad473594d46
Opcode Fuzzy Hash: 4e5fdc234d8c4833b6d77b62cd6045c9e4a40baa3d14051fc801446a38cfacd9
Instruction Fuzzy Hash: 7C31AD71E41258EBDB10EFA8D895AEDBBB9FF08704F24815DE505AB280C7346A44CBA0

Function 04D868D3 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D868D8
GetDesktopWindow.USER32 ref: 04D8690B
SetDlgItemInt.USER32(00000000), ref: 04D86912
GetDesktopWindow.USER32 ref: 04D86934
GetDC.USER32(00000000), ref: 04D8693B
SetViewportExtEx.GDI32(00000000), ref: 04D86942

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: ceef0f537a9a5d6e05387e4534faf20d09201aaef899afc8caed7ae4f567fae1
Instruction ID: c4f9a715d3d51822101e55be01a47fe02246c9a6cbcc9e50a1386b4f54fb793c
Opcode Fuzzy Hash: ceef0f537a9a5d6e05387e4534faf20d09201aaef899afc8caed7ae4f567fae1
Instruction Fuzzy Hash: 6831C172E00258EBDB21FF94C9559FEBB78EB46764F00419DE9097B280D634AE00CBA0

Function 04D873D2 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D873D7
GetDesktopWindow.USER32 ref: 04D87409
SetDlgItemInt.USER32(00000000), ref: 04D87410
GetDesktopWindow.USER32 ref: 04D87432
GetDC.USER32(00000000), ref: 04D87439
SetViewportExtEx.GDI32(00000000), ref: 04D87440

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 584bef183b4ce32e0b546ace3803e2712583c18321ddbb4d0104545bad388d92
Instruction ID: 0f6655a11f042b62b3ba505f5278576f0a6272fc70c3f263765f38f7192a551a
Opcode Fuzzy Hash: 584bef183b4ce32e0b546ace3803e2712583c18321ddbb4d0104545bad388d92
Instruction Fuzzy Hash: 6A31AF70E42248EFEF00DFA8D895AEDBBBAFF05344F24815DE5056B280C7755A04CBA1

Function 04D874D6 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D874DB
GetDesktopWindow.USER32 ref: 04D8750D
SetDlgItemInt.USER32(00000000), ref: 04D87514
GetDesktopWindow.USER32 ref: 04D87536
GetDC.USER32(00000000), ref: 04D8753D
SetViewportExtEx.GDI32(00000000), ref: 04D87544

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: 7cb9f2596c7aae763c5e8408f54ab66829bdf3133f986f64f1fa712cbcd5dd5b
Instruction ID: c30f3f958b97bfe2cbe9449ed78c51518aed6e8651b8cc524ec84a238cfee6ec
Opcode Fuzzy Hash: 7cb9f2596c7aae763c5e8408f54ab66829bdf3133f986f64f1fa712cbcd5dd5b
Instruction Fuzzy Hash: 95314FB1E01248EFEF00EFA8D8A5AEDBBB9FB04345F24815DE5056B280D7755A04CBA1

Function 04D848BF Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D848C4
GetDesktopWindow.USER32 ref: 04D848F3
SetDlgItemInt.USER32(00000000), ref: 04D848FA
GetDesktopWindow.USER32 ref: 04D8491C
GetDC.USER32(00000000), ref: 04D84923
SetViewportExtEx.GDI32(00000000), ref: 04D8492A

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$H_prologItemViewport
String ID:
API String ID: 582183558-0
Opcode ID: bcbebbcfa8abb5d67d8484f30015d9d366d41164fe367cbbeff198f745f5ffca
Instruction ID: fb3b61e6dbb5057dceade1a5cbe76f1fd023c1a5fdc52672bcac249947e277f8
Opcode Fuzzy Hash: bcbebbcfa8abb5d67d8484f30015d9d366d41164fe367cbbeff198f745f5ffca
Instruction Fuzzy Hash: 3C217C71E0025AEBDB20FFE4D8A4AEDBB78FF01744F04815CE5556B290EA346A04CBA1

Function 04DA857E Relevance: 9.0, APIs: 6, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegUnLoadKeyW.ADVAPI32(00000000,00000000,?,04DA8104,?,00000001,000073CF,?), ref: 04DA8599
GetDesktopWindow.USER32 ref: 04DA85AD
SetWindowTextW.USER32(00000000), ref: 04DA85B4
GetDesktopWindow.USER32 ref: 04DA85CE
GetDC.USER32(00000000), ref: 04DA85D5
SetViewportExtEx.GDI32(00000000,?,04DA8104,?), ref: 04DA85DC

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$LoadTextViewport
String ID:
API String ID: 145119710-0
Opcode ID: 0a6197c6f04444d008d3331017e1a9b413dc7947cd6d39ecb49aa268e3deff0a
Instruction ID: 4fa4fb7579f18b5f401d23820aa528b66726fa01b2668e3c925ae88d6305884c
Opcode Fuzzy Hash: 0a6197c6f04444d008d3331017e1a9b413dc7947cd6d39ecb49aa268e3deff0a
Instruction Fuzzy Hash: 92016270544348EFEB129FA4EC1DBD93B98BB05715F080445FD4D977D1C27899A0DB91

Function 04D911E9 Relevance: 9.0, APIs: 6, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D911FA
GetDC.USER32(00000000), ref: 04D91201
DrawFocusRect.USER32(00000000), ref: 04D91208
GetDesktopWindow.USER32 ref: 04D91221
GetDC.USER32(00000000), ref: 04D91228
GetTextExtentPointW.GDI32(00000000,?,04D91063,00000000), ref: 04D9122F

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$DrawExtentFocusPointRectText
String ID:
API String ID: 3079162497-0
Opcode ID: c5d2681e1b5c8336ddf8c6d8519d6b0c6966cfb1c1b3bd010e5713d60bd7eedf
Instruction ID: e90c082868220b7f49eed655600fa3d4e24083d8b42a47df2d7c4b3ddab45b6d
Opcode Fuzzy Hash: c5d2681e1b5c8336ddf8c6d8519d6b0c6966cfb1c1b3bd010e5713d60bd7eedf
Instruction Fuzzy Hash: B2F03071648244EBFF156BE0A81EB9D3BDCEB05751F180844F20DC67C0877968508B91

