Edit tour

Windows Analysis Report
up.dll

Overview

General Information

Sample name:	up.dll
Analysis ID:	1533003
MD5:	96b46f6f511442e7a1b5daa125ced491
SHA1:	337f4b6d92b567c30b90de1666f8adb32b457ee2
SHA256:	5546076ae6554a76b243471a4a3c3d002ef80b7504282c05c2a4fb923c8b77fd
Tags:	dlluser-4k95m
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6732 cmdline: loaddll32.exe "C:\Users\user\Desktop\up.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6712 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4388 cmdline: rundll32.exe "C:\Users\user\Desktop\up.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: up.dll	ReversingLabs: Detection: 39%
Source: up.dll	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: up.dll

Joe Sandbox ML: detected

Source: up.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: up.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3E7B99 FindFirstFileExW,

4_2_6D3E7B99

Source: Amcache.hve.7.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3ADF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

4_2_6D3ADF00

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3ADFE0 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

4_2_6D3ADFE0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3ADF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

4_2_6D3ADF00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D1EA0 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_6D3D1EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D27B9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_6D3D27B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D2625 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_6D3D2625

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BFD00	4_2_6D3BFD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3ABDC0	4_2_6D3ABDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D38CC20	4_2_6D38CC20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397C75	4_2_6D397C75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397C69	4_2_6D397C69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3EEC55	4_2_6D3EEC55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397CB6	4_2_6D397CB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397CE1	4_2_6D397CE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D399F10	4_2_6D399F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C5F90	4_2_6D3C5F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C0FF0	4_2_6D3C0FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397E34	4_2_6D397E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D1EA0	4_2_6D3D1EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3CDEF0	4_2_6D3CDEF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3DC900	4_2_6D3DC900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397959	4_2_6D397959
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D38A9D0	4_2_6D38A9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B5850	4_2_6D3B5850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3A08B0	4_2_6D3A08B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BD8B0	4_2_6D3BD8B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3DA8D0	4_2_6D3DA8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3EFB20	4_2_6D3EFB20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BCBF0	4_2_6D3BCBF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3F1BCE	4_2_6D3F1BCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D397A74	4_2_6D397A74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3EFA50	4_2_6D3EFA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B5AB0	4_2_6D3B5AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B4AB0	4_2_6D3B4AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D38DAF0	4_2_6D38DAF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C3500	4_2_6D3C3500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B0560	4_2_6D3B0560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3F2549	4_2_6D3F2549
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BA580	4_2_6D3BA580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3975E9	4_2_6D3975E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3CE5C0	4_2_6D3CE5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BC420	4_2_6D3BC420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3AC460	4_2_6D3AC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39D490	4_2_6D39D490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3AF490	4_2_6D3AF490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3F048B	4_2_6D3F048B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39D700	4_2_6D39D700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D399700	4_2_6D399700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D2760	4_2_6D3D2760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C97A0	4_2_6D3C97A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D17F0	4_2_6D3D17F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39763E	4_2_6D39763E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D2625	4_2_6D3D2625
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39767E	4_2_6D39767E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3AA6C0	4_2_6D3AA6C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BF160	4_2_6D3BF160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3921D0	4_2_6D3921D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3EB002	4_2_6D3EB002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39A070	4_2_6D39A070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D38D370	4_2_6D38D370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C23B0	4_2_6D3C23B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3CA3A0	4_2_6D3CA3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B53F0	4_2_6D3B53F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39A260	4_2_6D39A260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3B1240	4_2_6D3B1240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3E12A1	4_2_6D3E12A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3972E0	4_2_6D3972E0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D391E70 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D3BFBC0 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D3D5970 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D38B6B0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D390DC0 appears 47 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776

Source: up.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal56.winDLL@7/5@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D38CC20 CreateToolhelp32Snapshot,Module32FirstW,Module32NextW,Module32NextW,CloseHandle,VirtualQuery,

4_2_6D38CC20

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4388

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b3b7dabf-3edc-40e7-8ac2-6b857ee17e59

Jump to behavior

Source: up.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: up.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\up.dll",#1

Source: up.dll	ReversingLabs: Detection: 39%
Source: up.dll	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\up.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\up.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: up.dll

Static file information: File size 47943680 > 1048576

Source: up.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: up.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3D1500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D3D1500

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39ACF0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39AEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39ACF0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39AF27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D3C84DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D3C8B0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3C5F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D3C8DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3A7EA0 push ecx; mov dword ptr [esp], 3F800000h	4_2_6D3A8197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39E990 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39EAB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3BD8B0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D3BD956
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39ABC0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39ACA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D545E push ecx; ret	4_2_6D3D5471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39B000 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39B29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D39B000 push ecx; mov dword ptr [esp], 00000000h	4_2_6D39B688

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 3.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3E7B99 FindFirstFileExW,

4_2_6D3E7B99

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D381920 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,Sleep,GetModuleHandleA,LdrInitializeThunk,EnumWindows,

4_2_6D381920

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3D5853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_6D3D5853

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3D1500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D3D1500

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3E8D9A GetProcessHeap,

4_2_6D3E8D9A

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D4EF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6D3D4EF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D5853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6D3D5853
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D3D8776 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6D3D8776

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\up.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3D566F cpuid

4_2_6D3D566F

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,		4_2_6D3D1500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetKeyboardLayout,GetLocaleInfoA,		4_2_6D3D14C0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D3D59B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_6D3D59B5