Function 04D84CB5 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D84CBA
__floor_pentium4.LIBCMT ref: 04D84DA4

Strings

false, xrefs: 04D84D0B
null, xrefs: 04D84CDD, 04D84CE2, 04D84CED
true, xrefs: 04D84D10, 04D84D18, 04D84D23

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog__floor_pentium4
String ID: false$null$true
API String ID: 2354235884-2913297407
Opcode ID: 888b40f7059f668eb17cff3fb5a854345a7147341f934b9b21c72dd2f4f229da
Instruction ID: 55ad254e2d1540bb9b1048710a1a43a75df4afda75668a4c3edcbda5cefc3898
Opcode Fuzzy Hash: 888b40f7059f668eb17cff3fb5a854345a7147341f934b9b21c72dd2f4f229da
Instruction Fuzzy Hash: E481B071A04109FFEF15EFA4D894AEEBBB8EF15324F14420EE415A7180EB70AA45CB60

Function 04D96B29 Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D96DEC
SetWindowTextW.USER32(00000000), ref: 04D96DF3

Part of subcall function 04D96E25: GetDesktopWindow.USER32 ref: 04D96E48
Part of subcall function 04D96E25: GetDC.USER32(00000000), ref: 04D96E4F
Part of subcall function 04D96E25: SetViewportExtEx.GDI32(00000000,?,04D96BDB,00003BF0), ref: 04D96E56

Part of subcall function 04D96B29: FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D96CD4

GetDesktopWindow.USER32 ref: 04D96E11
SetDlgItemInt.USER32(00000000), ref: 04D96E18

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$FormatItemMessageTextViewport
String ID:
API String ID: 424236427-0
Opcode ID: 2e00efd2d71d773daafc8018b30c6824ef731c9cedc25f25aeb0916741895e4b
Instruction ID: 3e365252bb52cc903fa332134756235acb40b6b88cd2940772dec5c121272e76
Opcode Fuzzy Hash: 2e00efd2d71d773daafc8018b30c6824ef731c9cedc25f25aeb0916741895e4b
Instruction Fuzzy Hash: F6917F70E44249FFEF119F94C891AEDBBB4FB05708F148099F955AB2C1E3B5AA40CB61

Function 04DB61FF Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04DB620B

Part of subcall function 04DAC44C: __FF_MSGBANNER.LIBCMT ref: 04DAC463
Part of subcall function 04DAC44C: __NMSG_WRITE.LIBCMT ref: 04DAC46A
Part of subcall function 04DAC44C: RtlAllocateHeap.NTDLL(030F0000,00000000,00000001,00000001,04D918DB,04D918DB,?,04DABDB1,00000001,00000000,00000003,00000000,?,04DABCEB,04DA887B,?), ref: 04DAC48F

_free.LIBCMT ref: 04DB621E

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 033fb0873780a97a1e384f572a7bbd9c16d9243ae2d5754814767f5b6233c0c8
Instruction ID: 42f0d5e8a4406698a1466d171845f1e36b4f572da04b46e1e268840fc8778a6b
Opcode Fuzzy Hash: 033fb0873780a97a1e384f572a7bbd9c16d9243ae2d5754814767f5b6233c0c8
Instruction Fuzzy Hash: 9011A732604215EEFF252F74AC04BA93B98FF44264B144526F9869A280DE75F8518AE2

Function 04D891BE Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D89120
SetDlgItemInt.USER32(00000000), ref: 04D89127
GetDesktopWindow.USER32 ref: 04D89149
GetDC.USER32(00000000), ref: 04D89150
SetViewportExtEx.GDI32(00000000), ref: 04D89157

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ItemViewport
String ID:
API String ID: 1989583774-0
Opcode ID: 678ff1571be38a2d12e0701135d02696d77e62ee8faf7fd3841a0dadc9aa266c
Instruction ID: e863d39efafc1af486f6eae8d51904cf043e22658f1157cb966fa5c558f83cda
Opcode Fuzzy Hash: 678ff1571be38a2d12e0701135d02696d77e62ee8faf7fd3841a0dadc9aa266c
Instruction Fuzzy Hash: 14115EB4A48344FFCB00EF9498AC9BDBBB8FB01341B0484DCE6895B351D6759A44DB91

Function 04D93C46 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00002292,?,04D93D1B,00004322,00000000,00002A47,00000000,00000000,00000001,00003654,?,04D93A0E,00000BFB,00000000,?,00000000), ref: 04D93C62
GetDesktopWindow.USER32 ref: 04D93CAB
GetDC.USER32(00000000), ref: 04D93CB2
SetViewportExtEx.GDI32(00000000,?,04D93D1B,00004322), ref: 04D93CB9

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopErrorLastViewportWindow
String ID:
API String ID: 3126713311-0
Opcode ID: cc9f9a55a50d61954e723bbfcb0d124e0d4eadb1ae47883c34b7480b9f9fe515
Instruction ID: 74b5fb7a7baac8fe2ea8010dbff5ee07dae158d367fdf64bd993b86c4f006599
Opcode Fuzzy Hash: cc9f9a55a50d61954e723bbfcb0d124e0d4eadb1ae47883c34b7480b9f9fe515
Instruction Fuzzy Hash: BE018075200645EFEF116F98D81CBD93BE8FB4A306F084480F9499B391C378ACA1CB91

Function 04D8D3D4 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D8D3EF
SetDlgItemInt.USER32(00000000,?,04D8CE40,00000000), ref: 04D8D3F6
GetDesktopWindow.USER32 ref: 04D8D40F
GetDC.USER32(00000000), ref: 04D8D416
GetTextExtentPointW.GDI32(00000000,?,04D8CE40,00000000), ref: 04D8D41D

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ExtentItemPointText
String ID:
API String ID: 4061458486-0
Opcode ID: f3e03a2ad856c0e74aa23c68a2ff95c31d0357e11303bc146b394330cbce641e
Instruction ID: be8d46d3ebcfcc246c1945838049f4395ac3864e5f95ed41d43bf34a5d22179f
Opcode Fuzzy Hash: f3e03a2ad856c0e74aa23c68a2ff95c31d0357e11303bc146b394330cbce641e
Instruction Fuzzy Hash: 08F01DB1680348FBEB126BE4AC0EBE93B9AEB04B41F184444F6095A6D1C6B965508B91

Function 04D8E1AC Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D8E1D7
SetDlgItemInt.USER32(00000000), ref: 04D8E1DE
GetDesktopWindow.USER32 ref: 04D8E200
GetDC.USER32(00000000), ref: 04D8E207
SetViewportExtEx.GDI32(00000000), ref: 04D8E20E

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopWindow$ItemViewport
String ID:
API String ID: 1989583774-0
Opcode ID: 1be64608983851703ab681411dad9fc649908cbdc38375b2c8468ef7581e95e3
Instruction ID: b2e6cc3f30d5e83f95fc75f03de221ff6903cc5052308070c2b445086d1f14e0
Opcode Fuzzy Hash: 1be64608983851703ab681411dad9fc649908cbdc38375b2c8468ef7581e95e3
Instruction Fuzzy Hash: 43F04FB0D88344FBDB10AFF0580DAADBBB8AB01701F088499F145EB382D5395648CFA2

Function 04D81E98 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D81ED5
GetDC.USER32(00000000), ref: 04D81EDC
SetViewportExtEx.GDI32(00000000,?,04D81ACD,00001163), ref: 04D81EE3

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopViewportWindow
String ID:
API String ID: 1263604042-0
Opcode ID: 8a9058c97c9bd83fef4bd5e2612e768cdddc9405ba04d8e6986c905effbd20d7
Instruction ID: ada0df86792fe6fa034b5d72be63254e06de447b1b725a75889dde0ec09f1b63
Opcode Fuzzy Hash: 8a9058c97c9bd83fef4bd5e2612e768cdddc9405ba04d8e6986c905effbd20d7
Instruction Fuzzy Hash: 39F0B471540245FBEF126FE4AC1DFEE3B68FB04702F080444F60A4A2D0CA7995A4CBA1

Function 04D92EEC Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D92EF1
GetDesktopWindow.USER32 ref: 04D93245
SetWindowLongW.USER32(00000000), ref: 04D9324C

Strings

x(, xrefs: 04D9319B

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$DesktopH_prologLong
String ID: x(
API String ID: 1792819551-2475313659
Opcode ID: dcf8130f8aa0b323e7f27cb429a17f844a456b2d8da6d5de3a3979b9581358d8
Instruction ID: cb1cd72706a82610c521964b2d63dfc1c2a9655331139f117c1b6a40e0540959
Opcode Fuzzy Hash: dcf8130f8aa0b323e7f27cb429a17f844a456b2d8da6d5de3a3979b9581358d8
Instruction Fuzzy Hash: ABC14C74A40249EFEF11DF98C8859EEBBB8FF49308F504059ED04AB281D771AE54CBA1

Function 04D8F608 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8F60D
std::_Xinvalid_argument.LIBCPMT ref: 04D8F660

Part of subcall function 04DA8863: std::exception::exception.LIBCMT ref: 04DA8876
Part of subcall function 04DA8863: __CxxThrowException@8.LIBCMT ref: 04DA888B

_Allocate.LIBCPMT ref: 04D8F676

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D8F65B

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateException@8H_prologThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 1962182295-3797114014
Opcode ID: 90ec3796fbb72cb738c1a927282aa6729ac5f947c3bb698fd59d4958b0516eec
Instruction ID: a06d09db969bc391e79cd7d32d5640bbc1b306f9fa52c3009fda66e5b6186a8a
Opcode Fuzzy Hash: 90ec3796fbb72cb738c1a927282aa6729ac5f947c3bb698fd59d4958b0516eec
Instruction Fuzzy Hash: 6E515EB2600109EFDF15DF68CD85AAA7BB9FF89214B04866DF8169B254E730E914CB60

Function 04D831E8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D831ED

Strings

false, xrefs: 04D83295
null, xrefs: 04D83269
true, xrefs: 04D83222

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: false$null$true
API String ID: 3519838083-2913297407
Opcode ID: 73ce13f2e433c592e64b8310613967c82a6e1ed38bef7c2da4c65456417ac644
Instruction ID: b14ce94224ae32ec41a21dadda4e8af74e7de1aab62d8f5b50e9034c90ce43e7
Opcode Fuzzy Hash: 73ce13f2e433c592e64b8310613967c82a6e1ed38bef7c2da4c65456417ac644
Instruction Fuzzy Hash: 8021C470781308AAEF24FB649851FBD7392AB00F08F44491DED4EAB6C1EBA3F50545A5

Function 04D84703 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D84767
std::_Xinvalid_argument.LIBCPMT ref: 04D847A9

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D8479A
DwKoYBuJCEyytDi, xrefs: 04D847A4

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: 8bcd0ea46705fad7d218b16787431feea80bee35fef36ec7db7e98a0d0030b62
Instruction ID: 21738e59db3a30d8992563b91508820532d545172d44589b15cc9263d2fdbfbb
Opcode Fuzzy Hash: 8bcd0ea46705fad7d218b16787431feea80bee35fef36ec7db7e98a0d0030b62
Instruction Fuzzy Hash: 0721C7353002059BD724EE68DC80DBABBEDEF42714710092DE5568B641E771F941C7E0

Function 04D7438B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D743EF
std::_Xinvalid_argument.LIBCPMT ref: 04D74431

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D74422
DwKoYBuJCEyytDi, xrefs: 04D7442C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: cca59db1669c5e31a718079cf35ddc8c62c3d89838bb0a1647067b800b8892fd
Instruction ID: d51ad7997e94864bf2d52ea8d5d31a234c1fe6b8986fcf6bf011ed39db0f848a
Opcode Fuzzy Hash: cca59db1669c5e31a718079cf35ddc8c62c3d89838bb0a1647067b800b8892fd
Instruction Fuzzy Hash: EB11E9317403049BDB35DE68DC8095BB7EAFF41718B100A2DE4968B681EBB1F445DBA1

Function 04D77EFE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04D77F66
std::_Xinvalid_argument.LIBCPMT ref: 04D77F9E

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D77F8F
DwKoYBuJCEyytDi, xrefs: 04D77F99