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
up.dll	39%	ReversingLabs	Win32.PUA.GameHack
up.dll	37%	Virustotal		Browse
up.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
s-part-0017.t-0009.fb-t-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533003
Start date and time:	2024-10-14 09:45:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	up.dll
Detection:	MAL
Classification:	mal56.winDLL@7/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:46:17	API Interceptor	1x Sleep call for process: loaddll32.exe modified
03:46:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	file.exe	Get hash	malicious	Stealc	Browse	13.107.253.45
	https://verfiy-blue-badge-sign-up.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shaw-104167.square.site/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://attmailmanagementupdates2024.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://business.helpcaseappealcenter.eu/community-standard/346299132520232	Get hash	malicious	Unknown	Browse	13.107.253.45
	http://bervokter-pdf.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shawcawebmailserver.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shaw-104167.square.site/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://businesssupport248.mfb72024.click/	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_45b27b9ae4bdc5533369f53128e793cbabf13_7522e4b5_8c897256-56e2-4a6b-a5a5-c2b09c66c44c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9327584585565574
Encrypted:	false
SSDEEP:	192:i597ciHOKu0BU/wjeTPczuiFqZ24IO84ci:SciuKVBU/wjeAzuiFqY4IO84ci
MD5:	974101619483A019D6CE77504DA51426
SHA1:	BD6E0D14C4336090CC350BE307E0C6EDBF4F5587
SHA-256:	7A931F2FCFD6354E7974F6181B2ECAD040F4A79CB00DBAED0A21D4AC0438461B
SHA-512:	26A84719C0D8F226E9A0E7847BE5D3937D07E08FA6422795C731F7A124914177202E0FEBD378DAB03A93DF73E1B488C01FE8C7A3680A5524B23346DE3D7033A9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.6.5.5.8.0.0.9.0.4.4.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.6.5.5.8.0.5.7.4.8.1.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.8.9.7.2.5.6.-.5.6.e.2.-.4.a.6.b.-.a.5.a.5.-.c.2.b.0.9.c.6.6.c.4.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.7.d.f.4.9.5.-.3.e.9.7.-.4.5.4.5.-.9.2.c.8.-.1.a.a.5.2.9.8.3.d.6.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.2.4.-.0.0.0.1.-.0.0.1.5.-.9.f.1.e.-.1.c.2.7.0.d.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER485.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 14 07:46:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55072
Entropy (8bit):	2.2060503413637296
Encrypted:	false
SSDEEP:	768:ren5fCykRdn/////L1d9///d9//LTE7dn/////L1d9///d9//LTET7npiCM:rv7pm
MD5:	FABCBF545BA1E12D8D08FA8BD921DEB0
SHA1:	96E4EAA8E389B836DA31791A86D3EE1C743070D9
SHA-256:	9F9D0305B0E80A392109C5026F31A34C67B4C64CCCDB80ED614A03596F241536
SHA-512:	D45F30BA23C23B41F7D3FBBA896F2E04777F9999D08BAF82181ECCCB2DCABCE5D28C0582803A8AADDD42777E28773C4314416A5A528D8C2F3270AD0C9D160732
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......L..g........................l...........$....1..........T.......8...........T...............H...........8...........$...............................................................................eJ..............GenuineIntel............T.......$...I..g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER590.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8376
Entropy (8bit):	3.6946011481414103
Encrypted:	false
SSDEEP:	192:R6l7wVeJCB6cae6YRZ66Bgmf8j9prR889bV2sfScHm:R6lXJk6g6Yv6cgmf8jRpVVfSB
MD5:	42FE2EA495CCBA3B337E0453D27BCB08
SHA1:	7B6FA033E86A65D1BA7922E134F4922F5A6E91B0
SHA-256:	66504C7FDEACF5AA369F82A605A9493A04765DC61FFD60F27C509595D3D47EC8
SHA-512:	729CFA9A6BC5BF3DEB3FAEB0233FD8D3017D322FB074EAA49130EAF8DAF1CC46ECC909CF0DB573BE07EA9282B7671FD68A5534BE4E265AB1F2BF49E581C3D242
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.482644733403888
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9p+WpW8VYCYm8M4JCdP7FFB+q8vjPdvnGScSMd:uIjf0I77/7VaJoBKNJ3Md
MD5:	6506E4F5881768D0951E0A85E556B493
SHA1:	B1B6AAE77E0EA9D4E005E988C74736754E43B6E3
SHA-256:	D0D8A885F0CC83FB5C747D9657B71CB310F33CA8A9B37DC6343601A7BA4B4E9B
SHA-512:	8906ADB8353B83540DB5C33C93D1147074DF266B88424AAC9F03200ACA95F58572748EE0A761B37CBFDE5396FE0368D3E2A102F9D78C5DB27C1DD251CEF68B98
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542809" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469364143022623
Encrypted:	false
SSDEEP:	6144:czZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:iZHtYZWOKnMM6bFpHj4
MD5:	12795901F4D5CC6AD8AF52B995476B38
SHA1:	85DF24E3FC1903712EFE4576AF29BF252B458EA5
SHA-256:	8B724CBEFF1D8D029BEEE09A5AA4E27D6B044DCCAA733218079CFFF91D0516E5
SHA-512:	74CEC429CFBCA75D90F90E7D6BF80B86831F94FA4A273EB7D28DC55295303F86671F8460C949594B4A2DDD31E4A4DFC2FA73C374E0465FDDF9F251D50875EAC1
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;w(................................................................................................................................................................................................................................................................................................................................................-Oa.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.22731154329707412
TrID:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14% Win32 Dynamic Link Library (generic) (1002004/3) 49.67% Generic Win/DOS Executable (2004/3) 0.10% DOS Executable Generic (2002/1) 0.10% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	up.dll
File size:	47'943'680 bytes
MD5:	96b46f6f511442e7a1b5daa125ced491
SHA1:	337f4b6d92b567c30b90de1666f8adb32b457ee2
SHA256:	5546076ae6554a76b243471a4a3c3d002ef80b7504282c05c2a4fb923c8b77fd
SHA512:	e5b359cac7eaaf7255734a86e562706061ed133c09b3ca6a54c3aa2cdae36e60e8766b38dc4d31ca74bff768f6a4a63e90baeca10e64ce7819927effddd6686e
SSDEEP:	24576:ab5Wyc+GYmc0guuEtMQxmbW0dH580xYIwzO0Zzp:ab8ysYm5ax580/wK0Zzp
TLSH:	F8B7CF40B9E380B5C46D20703028BBAF593E35844F2869F7B7D829ED5FE02D256F7966
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G........................E............'.......'.......'..................1....'.......'......Rich...........................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1005543b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x663EA19F [Fri May 10 22:37:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	121cde6d75e4ec93f689fa0e0c5acf93

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F54086E30D7h
call 00007F54086E368Eh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F54086E2F83h
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F54086E2706h
jmp 00007F54086E30B2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100B3100h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100B3100h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1584	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb9000	0x4d04	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xadc58	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xadc80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xadb98	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x75000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x73c58	0x73e00	68764eb186630d00bbaea0eae1a71d26	False	0.5364456917475728	data	6.675785525089795	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x75000	0x3d368	0x3d400	5061f20512dd222c15fb4541ba229533	False	0.6918925382653062	data	6.723426334145537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb3000	0x5880	0x2c00	c9bc63a30a9cbfd13c16c08a2eb6b509	False	0.1768465909090909	data	4.4110269978489445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb9000	0x4d04	0x4e00	c2c8bf72306f8c9f53b02ec069001b42	False	0.7590645032051282	data	6.7013028056733654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WINHTTP.dll	WinHttpConnect, WinHttpSendRequest, WinHttpCloseHandle, WinHttpOpenRequest, WinHttpReadData, WinHttpReceiveResponse, WinHttpOpen, WinHttpQueryDataAvailable
OPENGL32.dll	wglGetCurrentDC
USER32.dll	EnumWindows, WindowFromDC, GetWindowThreadProcessId, GetKeyState, GetMessageExtraInfo, ScreenToClient, ClientToScreen, TrackMouseEvent, GetKeyboardLayout, GetForegroundWindow, LoadCursorW, SetCursor, GetClientRect, IsWindowUnicode, SetCursorPos, GetCursorPos, OpenClipboard, CloseClipboard, EmptyClipboard, GetClipboardData, SetClipboardData, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, GetSystemMetrics, SendInput
OLEAUT32.dll	SysStringLen, SafeArrayPutElement, SysAllocString, SysFreeString, SafeArrayGetLBound, SafeArrayDestroy, VariantInit, SafeArrayGetUBound, SafeArrayGetElement, SafeArrayCreateVector
KERNEL32.dll	GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetFileSizeEx, GetConsoleOutputCP, WriteFile, FlushFileBuffers, ReadConsoleW, GetConsoleMode, SetFilePointerEx, GetFileType, GetStdHandle, LCMapStringW, HeapFree, HeapAlloc, ReadFile, ExitProcess, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, SetLastError, InterlockedFlushSList, RtlUnwind, VirtualFree, GetCurrentProcess, GetModuleHandleA, Sleep, CloseHandle, CreateThread, GetProcAddress, GetCurrentProcessId, FreeLibrary, WideCharToMultiByte, K32QueryWorkingSetEx, VirtualProtect, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, GetStringTypeW, MultiByteToWideChar, GetLastError, IsProcessorFeaturePresent, DeleteCriticalSection, CreateToolhelp32Snapshot, Module32FirstW, GetModuleHandleW, Module32NextW, VirtualQuery, GetModuleFileNameW, VirtualFreeEx, GetCurrentThreadId, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, LoadLibraryA, GetLocaleInfoA, QueryPerformanceFrequency, QueryPerformanceCounter, RaiseException, FreeLibraryWhenCallbackReturns, DecodePointer, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, LocalFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, SetStdHandle, CreateFileW, HeapSize, HeapReAlloc, SetEndOfFile, WriteConsoleW, CreateThreadpoolWork
IMM32.dll	ImmSetCompositionWindow, ImmSetCandidateWindow, ImmReleaseContext, ImmGetContext