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 256744135-141594409
Opcode ID: f6994770d76868b3441fc8eb51ab556846c69c362d38439961ee280d540d781b
Instruction ID: 075401fae672d2a555150ee9d21fa2d097fb40f26683e4df4acd7a4563b713dc
Opcode Fuzzy Hash: f6994770d76868b3441fc8eb51ab556846c69c362d38439961ee280d540d781b
Instruction Fuzzy Hash: 38117C313003159FDB24DF69D980AAAF7AAFF40754B140D2EF856CB281D770F844CAA5

Function 04D81268 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D8126D

Part of subcall function 04D80F96: __EH_prolog.LIBCMT ref: 04D80F9B
Part of subcall function 04D80F96: char_traits.LIBCPMT ref: 04D810B7

char_traits.LIBCPMT ref: 04D8129D
char_traits.LIBCPMT ref: 04D812B7

Strings

. , xrefs: 04D81297, 04D8129C, 04D812A5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: char_traits$H_prolog
String ID: .
API String ID: 3393116018-3640953465
Opcode ID: a53d638fa375bc45a301bc220b414bd201226b580c45b728d75c0ad47aa17375
Instruction ID: 5095e76e95830e1a91b9df9ff36e1cbbbb6afbe6bbc0d35df5a5bdc22ce81068
Opcode Fuzzy Hash: a53d638fa375bc45a301bc220b414bd201226b580c45b728d75c0ad47aa17375
Instruction Fuzzy Hash: E50196B2E001099FAF10BEA8D882AFEF778EB41138F50065FE455F3680D6307D4685B5

Function 04D8CC54 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D8CC77
GetDC.USER32(00000000), ref: 04D8CC7E
SetViewportExtEx.GDI32(00000000,?,04D8D459,000058F1), ref: 04D8CC85

Strings

un2l, xrefs: 04D8CC54

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopViewportWindow
String ID: un2l
API String ID: 1263604042-2526548122
Opcode ID: c2f7820b5b1c65e0542204a5752455444eaaa96eca0142a0f3dfb9bb50fc2d28
Instruction ID: 6f6955b8b2b540430ac2051e2dce3f4c5b4243bcd3f460ce6c822199c8893a89
Opcode Fuzzy Hash: c2f7820b5b1c65e0542204a5752455444eaaa96eca0142a0f3dfb9bb50fc2d28
Instruction Fuzzy Hash: AFF05EB1650649FBEF116EA4AC09BEA3BA9AB05B05F080044F6094A6D1C7B5A4A0D7E1

Function 04DAE1E8 Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 04DAE279
_memmove.LIBCMT ref: 04DAE2ED
___AdjustPointer.LIBCMT ref: 04DAE33E
_memmove.LIBCMT ref: 04DAE347

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 06467994120b788b9b021a513f29278f4560cae34afaf8a3d4e79100c12233a0
Instruction ID: 62cc5a8723f0c57b86d6a1f533a0b8772791386a7976b8532db32edbd01a537d
Opcode Fuzzy Hash: 06467994120b788b9b021a513f29278f4560cae34afaf8a3d4e79100c12233a0
Instruction Fuzzy Hash: F241C635784303AFFF386E69E890BA933E4EF05319F24451DE845861D0EB35F4A0D661

Function 04DA07C6 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04DA086F
GetDesktopWindow.USER32 ref: 04DA0971
GetDC.USER32(00000000), ref: 04DA0978
SetViewportExtEx.GDI32(00000000), ref: 04DA097F

Part of subcall function 04DA468E: GetDesktopWindow.USER32 ref: 04DA4690
Part of subcall function 04DA468E: SetWindowTextW.USER32(00000000), ref: 04DA4697

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$Desktop$TextViewport_memset
String ID:
API String ID: 89821065-0
Opcode ID: dec36ad28fd9700b14eb685c79e43d1b8bd8c978587b604cc8a0cdc366027887
Instruction ID: e4e4dd72a21ebd94a41fdc710075bf107363f5ed6355fef296e08f04c45874ac
Opcode Fuzzy Hash: dec36ad28fd9700b14eb685c79e43d1b8bd8c978587b604cc8a0cdc366027887
Instruction Fuzzy Hash: C9516AB5D4024DEFEB01EFE4C8858EEBB78FF05318F14856AD95167240D734AA58CBA1

Function 04D86AAF Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D86AB4
GetDesktopWindow.USER32 ref: 04D86BB3
GetDC.USER32(00000000), ref: 04D86BBA
GetTextExtentPointW.GDI32(00000000), ref: 04D86BC1

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPointTextWindow
String ID:
API String ID: 170700240-0
Opcode ID: 640664ebbe9fb32d6df429ddb9df7496d03f95dd8cd6863ebb4e4677a5466cae
Instruction ID: b4a66db05958e38a062e4f640fa1d9f36963ab0e3f98a38251d341182de0a985
Opcode Fuzzy Hash: 640664ebbe9fb32d6df429ddb9df7496d03f95dd8cd6863ebb4e4677a5466cae
Instruction Fuzzy Hash: E0416AB0A44249EFEB10AF95D851AFE7B74FB04728F10C51DFA696A280D374E610CF91

Function 04DBB800 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 04DBB836
__isleadbyte_l.LIBCMT ref: 04DBB864
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000002,00000000,?,00000000,00000000,?,00005234), ref: 04DBB892
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000002,00000000,?,00000000,00000000,?,00005234), ref: 04DBB8C8

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8609ff5cd1f73c42619024d2a0bbaf6c9ac3f7510ec0ce3ff9b751c45cbec515
Instruction ID: 7d5e7785a04ec4c014c00403cc203a80081a9678ec9de392a276358f40cfa59c
Opcode Fuzzy Hash: 8609ff5cd1f73c42619024d2a0bbaf6c9ac3f7510ec0ce3ff9b751c45cbec515
Instruction Fuzzy Hash: 6B31C138A00246EFDB258E75C844BFA7BA5FF41310F15452AE4E68B590E730F850DBE0

Function 04DA30CE Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04DA3118
_memmove.LIBCMT ref: 04DA3136
_memset.LIBCMT ref: 04DA315B
_memmove.LIBCMT ref: 04DA3195

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: 83208bb365ac6273134597c007199f908af698a054711ead73dd72d1acbf0f5e
Instruction ID: deece7134aabd11ea6504eacc2529750364e0c039424d0d5b6680e6e6032c16f
Opcode Fuzzy Hash: 83208bb365ac6273134597c007199f908af698a054711ead73dd72d1acbf0f5e
Instruction Fuzzy Hash: E821A8726003056BDF189F19DC89E5B37AAFF40324F044469FC19DB245E634F925CBA4

Function 04DA437E Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 04DA43C8
_memmove.LIBCMT ref: 04DA43E6
_memset.LIBCMT ref: 04DA440B
_memmove.LIBCMT ref: 04DA4445

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: _memmove$_memset
String ID:
API String ID: 1357608183-0
Opcode ID: d0a66a7d6acb7acb60fa4a8b92752cbd559b609400514f1492ace66b6d358352
Instruction ID: 7918432ceb2041309195a30cc3076c6bfd18fbdeee9a0b44688117571fbeba81
Opcode Fuzzy Hash: d0a66a7d6acb7acb60fa4a8b92752cbd559b609400514f1492ace66b6d358352
Instruction Fuzzy Hash: 1821E7B26002056BEF109F18CC85EAA37A9FF44728F154569FD19DB246E6F4F920CBD4

Function 04D82B88 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D82B8D
GetDesktopWindow.USER32 ref: 04D82C76
GetDC.USER32(00000000), ref: 04D82C7D
GetTextExtentPointW.GDI32(00000000,?,04D8F486), ref: 04D82C84

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPointTextWindow
String ID:
API String ID: 170700240-0
Opcode ID: 9f5d21806b915e87e25fc80fcc0a6e9355a3d270925b2aa8768844b5ffe6b580
Instruction ID: 527793e344efa66b5ae87e487e7969a06c100c13030521276195233effad5273
Opcode Fuzzy Hash: 9f5d21806b915e87e25fc80fcc0a6e9355a3d270925b2aa8768844b5ffe6b580
Instruction Fuzzy Hash: 6B316BB4E0521AEFDB10EF94DC84AFEBBB4FF08705F50095EE95666280D3706A40CBA0

Function 04D8FF98 Relevance: 6.1, APIs: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04D8FDB5: _memmove.LIBCMT ref: 04D8FDEF

GetSysColorBrush.USER32(0000196A), ref: 04D90002
GetDesktopWindow.USER32 ref: 04D90016
SetWindowTextW.USER32(00000000), ref: 04D9001D
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D90042

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText_memmove
String ID:
API String ID: 3230339316-0
Opcode ID: 8361af50945d4b8400e38457fa78b61e859c30af8c813e38d6f003f0d6030922
Instruction ID: 7da7a1fae3daf8967f05446d64bf121a02b54f19cddaeb851752a6280430290f
Opcode Fuzzy Hash: 8361af50945d4b8400e38457fa78b61e859c30af8c813e38d6f003f0d6030922
Instruction Fuzzy Hash: 543158B4604248FFEB01DF14D8949AD7BA4EB05369F14C11EFC689F381D236AA84DB60

Function 04D8873C Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D8878C
GetDesktopWindow.USER32 ref: 04D887A3
SetWindowTextW.USER32(00000000), ref: 04D887AA
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 04D887D2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 292cb94f8a7c4f8a5c8f3aeb6d13fbeb06628a78c74a0dc30affbc74973b73e7
Instruction ID: eb199d00b6142f5d634560438980746df7c93ed9c3132c45a23bc7ec6e3c36a9
Opcode Fuzzy Hash: 292cb94f8a7c4f8a5c8f3aeb6d13fbeb06628a78c74a0dc30affbc74973b73e7
Instruction Fuzzy Hash: 3B315674E04308FFEB10EF9AD8886BDBBB5FB84305F94C1A9E46466281D3752685EB10

Function 04D9BABF Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D9BAC4
GetDesktopWindow.USER32 ref: 04D9BAFE
GetDC.USER32(00000000), ref: 04D9BB05
GetTextExtentPoint32W.GDI32(00000000), ref: 04D9BB0C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentH_prologPoint32TextWindow
String ID:
API String ID: 4235267150-0
Opcode ID: 97a4a68b3f210c42b4d9e5ba559917d0774d6207627e0ffa3ce2a8be599ee9fb
Instruction ID: cf1ac08e552e0e8f03f8291b07e836921aade1f23998aef732b63986f3f9f763
Opcode Fuzzy Hash: 97a4a68b3f210c42b4d9e5ba559917d0774d6207627e0ffa3ce2a8be599ee9fb
Instruction Fuzzy Hash: 8521AC71A00148BBEF10EFA4DC59EEF7BB8EF85708F00414AF505A7290DA75AE14CBA1

Function 04D88669 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D886B6
GetDesktopWindow.USER32 ref: 04D886CA
SetWindowTextW.USER32(00000000), ref: 04D886D1
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,00000000), ref: 04D886F6

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: a64988ca9c8bc53ba9b3c69337cddfe634b66f3228c292d0bf810e27018df733
Instruction ID: d711bb1422d7d20d084385ba7a852a71fe72d2017ddf3761d16f817b5872810f
Opcode Fuzzy Hash: a64988ca9c8bc53ba9b3c69337cddfe634b66f3228c292d0bf810e27018df733
Instruction Fuzzy Hash: B82144B4D44348FEEB00EFA8C8995ADBFB4FB00315F948999E450A6381D2365685DB50

Function 04D8E23E Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D8E28B
GetDesktopWindow.USER32 ref: 04D8E29F
SetWindowTextW.USER32(00000000), ref: 04D8E2A6
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D8E2CB

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: 038a60011d780afdfcdd596a3b69c05312d4c2a2337e6aeac40f9903a98b05cd
Instruction ID: fa8797355d9d6f92677eba62a97d17992a854ce89be9fd0bec6d183c6607bf59
Opcode Fuzzy Hash: 038a60011d780afdfcdd596a3b69c05312d4c2a2337e6aeac40f9903a98b05cd
Instruction Fuzzy Hash: 9A2122B0E4934CFEEB10EFD88499AADBFB4EB05305F508299E560A6382C2356685CF50

Function 04D7BB5E Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D7BBD0
SetWindowLongW.USER32(00000000), ref: 04D7BBD7
SetLastError.KERNEL32(00002292), ref: 04D7BC00
GetUserDefaultUILanguage.KERNEL32 ref: 04D7BC08