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 09:46:15.321306944 CEST	1.1.1.1	192.168.2.6	0xce23	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:15.321306944 CEST	1.1.1.1	192.168.2.6	0xce23	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:15.321306944 CEST	1.1.1.1	192.168.2.6	0xce23	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\up.dll"
Imagebase:	0x590000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:46:17
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\up.dll",#1
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:46:19
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
Imagebase:	0x3f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	91
Total number of Limit Nodes:	6

Executed Functions

Function 6D381920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130
librarysleeploaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 6D38195D
GetProcAddress.KERNEL32(00000000,wglSwapBuffers), ref: 6D38196B
Sleep.KERNELBASE(000003E8), ref: 6D3819AF

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

GetModuleHandleA.KERNEL32(d3d9.dll), ref: 6D3819D1
LdrInitializeThunk.NTDLL(00000000,Direct3DCreate9), ref: 6D3819D9
EnumWindows.USER32(6D3818E0,00000000), ref: 6D381A15

Strings

`#v, xrefs: 6D38192D
Direct3DCreate9, xrefs: 6D3819D3
opengl32.dll, xrefs: 6D381934
d3d9.dll, xrefs: 6D3819CC
wglSwapBuffers, xrefs: 6D381965

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$HandleModuleProtect$AddressEnumFreeInitializeProcSleepThunkWindows
String ID: Direct3DCreate9$`#v$d3d9.dll$opengl32.dll$wglSwapBuffers
API String ID: 1689101902-273430762
Opcode ID: 9369c93cae4cef36e326e6570514f0de2039941d015424ef6df0780b083e10fb
Instruction ID: 552771dcd39e7e3c7bf1edf154b5b61ecab29f99ee5dd97dff9e551800a3574d
Opcode Fuzzy Hash: 9369c93cae4cef36e326e6570514f0de2039941d015424ef6df0780b083e10fb
Instruction Fuzzy Hash: DC51EEB5A08341AFD710DF29C845F5B7BF8AF89344F02890DF9889B281DB71E944CB96

Function 6D3D5255 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D3D529C
___scrt_uninitialize_crt.LIBCMT ref: 6D3D52B6

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c3f8263faf24be70def3c05402a08e8f21478a8d4c584b4955ff11e194da1865
Instruction ID: acbccdadced50ce71a39538c119792ed118556758d1b08904bbcf804690b6d59
Opcode Fuzzy Hash: c3f8263faf24be70def3c05402a08e8f21478a8d4c584b4955ff11e194da1865
Instruction Fuzzy Hash: 2741D633D09666AFDB919F59C801BBF36B4EF867A9F028519EA9497140C771CD018FA0

Function 6D3D5305 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D3D5342
dllmain_crt_dispatch.LIBCMT ref: 6D3D5359
dllmain_raw.LIBCMT ref: 6D3D53A1
dllmain_crt_dispatch.LIBCMT ref: 6D3D53B4
dllmain_raw.LIBCMT ref: 6D3D53C7

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: c12f25ebe376d85eb18f36006dcbe2940260ef0387a2c94c32fb03a8e4d350dd
Instruction ID: 08324b66ec43df6883698900a9d0584bb98c4ff4931a0525d725607c0bbac48f
Opcode Fuzzy Hash: c12f25ebe376d85eb18f36006dcbe2940260ef0387a2c94c32fb03a8e4d350dd
Instruction Fuzzy Hash: 0A219173D0465AABDBA18F19C841F7F3A79EB82694F028425F95457210C771CD018FA0

Function 6D381560 Relevance: 4.6, APIs: 3, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000005,00003000,00000040,?,?,7622F550,opengl32.dll), ref: 6D3815BF
VirtualProtect.KERNELBASE(76230A60,00000005,00000040,?,?,?,7622F550,opengl32.dll), ref: 6D381615
VirtualProtect.KERNELBASE(?,00000005,?,?,?,?,?,?,?,7622F550,opengl32.dll), ref: 6D381647

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: 0dbbecd90c7c620706c74494a4796e9c841517adcb415b97c976960e812ad69f
Instruction ID: 18407d79eb3d15c34ee28ac824b1aee93523a0e7f72facea148e322d12152b21
Opcode Fuzzy Hash: 0dbbecd90c7c620706c74494a4796e9c841517adcb415b97c976960e812ad69f
Instruction Fuzzy Hash: E3312771604306AFD700CF78DC80B56BFACFF05258F024229F59987281D771E5188BE1

Function 6D381660 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID:
API String ID: 3866829018-0
Opcode ID: c33c73e1529e25fa7bd18bfa46e235c86347e896780c97642fb7c055c8d1042c
Instruction ID: 009e0db0097ba6cd03fa8296cde328f0278193ad66b13e93e39ad98e35b4db6c
Opcode Fuzzy Hash: c33c73e1529e25fa7bd18bfa46e235c86347e896780c97642fb7c055c8d1042c
Instruction Fuzzy Hash: F0F0AFB2104389BFEB008F50DC44FAB7BACFB89604F148119FE5996141D774E448CB64

Function 6D3D514E Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D3D519B

Part of subcall function 6D3D5A4D: InitializeSListHead.KERNEL32(6D4360F8,6D3D51A5,6D430CC0,00000010,6D3D5136,?,?,?,6D3D535E,?,00000001,?,?,00000001,?,6D430D08), ref: 6D3D5A52

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D3D5205

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: db595f424b6fc1c61e3e18d336a8a8d57f6847a6a303b7cb87bdd79e50481112
Instruction ID: 59788f1d433cd414a325fe7ab73d77e7b5e83bef534716db887d6a9b4405baa9
Opcode Fuzzy Hash: db595f424b6fc1c61e3e18d336a8a8d57f6847a6a303b7cb87bdd79e50481112
Instruction Fuzzy Hash: 8921F037548256AEDBD0ABB8D4067BC3760DF2B2ADF02C01AD6D06B1C2DB324205CF61

Function 6D3E456D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6D3E45B9
GetFileType.KERNELBASE(00000000), ref: 6D3E45CB

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: a382834509f71e414bab97e8db245e274d7966811edd8d1972ba349e42dd227f
Instruction ID: b8319348c2da0195d36992bce7856686d0015fb1397bb476cad220542867aaef
Opcode Fuzzy Hash: a382834509f71e414bab97e8db245e274d7966811edd8d1972ba349e42dd227f
Instruction Fuzzy Hash: 8611E6312087634ACB314E3E8C897327AA9A74F2B0B24071FE5B6975F1C371D982C691

Function 6D381B00 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,6D381920,00000001,00000000,00000000), ref: 6D381B21
CloseHandle.KERNELBASE(00000000,?,6D3D535E,?,00000001,?,?,00000001,?,6D430D08,0000000C,6D3D5457,?,00000001,?), ref: 6D381B28

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 0aa57c4ed6aea803db9c5709c6f9e650b6e26c21c6fc9485c897187d278d37f8
Instruction ID: 976792c0dd769a3c8078cd183ada2dfc4208837adb716eb7f92edbb6bde25cb9
Opcode Fuzzy Hash: 0aa57c4ed6aea803db9c5709c6f9e650b6e26c21c6fc9485c897187d278d37f8
Instruction Fuzzy Hash: 1CD06739648302BBE7605B64DC49F29BBB8EB49711F10C459F65496285C3B19440CB55

Non-executed Functions

Function 6D3921D0 Relevance: 127.2, APIs: 7, Strings: 65, Instructions: 1234threadCOMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008,D5219907,?,?,?,?,?,?,?,6D3F3EC5,000000FF,?,?,?,6D38177F), ref: 6D392238

Part of subcall function 6D389160: K32QueryWorkingSetEx.KERNEL32(?,00000008,?), ref: 6D389177

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000008,00000000,Freedom v0.94.3 DEV [6e79672] is Loading!,000000FF,00000000,00000000), ref: 6D3922AB

Part of subcall function 6D38E1B0: VirtualProtect.KERNEL32(00000000,00000000,00000040,59m,00000000,762304C0,?,6D390106,?,6D38E58D,00000000,?,?,?,6D3935EA), ref: 6D38E202
Part of subcall function 6D38E1B0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E222

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

Part of subcall function 6D3901D0: VirtualProtect.KERNEL32(00000000,00000000,00000040,6D3930DA,00000000,?,?,6D3930DA), ref: 6D3901F1
Part of subcall function 6D3901D0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3930DA), ref: 6D390211

Part of subcall function 6D38FC40: VirtualProtect.KERNEL32(00000000,00000000,00000040,6D39321D,00000000,?,?,6D39321D), ref: 6D38FC61
Part of subcall function 6D38FC40: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D39321D), ref: 6D38FC81

Part of subcall function 6D38FB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D436BA0,000000FF,00000000,00000000,00000000,00000000,?,6D436FA0,?,6D3932DD,6D436B18,6D436B20), ref: 6D38FBB4
Part of subcall function 6D38FB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D436FA0,00000000,?,6D436FA0,?,6D3932DD,6D436B18,6D436B20), ref: 6D38FBC5

CreateThread.KERNEL32(00000000,00000000,6D38E0B0,00000000,00000000,00000000), ref: 6D393586
CloseHandle.KERNEL32(00000000), ref: 6D39358D
UnhookWindowsHookEx.USER32 ref: 6D3935D5
std::_Throw_Cpp_error.LIBCPMT ref: 6D3936E9
std::_Throw_Cpp_error.LIBCPMT ref: 6D393739

Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E2ED
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E309
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E330
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E34C
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E373
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E38F
Part of subcall function 6D38E2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E3DB

Strings

Replay Keys, xrefs: 6D392EBC
##rpc_small_text, xrefs: 6D393369
Ciremun's Freedom v0.94.3 DEV [6e79672], xrefs: 6D393671
Mods, xrefs: 6D392C05
##font_size, xrefs: 6D393415
Left Click, xrefs: 6D392871
Timewarp Scale: %.2lf, xrefs: 6D392B65
Variable Unstable Rate, xrefs: 6D392973
Open Replay Preview in-game to Select a Replay, xrefs: 6D392BD0
##rpc_large_text, xrefs: 6D393307
Relax, xrefs: 6D392515, 6D392521
Usage: Open Replay Preview in-game to Select a Replay, xrefs: 6D392D3D
Difficulty, xrefs: 6D3924F8
Hold Ctrl To Set a Custom Value, xrefs: 6D393163
Discord RPC Settings, xrefs: 6D3931D2
##tab_content, xrefs: 6D3926F3
%s - %.2f%% - %ux - %s, xrefs: 6D392C20
Mods, xrefs: 6D3925CD
##fraction_modifier, xrefs: 6D392A56
Selected Replay, xrefs: 6D392BF0
Jumping Unstable Rate Window, xrefs: 6D3929BB
Font Size: %dpx, xrefs: 6D3933FD
Right Click, xrefs: 6D39289C
Replay Author, xrefs: 6D392C1B
Freedom, xrefs: 6D392326
Small Text, xrefs: 6D39335D
Aim According to Replay Data, xrefs: 6D392E88
Press Keys According to Replay Data, xrefs: 6D392EE6
Unmod Hidden, xrefs: 6D392F86
(Detected!), xrefs: 6D393040
Score Multiplier, xrefs: 6D393085
Alternate Mode, xrefs: 6D39292E
SingleTap Mode, xrefs: 6D3928DC
##rpc_state, xrefs: 6D3932A5
Freedom v0.94.3 DEV [6e79672] is Loading!, xrefs: 6D392298, 6D39236C
lACm, xrefs: 6D392FF2
Unload DLL, xrefs: 6D3935B3
##score_multiplier, xrefs: 6D393148
T;Cm, xrefs: 6D393143
Cursor Delay: %.2f, xrefs: 6D392A51
##settings, xrefs: 6D392487
Misc, xrefs: 6D3925E1
SingleTap, xrefs: 6D3928CB
Alternate, xrefs: 6D39291D
@mrflashstudio, xrefs: 6D3936A1
Convert Replay to/from Hardrock, xrefs: 6D392E36
##timewarp_scale, xrefs: 6D392B7E
Replay, xrefs: 6D392590, 6D39259C
Player, Accuracy, Mods, xrefs: 6D392C3B
lACm, xrefs: 6D393003
Debug, xrefs: 6D392646
About, xrefs: 6D392602
Large Text, xrefs: 6D3932FB
Memory Scan: %.0f%%, xrefs: 6D3923B2
Special Thanks to Maple Syrup, xrefs: 6D393694
Replay Aim, xrefs: 6D392E5E
State, xrefs: 6D393299
Timewarp, xrefs: 6D392567, 6D392573
Unmod Flashlight, xrefs: 6D392F22
Enable, xrefs: 6D3927AF, 6D3929F4, 6D392AE3, 6D392C63, 6D3930B7, 6D3931FA
Aimbot, xrefs: 6D39253E, 6D39254A
Score Multiplier: %.0f, xrefs: 6D39313E
Rescan Memory, xrefs: 6D39355A
h;Cm, xrefs: 6D392A43
Hardrock, xrefs: 6D392D7F

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$ByteCharMultiWide$Cpp_errorQueryThrow_Workingstd::_$CloseCreateFreeHandleHookThreadUnhookWindows
String ID: ##font_size$##fraction_modifier$##rpc_large_text$##rpc_small_text$##rpc_state$##score_multiplier$##settings$##tab_content$##timewarp_scale$%s - %.2f%% - %ux - %s$(Detected!)$@mrflashstudio$About$Aim According to Replay Data$Aimbot$Alternate$Alternate Mode$Ciremun's Freedom v0.94.3 DEV [6e79672]$Convert Replay to/from Hardrock$Cursor Delay: %.2f$Debug$Difficulty$Discord RPC Settings$Enable$Font Size: %dpx$Freedom$Freedom v0.94.3 DEV [6e79672] is Loading!$Hardrock$Hold Ctrl To Set a Custom Value$Jumping Unstable Rate Window$Large Text$Left Click$Memory Scan: %.0f%%$Misc$Mods$Mods$Open Replay Preview in-game to Select a Replay$Player, Accuracy, Mods$Press Keys According to Replay Data$Relax$Replay$Replay Aim$Replay Author$Replay Keys$Rescan Memory$Right Click$Score Multiplier$Score Multiplier: %.0f$Selected Replay$SingleTap$SingleTap Mode$Small Text$Special Thanks to Maple Syrup$State$T;Cm$Timewarp$Timewarp Scale: %.2lf$Unload DLL$Unmod Flashlight$Unmod Hidden$Usage: Open Replay Preview in-game to Select a Replay$Variable Unstable Rate$h;Cm$lACm$lACm
API String ID: 4285642291-1098162263
Opcode ID: 9afa2c9a18334e0b42752d3c01a28a843883ccee2ea2714222d1ff0b0907cdf0
Instruction ID: 022d97f0964f08e5a371d0ff61276431304e5ef794a70e984af01daf730fc027
Opcode Fuzzy Hash: 9afa2c9a18334e0b42752d3c01a28a843883ccee2ea2714222d1ff0b0907cdf0
Instruction Fuzzy Hash: F6B20BB8D081458FDF10EF65C955FBA77B1BF4A308F468158D9852F281EB72AC44CB62

Function 6D38CC20 Relevance: 25.0, APIs: 5, Strings: 9, Instructions: 505processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000018,00000000), ref: 6D38CC5E
Module32FirstW.KERNEL32(00000000,?), ref: 6D38CC79
Module32NextW.KERNEL32(00000000,?), ref: 6D38CCAF
CloseHandle.KERNEL32(00000000), ref: 6D38CCC3
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 6D38CCD1