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$DefaultDesktopErrorLanguageLastLongUser
String ID:
API String ID: 1756640285-0
Opcode ID: 1d1d31bd3fea092bd284f232e8a377431e4e135a6baceee089a0832215659b40
Instruction ID: 43a73139a490417c190913f0b7b71f1d375c31f071fd258d3b27f6d970a21b9f
Opcode Fuzzy Hash: 1d1d31bd3fea092bd284f232e8a377431e4e135a6baceee089a0832215659b40
Instruction Fuzzy Hash: 38217FB4E04259DFDB40CFA9C994AEDBBF4BB09600F1440AAE855E7340E735AA00CF61

Function 04D7F97D Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04D7F9BF
GetDC.USER32(00000000), ref: 04D7F9C6
DrawFocusRect.USER32(00000000), ref: 04D7F9CD
GetSysColorBrush.USER32(0000196A), ref: 04D7F9F0

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: BrushColorDesktopDrawFocusRectWindow
String ID:
API String ID: 2851196967-0
Opcode ID: edd6567f8eb97178959b71376a7abf5848481eec1d73c924bdd6a5c3da907487
Instruction ID: c6457dd6825f7101492d7d0e74f0af40e9138480fee4a3dea78207d9aa2b682c
Opcode Fuzzy Hash: edd6567f8eb97178959b71376a7abf5848481eec1d73c924bdd6a5c3da907487
Instruction Fuzzy Hash: 3E21F7B0E00209EFDB50CFA9C845AAEBBF4FB09740F14405AF954E7381E734EA109BA1

Function 04D7B9C7 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000000), ref: 04D7BA0D
GetDesktopWindow.USER32 ref: 04D7BA34
GetDC.USER32(00000000), ref: 04D7BA3B
GetTextExtentPointW.GDI32(00000000,?,04D7BFFD,00000718), ref: 04D7BA42

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentLookupPointPrivilegeTextValueWindow
String ID:
API String ID: 2870449056-0
Opcode ID: 97098f63073b151af5f812a51745fecfe5d7150d86d446579c419688f7a79f7d
Instruction ID: 5e7dd4c1d823ae6951c58cad19ee82294acecd14be208413edd0cb536e173766
Opcode Fuzzy Hash: 97098f63073b151af5f812a51745fecfe5d7150d86d446579c419688f7a79f7d
Instruction Fuzzy Hash: 4511C670E04209EFDB50DFA9D845BAEBBF4FB08711F144456F955E7381E674EA008BA0

Function 04DAFF0E Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04DAFF32

Part of subcall function 04DB0619: __fltout2.LIBCMT ref: 04DB0642

__cftog_l.LIBCMT ref: 04DAFF58
__cftoe_l.LIBCMT ref: 04DAFF8A

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8a1be8cddb6a3788cfbdc845b4593f5d56e3112413fb936adda96c58ce43824d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 6001893200414EFFCF125F84CC01CEE3F22BB1A344B08899AFA5898171D736E5B6AB91

Function 04DADB2C Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04DADB43

Part of subcall function 04DAE15A: ___AdjustPointer.LIBCMT ref: 04DAE1A3

_UnwindNestedFrames.LIBCMT ref: 04DADB5A
___FrameUnwindToState.LIBCMT ref: 04DADB6C
CallCatchBlock.LIBCMT ref: 04DADB90

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8b30573c538f3b1fc18e63ca7426e9ddefb9c98fc61009f8d964c6abd2916d26
Instruction ID: 73fea17b4a2afff0b0cbc2f5cb7bff2e4b353a9fac50ad4229718060cb683eb0
Opcode Fuzzy Hash: 8b30573c538f3b1fc18e63ca7426e9ddefb9c98fc61009f8d964c6abd2916d26
Instruction Fuzzy Hash: 89011032100108BBDF12AF55CC04EEA7BBAFF89758F058414FA1866520D332F9B1EBA0

Function 04D9B42F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D9B434
GetDesktopWindow.USER32 ref: 04D9B497
GetDC.USER32(00000000), ref: 04D9B49E
GetTextExtentPoint32W.GDI32(00000000,?,04D9A53B,?), ref: 04D9B4A5

Part of subcall function 04D9B820: __EH_prolog.LIBCMT ref: 04D9B825

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog$DesktopExtentPoint32TextWindow
String ID:
API String ID: 2853833731-0
Opcode ID: a20bb41d087de1aff95c4f8350573c455e3edca3be4fa71ae379e4c1cc389932
Instruction ID: fb9f831a7680f7205b0faaa67d90f03dff6deed9aadcd3a4ecfcca331c453734
Opcode Fuzzy Hash: a20bb41d087de1aff95c4f8350573c455e3edca3be4fa71ae379e4c1cc389932
Instruction Fuzzy Hash: 70115E30A00109EBEF05EFA0E959BEC7BB4FF0070CF108149E50666281DB786A14DBA1

Function 04D93353 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000000), ref: 04D933A3

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 97e90c32b27cdc6a0893ccacd1ff84ec07de06be73ad9254ce9e66c3f14777c2
Instruction ID: 7e71e0574cb81261db55cb61a34d5f70b454cc57a0ba640943d5b47425f92015
Opcode Fuzzy Hash: 97e90c32b27cdc6a0893ccacd1ff84ec07de06be73ad9254ce9e66c3f14777c2
Instruction Fuzzy Hash: 3B010871544245EFDF019FA8E848BA97BE8FB4A315F080485FC4987351CB75AC90CB90

Function 04D71F3C Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000196A), ref: 04D71F65
GetDesktopWindow.USER32 ref: 04D71F8F
SetWindowTextW.USER32(00000000), ref: 04D71F96
FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D71FC2

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Window$BrushColorDesktopFormatMessageText
String ID:
API String ID: 4286015720-0
Opcode ID: ba5b90cebbcce6578db1b9d60c37b27ad97191d5aa5b53f0fb059b0e2f311e09
Instruction ID: ed2ecaeaefa2090b51b2c61b84ea88a4a8fe0943f40757854415b57e11573132
Opcode Fuzzy Hash: ba5b90cebbcce6578db1b9d60c37b27ad97191d5aa5b53f0fb059b0e2f311e09
Instruction Fuzzy Hash: AB014075A48768DAEB109FA8DC59BEDFFB0BB05705F040706F145BA3C1E77895009B20