Strings

NBm, xrefs: 6D38D196
LMBm, xrefs: 6D38D024
(MBm, xrefs: 6D38D002
dNBm, xrefs: 6D38D1E0
osu!.exe, xrefs: 6D38CC97
dNBm, xrefs: 6D38D1B4
(MBm, xrefs: 6D38CFDC
:Cm, xrefs: 6D38CD5B
Memory Scan Took: %lfs, xrefs: 6D38CD9E

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Module32$CloseCreateFirstHandleNextQuerySnapshotToolhelp32Virtual
String ID: :Cm$ NBm$(MBm$(MBm$LMBm$Memory Scan Took: %lfs$dNBm$dNBm$osu!.exe
API String ID: 1628813743-1587853734
Opcode ID: 7ad9d74f69d3f50e485ffa537b1b41371f4114a9f751bc19db944454e6366344
Instruction ID: 4d1182a23c5da3593ab73632bfc50ae180716a8aaa94da035787735698d25d75
Opcode Fuzzy Hash: 7ad9d74f69d3f50e485ffa537b1b41371f4114a9f751bc19db944454e6366344
Instruction Fuzzy Hash: 601248715082928FDB20DF29D881B76BBF1FB8B355F15856ED48A8B243D332D885CB91

Function 6D397959 Relevance: 23.7, Strings: 18, Instructions: 1180COMMON

Download Yara Rule

Strings

0000, xrefs: 6D398184
0000, xrefs: 6D398044
0000, xrefs: 6D398B84
0123456789abcdefxp, xrefs: 6D397962
., xrefs: 6D397FEF
gfff, xrefs: 6D397C11
0000, xrefs: 6D3988F4
0, xrefs: 6D3981DC
+, xrefs: 6D397BBB
i, xrefs: 6D39833A
0, xrefs: 6D397FE3
XCCm, xrefs: 6D398704, 6D398718
_kMGT, xrefs: 6D39830C
0123456789ABCDEFXP, xrefs: 6D39795D
, xrefs: 6D3986ED
gfff, xrefs: 6D397BD9
_KMGT, xrefs: 6D398311
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $+$.$0$0$0000$0000$0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCCm$_KMGT$_kMGT$gfff$gfff$i
API String ID: 0-4233686986
Opcode ID: 4db23fcd088a94dc16228cb8f75d968c2d88f62b8478e38854ddcab8a1d71240
Instruction ID: a831f8652b4144c2639e8a0a3e581c95755db40710df942b1cf778ee88071dd2
Opcode Fuzzy Hash: 4db23fcd088a94dc16228cb8f75d968c2d88f62b8478e38854ddcab8a1d71240
Instruction Fuzzy Hash: 4BA27971A083828FD305CF29C48162BBBE2BFD9744F18892DE4D99B351E776D945CB82

Function 6D38DAF0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 321memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(win32u.dll,00000001), ref: 6D38DB0A
GetProcAddress.KERNEL32(00000000,NtUserSendInput), ref: 6D38DB1A

Part of subcall function 6D38FB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D436BA0,000000FF,00000000,00000000,00000000,00000000,?,6D436FA0,?,6D3932DD,6D436B18,6D436B20), ref: 6D38FBB4
Part of subcall function 6D38FB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D436FA0,00000000,?,6D436FA0,?,6D3932DD,6D436B18,6D436B20), ref: 6D38FBC5

VirtualProtect.KERNEL32(00000000,00000005,00000040,?), ref: 6D38DBC3
VirtualProtect.KERNEL32(00000000,00000005,?,?), ref: 6D38DBEA

Strings

?Cm, xrefs: 6D38DD69
lACm, xrefs: 6D38E096
[!] '%s' wasn't found, xrefs: 6D38DB7A
[!] NtUserSendInput is null, xrefs: 6D38DB29
NtUserSendInput, xrefs: 6D38DB14
:Cm, xrefs: 6D38DB66
win32u.dll, xrefs: 6D38DB05
<kCm, xrefs: 6D38E061
[!] win32u.dll is null, xrefs: 6D38DB30

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ByteCharMultiProtectVirtualWide$AddressHandleModuleProc
String ID: :Cm$<kCm$NtUserSendInput$[!] '%s' wasn't found$[!] NtUserSendInput is null$[!] win32u.dll is null$lACm$win32u.dll$?Cm
API String ID: 3533231508-3265461858
Opcode ID: 2e9c895825558e3ba44c364ebb3d63e60cf67330115a122238495c3d0d83e8c2
Instruction ID: 39a0965e0c5d064938091075289443e56843af07ece5279091d2096b1260962d
Opcode Fuzzy Hash: 2e9c895825558e3ba44c364ebb3d63e60cf67330115a122238495c3d0d83e8c2
Instruction Fuzzy Hash: FBE1C67481C3C29FEB11EF2AD445B677BF0BBDA348F02961DE49446242D772D988CB92

Function 6D3D1500 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,00000026,?,?,?,?,?,?,?,?,?,6D391DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D3F3E83,00000000), ref: 6D3D151D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6D391DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D3F3E83,00000000), ref: 6D3D1530
GetKeyboardLayout.USER32(00000000), ref: 6D3D15A7
GetLocaleInfoA.KERNEL32(00000000,20001004,-00000024,00000004,?,?,?,?,?,?,?,?,6D391DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D3F3E83,00000000), ref: 6D3D15BC
LoadLibraryA.KERNEL32(6D426EA0), ref: 6D3D1614
GetProcAddress.KERNEL32(00000000,XInputGetCapabilities), ref: 6D3D1646
GetProcAddress.KERNEL32(00000000,XInputGetState), ref: 6D3D1651

Strings

nBm, xrefs: 6D3D15FB
XInputGetState, xrefs: 6D3D1648
XInputGetCapabilities, xrefs: 6D3D163D

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AddressPerformanceProcQuery$CounterFrequencyInfoKeyboardLayoutLibraryLoadLocale
String ID: XInputGetCapabilities$XInputGetState$nBm
API String ID: 2839060773-174835795
Opcode ID: 4e4cfcec88d6aaa90130e96da93df4956f8812db5b44b2efe7a3fa8572acd308
Instruction ID: e84184c052e7fd71ea7ed2d472cbe973d5fc36f64947993df7dc21d62bc827d8
Opcode Fuzzy Hash: 4e4cfcec88d6aaa90130e96da93df4956f8812db5b44b2efe7a3fa8572acd308
Instruction Fuzzy Hash: 6E41B076A08741AFDB80CF29C885B6ABBF8BF8D214F41456DE98997200D731E800CF91

Function 6D39767E Relevance: 17.1, Strings: 13, Instructions: 883COMMON

Download Yara Rule

Strings

gfff, xrefs: 6D3978E1
0000, xrefs: 6D398B84
0123456789abcdefxp, xrefs: 6D397682
0000, xrefs: 6D3988F4
x, xrefs: 6D3977A1
XCCm, xrefs: 6D398704, 6D398718
gfff, xrefs: 6D3978A5
0123456789ABCDEFXP, xrefs: 6D397690
, xrefs: 6D3986ED
+, xrefs: 6D39786C
., xrefs: 6D3977CB
, xrefs: 6D398D01
0, xrefs: 6D397791

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $+$.$0$0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCCm$gfff$gfff$x
API String ID: 0-1450608632
Opcode ID: 8ed3258a508f4d230fb14144bfd648a6fd8ba9cdba680fbceae62560bae80a04
Instruction ID: 50a7e3134fc0918180aad7df2cc8a522e439a357ee594638dbbfbf6a5c660f83
Opcode Fuzzy Hash: 8ed3258a508f4d230fb14144bfd648a6fd8ba9cdba680fbceae62560bae80a04
Instruction Fuzzy Hash: 41728A71A083828FD314CF29C88136BFBE2AFD5754F18892DE4D9DB351E676C8458B82

Function 6D3D1EA0 Relevance: 16.7, APIs: 11, Instructions: 192keyboardCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 6D3D1ED2
QueryPerformanceCounter.KERNEL32(?), ref: 6D3D1F0E
GetForegroundWindow.USER32 ref: 6D3D1F6A
ClientToScreen.USER32(?,?), ref: 6D3D1FA1
SetCursorPos.USER32(?,?,?,?), ref: 6D3D1FB3
GetCursorPos.USER32(?), ref: 6D3D1FCD
ScreenToClient.USER32(00000000,?), ref: 6D3D1FDE
GetKeyState.USER32(000000A0), ref: 6D3D2024
GetKeyState.USER32(000000A1), ref: 6D3D206A
GetKeyState.USER32(0000005B), ref: 6D3D20AD
GetKeyState.USER32(0000005C), ref: 6D3D20F0

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: 62852953193cbc8986f0662ee3fc4c4ec31291e15acf1586484c544ee76c13f6
Instruction ID: 513831b3a8d946935a790f98d208773d6c8da85386ebabd86534975d57678f5c
Opcode Fuzzy Hash: 62852953193cbc8986f0662ee3fc4c4ec31291e15acf1586484c544ee76c13f6
Instruction Fuzzy Hash: 3C8166369083469FEB62CF31CA45BBA7BF5AF46304F048359F9956A092C771E884CF91

Function 6D3D2625 Relevance: 15.5, APIs: 10, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df57b3ba9f78b74099e088cf6f6fde3882840b0d74a49da0d9b34fb2d01c364c
Instruction ID: 9a0ccfe6835ebfaef97243c2186d7545d32b1456e570d3b2fc17ae56b7e5ff42
Opcode Fuzzy Hash: df57b3ba9f78b74099e088cf6f6fde3882840b0d74a49da0d9b34fb2d01c364c
Instruction Fuzzy Hash: 7EE1492FD086470AD7F28A749F736F97BA19F52304F34459BE8D04B043D25B450A8F92

Function 6D38D370 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 467COMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D38D750
K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D38D778

Strings

$OBm, xrefs: 6D38D6CB
TOBm, xrefs: 6D38D884
NBm, xrefs: 6D38D544
vOBm, xrefs: 6D38D8A4
OBm, xrefs: 6D38D674
OBm, xrefs: 6D38D6B0

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: QueryWorking
String ID: OBm$ OBm$$OBm$TOBm$vOBm$NBm
API String ID: 380726023-2185625640
Opcode ID: f22e9cae04fe3f4b987232dc42bec8a588c3ed0711f68ad47965e81c6057e415
Instruction ID: e6392978d24ca0ad29f958b297bc5b535ddaaeb5ecccf48d3dab3beb7810a9ca
Opcode Fuzzy Hash: f22e9cae04fe3f4b987232dc42bec8a588c3ed0711f68ad47965e81c6057e415
Instruction Fuzzy Hash: F202E375A002978FDB21EF29D881BA67BF5FB86340F16807AD85AC7202E731DD05CB90

Function 6D3ADFE0 Relevance: 13.5, APIs: 9, Instructions: 44clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 6D3ADFE2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6D3ADFFF
GlobalAlloc.KERNEL32(00000002), ref: 6D3AE011
GlobalLock.KERNEL32(00000000), ref: 6D3AE01E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6D3AE033
GlobalUnlock.KERNEL32(00000000), ref: 6D3AE03A
EmptyClipboard.USER32 ref: 6D3AE040
SetClipboardData.USER32(0000000D,00000000), ref: 6D3AE049
GlobalFree.KERNEL32(00000000), ref: 6D3AE054

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Global$Clipboard$ByteCharMultiWide$AllocDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 731863220-0
Opcode ID: e48fdb238880f6d094f2ed099f6d3ebef2dd1d3397ca6fe4d90a983590cc5d80
Instruction ID: 0bfc4af0a86b78496002b798ef5b51c28d50f44e0ee86b76d0e0214ca288a5a9
Opcode Fuzzy Hash: e48fdb238880f6d094f2ed099f6d3ebef2dd1d3397ca6fe4d90a983590cc5d80
Instruction Fuzzy Hash: 4D01123124562ABBEF116B61EC0EF7E3B7CEB06761F148215F612A41D0DB655400C7B1

Function 6D3ADF00 Relevance: 12.1, APIs: 8, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 6D3ADF39
GetClipboardData.USER32(0000000D), ref: 6D3ADF49
CloseClipboard.USER32 ref: 6D3ADF55
GlobalLock.KERNEL32(00000000), ref: 6D3ADF62
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6D3ADF83
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000,00000000), ref: 6D3ADFB1
GlobalUnlock.KERNEL32(00000000), ref: 6D3ADFB9
CloseClipboard.USER32 ref: 6D3ADFBF

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlock
String ID:
API String ID: 846020896-0
Opcode ID: 3ecf594b7d3826afb9965e0e8e1d0e799be2d06a381488c10776b7856e6b0033
Instruction ID: 93204193502e54e2bfc675741960d2dea6948c4f55ece4826c30c98c50cf3791
Opcode Fuzzy Hash: 3ecf594b7d3826afb9965e0e8e1d0e799be2d06a381488c10776b7856e6b0033
Instruction Fuzzy Hash: 681184713492067FEB105F64EC4DFB67BB8EB097A1F25427AF909991D0EB6190008B61

Function 6D397C75 Relevance: 10.8, Strings: 8, Instructions: 777COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
0123456789ABCDEFXP, xrefs: 6D397C81
@, xrefs: 6D397DEE
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0123456789abcdefxp, xrefs: 6D397C78
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$@$XCCm
API String ID: 0-1185362143
Opcode ID: 6ddbd2a81725ab5b25f5fadb56030df689e9418885c1976de863256819d91f62
Instruction ID: 459dca9f9563ec12de510cc01301151abc116afaa98270982f18f18bd31d4a37
Opcode Fuzzy Hash: 6ddbd2a81725ab5b25f5fadb56030df689e9418885c1976de863256819d91f62
Instruction Fuzzy Hash: 7F526871A093828FD304CF29C48172BBBE2BFD5754F18892EE4D59B361E776D8458B82

Function 6D3EB002 Relevance: 10.3, APIs: 1, Strings: 4, Instructions: 1555COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6D3EB219

Strings

1#INF, xrefs: 6D3EB138
1#IND, xrefs: 6D3EB107
1#SNAN, xrefs: 6D3EB10E
1#QNAN, xrefs: 6D3EB115

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7d0e7c6de8dacf899fe936d4b857f4a472059f7d5923daa5d06db129be1f96aa
Instruction ID: 00cec919e530b098a6d551f46e21a8de62ac19cb83a5408e13ed455419333854
Opcode Fuzzy Hash: 7d0e7c6de8dacf899fe936d4b857f4a472059f7d5923daa5d06db129be1f96aa
Instruction Fuzzy Hash: 7DD25A71E082298FDB65CE28DC417EAB7B9FB45384F1441EAD54DE7280D735AE818F81

Function 6D39D700 Relevance: 9.7, APIs: 3, Strings: 2, Instructions: 929COMMON

Download Yara Rule

APIs

__libm_sse2_acos_precise.LIBCMT ref: 6D39DC18
__floor_pentium4.LIBCMT ref: 6D39DC40
__libm_sse2_cos_precise.LIBCMT ref: 6D39DC9D