Function 04D862EB Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,04D863C0,00000000,00003AF7,000005E3,00000003,?,04D86385,00000000), ref: 04D86327

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: c6f52d117df45cc631fd66cfa6c9a4dfa900cb73d50d2d02bcdbcddde5c617ad
Instruction ID: 59ee08722fb4310652ecdd29fa2024f518d67a6f80e9763ec25e420f09e38ec9
Opcode Fuzzy Hash: c6f52d117df45cc631fd66cfa6c9a4dfa900cb73d50d2d02bcdbcddde5c617ad
Instruction Fuzzy Hash: 0FF030B1685348FFFB016AA0AD0DFBA3B9CE704715F0C0444FA0DDA6D2D6B9999086A1

Function 04D93DCD Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000), ref: 04D93DF4
GetDesktopWindow.USER32 ref: 04D93E0B
GetDC.USER32(00000000), ref: 04D93E12
GetTextExtentPointW.GDI32(00000000), ref: 04D93E19

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentFormatMessagePointTextWindow
String ID:
API String ID: 2513662917-0
Opcode ID: d55035a9d83f36e36d7efca16e85d635ed686950c41d4b41afdddb876695d21c
Instruction ID: 09f6acc6dd9b6afecab1987460212b06a7de20b8330dfdffcc71ca6509179dd6
Opcode Fuzzy Hash: d55035a9d83f36e36d7efca16e85d635ed686950c41d4b41afdddb876695d21c
Instruction Fuzzy Hash: 98F01271645249FAFF116FA05C1AEBB3BADE704705F080444F909DA6C2D6659D6087A1

Function 04DA8694 Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000015F0,00000000,00000CCC,0000056E,00000000,00000917,00000000,?,04DA8114), ref: 04DA86BB
GetDesktopWindow.USER32 ref: 04DA86D2
GetDC.USER32(00000000), ref: 04DA86D9
GetTextExtentPointW.GDI32(00000000,?,04DA8114), ref: 04DA86E0

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: DesktopExtentFormatMessagePointTextWindow
String ID:
API String ID: 2513662917-0
Opcode ID: 684b55cd8c6afcc178a8f6a71c990acefe9ebc20cf06312b88d6349fe9eab253
Instruction ID: 9c48fffa66723243e411ab023129be21a8481d6fe45665a13a944d1bd4e62a96
Opcode Fuzzy Hash: 684b55cd8c6afcc178a8f6a71c990acefe9ebc20cf06312b88d6349fe9eab253
Instruction Fuzzy Hash: C8F082B0686348FAFB007BF0AC0EFBA3B9CD704711F0C8845F90D9A6C3C5699A509765

Function 04D8D613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D8D732
__EH_prolog.LIBCMT ref: 04D8D73D

Strings

NDEkzAepEGOKPahJWoW, xrefs: 04D8D72D

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prologXinvalid_argumentstd::_
String ID: NDEkzAepEGOKPahJWoW
API String ID: 4014091808-2683528191
Opcode ID: d2e4398d4e7bdf8e9bbf6c8992609fc94745d8f61a2e955721212aaea5cd4341
Instruction ID: e2a11ec5c0d169ddce06ab0bb63ff3661387e448661674a93fe59b5368743ab5
Opcode Fuzzy Hash: d2e4398d4e7bdf8e9bbf6c8992609fc94745d8f61a2e955721212aaea5cd4341
Instruction Fuzzy Hash: 7D612534600249DFDB11EF19C484A69BBE6FB45318F19C49DE85A8B2A2C771FC41CBA0

Function 04D86605 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D8672E

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D86733
DwKoYBuJCEyytDi, xrefs: 04D86729

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: fb86cc2adbe064409fae5d5900033baec34f31a6062dc0593f5d8cd0a4a62d81
Instruction ID: eca3ae0faa33b4efae0945fdbd18e3c1d517d2daf8551761d6dc8ab395aaac50
Opcode Fuzzy Hash: fb86cc2adbe064409fae5d5900033baec34f31a6062dc0593f5d8cd0a4a62d81
Instruction Fuzzy Hash: 2C412A70700249DFCB24EF58D9849AA77FAFF84764710496EE8928B610EB30F955CBE1

Function 04D970C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D970C5
std::_Xinvalid_argument.LIBCPMT ref: 04D97118

Part of subcall function 04DA8863: std::exception::exception.LIBCMT ref: 04DA8876
Part of subcall function 04DA8863: __CxxThrowException@8.LIBCMT ref: 04DA888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D97113

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Exception@8H_prologThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 935663214-3797114014
Opcode ID: 6e9898adeb8d5457bfbdffbf7b4f37ccc362da3a5c003ed36a9b2cacf93e2d24
Instruction ID: 3113cfe9c0d970a34eed65acc78ec2b1707be41bbebbc1b6727cd19bab6d6265
Opcode Fuzzy Hash: 6e9898adeb8d5457bfbdffbf7b4f37ccc362da3a5c003ed36a9b2cacf93e2d24
Instruction Fuzzy Hash: 244191B2A0020AEFEF04AF68CC859ADBBE5FF48310F10451AF815D7250DB31AD20DBA0

Function 04D74476 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D74521

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D74512
DwKoYBuJCEyytDi, xrefs: 04D7451C

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: 8c5772eff2a82cf8b0bd56194b1c1050818ac1088027270fab4c871ef28637e0
Instruction ID: 9cffbf2dfe52b2db40d547704b7714c2a992dc05bcca877e70ab7d287f0511a8
Opcode Fuzzy Hash: 8c5772eff2a82cf8b0bd56194b1c1050818ac1088027270fab4c871ef28637e0
Instruction Fuzzy Hash: 1C11B1313003049BCB31DF68C88899AB7E9FF817587200A2EE49687654FB70F918CBE1

Function 04D8673E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D867E9

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D867DA
DwKoYBuJCEyytDi, xrefs: 04D867E4