Strings

Debug##Default, xrefs: 6D39E69E
gfff, xrefs: 6D39D745

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: __floor_pentium4__libm_sse2_acos_precise__libm_sse2_cos_precise
String ID: Debug##Default$gfff
API String ID: 3895510629-3988733986
Opcode ID: ed14f4684ea87099391865f70bf57640c7ca49664a836d56ddd91f875aa81578
Instruction ID: 8ed6780859ebc09cdbab173141455b8c0987a787f0f3f763c63236d02bcffb0b
Opcode Fuzzy Hash: ed14f4684ea87099391865f70bf57640c7ca49664a836d56ddd91f875aa81578
Instruction Fuzzy Hash: BA92C571A05B469FD719CF3AC4817E6F7E0BF49304F088769D869AB291E731B4A4CB90

Function 6D397A74 Relevance: 9.5, Strings: 7, Instructions: 729COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
0123456789ABCDEFXP, xrefs: 6D397A7C
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0123456789abcdefxp, xrefs: 6D397A81
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCCm
API String ID: 0-661937115
Opcode ID: 98315cc448e90b28aef4c759d42f374ba83600eef593d8bf92a56de2da23bd9b
Instruction ID: aaeac0187baaa192104bedd911a5a631550e6c601c276f7a8b114cdf76797bcc
Opcode Fuzzy Hash: 98315cc448e90b28aef4c759d42f374ba83600eef593d8bf92a56de2da23bd9b
Instruction Fuzzy Hash: 5D527871A083428FD704CF29C88162BFBE2AFD5754F18892EF495DB361E776C8458B82

Function 6D397CE1 Relevance: 9.5, Strings: 7, Instructions: 721COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
0123456789ABCDEFXP, xrefs: 6D397CFA
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0123456789abcdefxp, xrefs: 6D397CF1
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCCm
API String ID: 0-661937115
Opcode ID: 071cad38740eb4933f014bd5324b0266e889f1b99e84c41ea2e116b7d5b153f1
Instruction ID: 6bc2534ba1388729c0d4c65dffc73defeec8432a5c6f0d78cd170e83e45eae1a
Opcode Fuzzy Hash: 071cad38740eb4933f014bd5324b0266e889f1b99e84c41ea2e116b7d5b153f1
Instruction Fuzzy Hash: E6526871A093828FD704CF29C48172BFBE2BFD5754F18892EE4959B361E776C8458B82

Function 6D3D27B9 Relevance: 9.1, APIs: 6, Instructions: 133keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6D3D27E8
GetKeyState.USER32(00000010), ref: 6D3D281F
GetKeyState.USER32(00000012), ref: 6D3D2856
GetKeyState.USER32(0000005D), ref: 6D3D288D
GetKeyState.USER32(000000A0), ref: 6D3D2944
GetKeyState.USER32(000000A1), ref: 6D3D296A

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 702769cb2eab43bd25988cf775cdd756a973ac7d39d04c2eb2a34c109af6d57e
Instruction ID: 8bff9eb7f03dbe49a73442a696764aa80cb25be1623000e50603a468fa98324e
Opcode Fuzzy Hash: 702769cb2eab43bd25988cf775cdd756a973ac7d39d04c2eb2a34c109af6d57e
Instruction Fuzzy Hash: 9D412836A0C2454AEF72DE789A413AE7BA29F92308F054819E9D41F1C2C763955ECF93

Function 6D399700 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6D39997D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D3999B4

Strings

Inf, xrefs: 6D39975B
NaN, xrefs: 6D399754

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__aulldiv__ehfuncinfo$??2@
String ID: Inf$NaN
API String ID: 1185945948-3500518849
Opcode ID: 9878090deaa6867af77101a93956dcd51e4a09f2f8d820ba0be1da34ee506187
Instruction ID: de814700b8166478e11b5442b58959b22ccb1eb2961c66249d39bb06337fa76b
Opcode Fuzzy Hash: 9878090deaa6867af77101a93956dcd51e4a09f2f8d820ba0be1da34ee506187
Instruction Fuzzy Hash: 3AC1F431A183028FD715CF29C85162EB7E6FFC5314F15AA2EF8999B390E771D9018B92

Function 6D397E34 Relevance: 8.5, Strings: 6, Instructions: 977COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0000, xrefs: 6D3988F4
, xrefs: 6D397E34
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ $0000$0000$XCCm
API String ID: 0-3992252955
Opcode ID: ff3ece5c5d1d6fc69d88cd9b94e545f0cc2c525b703cc842c81a6827fca8a54d
Instruction ID: 36d9938cd6d9d8675b3a15558ef8ffbac0915607c4d365f7738943544ccf15f4
Opcode Fuzzy Hash: ff3ece5c5d1d6fc69d88cd9b94e545f0cc2c525b703cc842c81a6827fca8a54d
Instruction Fuzzy Hash: 75827A71A083428FD304CF29C48162BFBE6BFD9754F148A2EF4999B361E775D8458B82

Function 6D3972E0 Relevance: 8.4, Strings: 6, Instructions: 900COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
, xrefs: 6D3975D0
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ $0000$0000$XCCm
API String ID: 0-3992252955
Opcode ID: 4d31d69c906c14816dcc612c46452be521d09c1fd4feb417b5887d95d0483ffa
Instruction ID: aef6eba89678eed2dbfc9d2961069ecd91d1749a977813923eeb1f0866fec1e5
Opcode Fuzzy Hash: 4d31d69c906c14816dcc612c46452be521d09c1fd4feb417b5887d95d0483ffa
Instruction Fuzzy Hash: E2727D71A083828FD705CF29C48122BFBE6BFC5714F14892EE5D58B361E776D8468B82

Function 6D3975E9 Relevance: 8.2, Strings: 6, Instructions: 708COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
null, xrefs: 6D3975F4
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCCm$null
API String ID: 0-3777294923
Opcode ID: af854be82645f37975f2e7cfe9a1b7a1a51cb9f8a72c47aee47a0ddf66f843bb
Instruction ID: 50dfeda699777089eeb098da7c5fc62f0a93ab32e58564696cf2c6c9438cac71
Opcode Fuzzy Hash: af854be82645f37975f2e7cfe9a1b7a1a51cb9f8a72c47aee47a0ddf66f843bb
Instruction Fuzzy Hash: DC428971A093428FD704CF29C88122BFBE2AFD5754F18892EF495DB365E776C8458B82

Function 6D3C5F90 Relevance: 7.1, Strings: 3, Instructions: 3379COMMON

Download Yara Rule

Strings

daBm, xrefs: 6D3C90FD
#SCROLLY, xrefs: 6D3C6602, 6D3C6639
haBm, xrefs: 6D3C9107

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: #SCROLLY$daBm$haBm
API String ID: 0-2691892368
Opcode ID: b32ffdadefd67da5336c1d4b0864aee21e1124ef48bf82040d4dcdc26e2d009f
Instruction ID: 034685c9ae7a0c216310577d78b392458a186b008b1966c606a81398cfcb9dd6
Opcode Fuzzy Hash: b32ffdadefd67da5336c1d4b0864aee21e1124ef48bf82040d4dcdc26e2d009f
Instruction Fuzzy Hash: 1163EE70E0474A8FDB11CB76C8817E9FBB1BF49304F088699D8596B291E7326D85CF92

Function 6D397C69 Relevance: 7.0, Strings: 5, Instructions: 745COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCCm
API String ID: 0-631190175
Opcode ID: 7c9165d6f120143c2280aed377b7ecbb206de63d5fd601742f54b42b84a3e00c
Instruction ID: 35113c37c51e56fb7f8f463614150ff97c1cb660d533c979629f0e688ccbd225
Opcode Fuzzy Hash: 7c9165d6f120143c2280aed377b7ecbb206de63d5fd601742f54b42b84a3e00c
Instruction Fuzzy Hash: 5F528971A083428FD304CF29C88162BBBE2BFD5754F188A2DF495DB365E776C8458B82

Function 6D397CB6 Relevance: 7.0, Strings: 5, Instructions: 714COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCCm
API String ID: 0-631190175
Opcode ID: d3d97fe635fdabb220c39bf0a898b74bc77d4e40b436f00e1da858f47e0b60db
Instruction ID: cbec3723fb18865d552ceb068fe1a53f5b10c129b29e9020d67ac0f64ca8ede3
Opcode Fuzzy Hash: d3d97fe635fdabb220c39bf0a898b74bc77d4e40b436f00e1da858f47e0b60db
Instruction Fuzzy Hash: 4C426871A093828FD704CF29C48132BFBE2BFD5754F18892EE4959B361E776C8458B82

Function 6D39763E Relevance: 6.9, Strings: 5, Instructions: 696COMMON

Download Yara Rule

Strings

XCCm, xrefs: 6D398704, 6D398718
, xrefs: 6D3986ED
0000, xrefs: 6D398B84
0000, xrefs: 6D3988F4
, xrefs: 6D398D01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCCm
API String ID: 0-631190175
Opcode ID: d38f51aa3ed62d8ebc788641a59490147d225224aafcf3996cc1d664648c048f
Instruction ID: 74bf25c14cf53d00afa341e86f32616ff5b9d447bab49bfa0b459f3557a7c578
Opcode Fuzzy Hash: d38f51aa3ed62d8ebc788641a59490147d225224aafcf3996cc1d664648c048f
Instruction Fuzzy Hash: A9428A71A093828FD704CF29C48122BFBE2AFD5754F18892EF495DB365E776C8458B82

Function 6D3DC900 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea1c5646f93581e152db654d64d339b3ceb19541b308a82805f66d273fde0bd
Instruction ID: 57b96acf234cf9be8399af30dd7812fcb4fe0c6351cc51a4c873e146ba678527
Opcode Fuzzy Hash: 8ea1c5646f93581e152db654d64d339b3ceb19541b308a82805f66d273fde0bd
Instruction Fuzzy Hash: 4D024E72E1121A9FDB54CFA9C8806ADFBF5FF88314F258269D515E7340D731AA428F90

Function 6D3BD8B0 Relevance: 6.4, APIs: 4, Instructions: 355COMMON

Download Yara Rule

APIs

__libm_sse2_acos_precise.LIBCMT ref: 6D3BD9F1
__libm_sse2_acos_precise.LIBCMT ref: 6D3BDA4B
__libm_sse2_acos_precise.LIBCMT ref: 6D3BDC4F
__libm_sse2_acos_precise.LIBCMT ref: 6D3BDCA7

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: __libm_sse2_acos_precise
String ID:
API String ID: 2846157662-0
Opcode ID: e1e94e562277b190db36eb01ae045b9b806b842767ca4228875c086f48c495d9
Instruction ID: f66eca138e591b669dc5d1de23fd1f4e93a4f9589eca7f39f7b94c510ea4f686
Opcode Fuzzy Hash: e1e94e562277b190db36eb01ae045b9b806b842767ca4228875c086f48c495d9
Instruction Fuzzy Hash: 50E1753181974D9AC612DB37988065AF7A4AFEF744F18DF0EB995324F0E730A1989B42

Function 6D3D5853 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D3D585F
IsDebuggerPresent.KERNEL32 ref: 6D3D592B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D3D5944
UnhandledExceptionFilter.KERNEL32(?), ref: 6D3D594E

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b75c4578f2958dafa7c82936bd4bfed5b84629f9a680c019ea151f210967ba4f
Instruction ID: 8fdd6d2021ee2c554fb91c209e095398c96962a7683fe59d6082711d9f049eeb
Opcode Fuzzy Hash: b75c4578f2958dafa7c82936bd4bfed5b84629f9a680c019ea151f210967ba4f
Instruction Fuzzy Hash: 17312775D0521DABDF60DFA4D9497DDBBB8EF09304F1081AAE50CAB240EB719A84CF44

Function 6D3C23B0 Relevance: 5.5, Strings: 4, Instructions: 466COMMON

Download Yara Rule

Strings

##v, xrefs: 6D3C249A, 6D3C249B, 6D3C249C
#ComboPopup, xrefs: 6D3C26A7
haBm, xrefs: 6D3C2A3C
daBm, xrefs: 6D3C2A32

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: ##v$#ComboPopup$daBm$haBm
API String ID: 0-1292387845
Opcode ID: c3d700a9b7d722b2242dfaa6d5837dd56c88024e559cefd72f819fba4a9f8ca3
Instruction ID: 5ebf77bab2e7ac2e085ffac319ea70fa881527787d91a64ea26d55e727b473b7
Opcode Fuzzy Hash: c3d700a9b7d722b2242dfaa6d5837dd56c88024e559cefd72f819fba4a9f8ca3
Instruction Fuzzy Hash: 8D22AD359187499FC721CF36C48166BF7E0AF9A304F099F1DF894661A1EB71A888DF42

Function 6D3CA3A0 Relevance: 4.7, Strings: 3, Instructions: 910COMMON

Download Yara Rule

Strings

N/A, xrefs: 6D3CA8AA
,, xrefs: 6D3CA931
,, xrefs: 6D3CA4C9

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: ,$,$N/A
API String ID: 0-1273944187
Opcode ID: d28dd28645d2217f0d58cee16df95307902be836a499ddef10da2287afdd9b7a
Instruction ID: c48c4daf6198a905087f02e0f676c4032c90fc978ae759cb7532da50b3efa35f
Opcode Fuzzy Hash: d28dd28645d2217f0d58cee16df95307902be836a499ddef10da2287afdd9b7a
Instruction Fuzzy Hash: E6928B3090874A9BC315CF3AC481A6AF7E0BF99344F18CB1DE995A7661D731F895CB82

Function 6D3D8776 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D3D886E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D3D8878
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D3D8885

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8a819799d71f2f34194219b0296ec448f92935fed74fae842edd431e5f3a7798
Instruction ID: e007138e8950eeef682222cdbfa271a4e76b173a0bfbf7833f569eecf8230378
Opcode Fuzzy Hash: 8a819799d71f2f34194219b0296ec448f92935fed74fae842edd431e5f3a7798
Instruction Fuzzy Hash: 5C31D27590122CABCB61DF28D9887DCBBB8BF08310F5081EAE41CA6290E7309B85CF44

Function 6D3C3500 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

haBm, xrefs: 6D3C3904
daBm, xrefs: 6D3C38FA
##timewarp_scale, xrefs: 6D3C35C5, 6D3C35C6, 6D3C35C7, 6D3C3774

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: ##timewarp_scale$daBm$haBm
API String ID: 0-1363335747
Opcode ID: e235bc53dfc3a84dc8659f1d5e6ef421a516c06706900e7c02e79b9134ded5af
Instruction ID: 9017a38cffa9c9e6ba88568a1deab97cc73f9680bd57a1028b1f8826790a824e
Opcode Fuzzy Hash: e235bc53dfc3a84dc8659f1d5e6ef421a516c06706900e7c02e79b9134ded5af
Instruction Fuzzy Hash: 90D1D671A083459BC711DF36C881BAAF7F1BF99308F048B2DF5982A191D732A959DB43

Function 6D3BA580 Relevance: 3.9, Strings: 2, Instructions: 1437COMMON

Download Yara Rule

Strings

A, xrefs: 6D3BA6A6
|, xrefs: 6D3BB1FB

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: A$|
API String ID: 0-641917524
Opcode ID: 74317e81c019724711651e645c9bb3375ec776be11c0a38362ca097f3bb96181
Instruction ID: 788bc6763b668261813f64dc27ae6fc368a452823bc6bed694d3817af7821a