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: 583b6e71d7c717bd0cec4ac38c4535afbaff0cb8487b73b1e1393a80ae79e77e
Instruction ID: b9f8e2b708039f95afabc056a143ebfc35ab46d13b7b1ad4164461f7fa748f24
Opcode Fuzzy Hash: 583b6e71d7c717bd0cec4ac38c4535afbaff0cb8487b73b1e1393a80ae79e77e
Instruction Fuzzy Hash: 7611A535300204ABC720EE69DC849AAB7E9FF81764710092DE49287A44EB30F919C7E1

Function 04D86487 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D86527

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D86518
DwKoYBuJCEyytDi, xrefs: 04D86522

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: a3b0e46828a229874d2f725702762a16bf24471c459e629a1c6da2936222e467
Instruction ID: 40e4bdfd7a2f71927dfa73635726b6b43afb7547d571f185458201ca94a5ff56
Opcode Fuzzy Hash: a3b0e46828a229874d2f725702762a16bf24471c459e629a1c6da2936222e467
Instruction Fuzzy Hash: B711AC30300219AFC724EE6CD8849AAB7A9FF40764710097DE846CB644DB30F919CBA1

Function 04D9777C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04D9781C

Strings

xbftzkZErMGIHumMcosuOxQ, xrefs: 04D9780D
DwKoYBuJCEyytDi, xrefs: 04D97817

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: DwKoYBuJCEyytDi$xbftzkZErMGIHumMcosuOxQ
API String ID: 909987262-141594409
Opcode ID: 8ec5d75041668873c0643a6f0059fe0f19624e6ffc7a1838491e55e96549786a
Instruction ID: 72a8ca44e8bbdd52a6204c8f6542fd32888d79ab42c37dd6ab1b4c20c692d32f
Opcode Fuzzy Hash: 8ec5d75041668873c0643a6f0059fe0f19624e6ffc7a1838491e55e96549786a
Instruction Fuzzy Hash: 1D117C35310209EBCB24DF6CD88099AB7E9FF44754710092DE856C7650DB70FD58CBA1

Function 04D87A37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04D87A3C

Strings

null, xrefs: 04D87A4C
true, xrefs: 04D87A4B

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: H_prolog
String ID: null$true
API String ID: 3519838083-1304502921
Opcode ID: 2274a5f4e329b3f1c194a435c3dc49496ea01ff04002c236fa04ea4295dcc8e7
Instruction ID: 69d3807a6c338c21a0ebd91fe2131e6b5279d9ebc1046489c592cb1300dfbc54
Opcode Fuzzy Hash: 2274a5f4e329b3f1c194a435c3dc49496ea01ff04002c236fa04ea4295dcc8e7
Instruction Fuzzy Hash: F8014071E44218B6EB10EA95CC49FDFBF7CEB49B68F004119B948B6280C774A648C7B1

Function 04D731A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 04D731CD
std::_Xinvalid_argument.LIBCPMT ref: 04D731EC

Part of subcall function 04DA8863: std::exception::exception.LIBCMT ref: 04DA8876
Part of subcall function 04DA8863: __CxxThrowException@8.LIBCMT ref: 04DA888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D731E7

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: ca1775d4c7d467881ce0fca813880d922b89b521aec942508b4232e43b7f7e52
Instruction ID: 803307f69343992c83f11c47268a9c1842a1a80e0a0f41a38d6698e78fa360d8
Opcode Fuzzy Hash: ca1775d4c7d467881ce0fca813880d922b89b521aec942508b4232e43b7f7e52
Instruction Fuzzy Hash: DAF0A076604305AF9320DF29D4408A6BBECEA456B0320883FD9E9C3740FA32B0419BA0

Function 04D86A47 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 04D86A6A
std::_Xinvalid_argument.LIBCPMT ref: 04D86A88

Part of subcall function 04DA8863: std::exception::exception.LIBCMT ref: 04DA8876
Part of subcall function 04DA8863: __CxxThrowException@8.LIBCMT ref: 04DA888B

Strings

EQsxisSNUMqiHowmSY, xrefs: 04D86A83

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: AllocateException@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: EQsxisSNUMqiHowmSY
API String ID: 2227214630-3797114014
Opcode ID: 4d43984083a3814bdbca92cad3aaf299f08b1970c43c42eb1a0dc70b507cd37f
Instruction ID: d4290b32468ae1dfe6e1117721902e0846df524b070360d958e5f8ab49424aa6
Opcode Fuzzy Hash: 4d43984083a3814bdbca92cad3aaf299f08b1970c43c42eb1a0dc70b507cd37f
Instruction Fuzzy Hash: A5F0E576200701AF8320AF7AD8405A7B7E8EA85670320C63FE5E9C3740EA30F4414BA0

Function 04DAD3CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 04DAD3B6

Part of subcall function 04DA9254: RaiseException.KERNEL32(?,?,04DA8890,04D918DB,00000003,?,?,?,?,?,04DA8890,04D918DB,04DC8A94,00000003), ref: 04DA92A9

std::bad_exception::bad_exception.LIBCMT ref: 04DAD3DD

Part of subcall function 04DABC44: std::bad_exception::bad_exception.LIBCMT ref: 04DABC4D

Strings

VzGQCIbqrdwuIsGHNdRpxKtwJdXpetLf, xrefs: 04DAD3D5

Memory Dump Source

Source File: 00000006.00000002.2292140679.0000000004D71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: true

Associated: 00000006.00000002.2292117905.0000000004D70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292184178.0000000004DBE000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2292210435.0000000004DCA000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4d70000_rundll32.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ExceptionException@8RaiseThrow
String ID: VzGQCIbqrdwuIsGHNdRpxKtwJdXpetLf
API String ID: 1432139112-2565811093
Opcode ID: a373771c3bb36525e53903d56f26db9282d3275eecf371d18ba6cea2f6898ad6
Instruction ID: b7f3bb66e052d809990adb8481a331291941c3354f45609942b43c579d66b969
Opcode Fuzzy Hash: a373771c3bb36525e53903d56f26db9282d3275eecf371d18ba6cea2f6898ad6
Instruction Fuzzy Hash: 75E01276B002059FDF04DBA4C941AED7770AB0531AF150459E412B7550D774B968DF61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TsLvuUO.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempXMDGGl

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempjgCdeX

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnShBdn

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js_tempnwhObf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
TsLvuUO.dll

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre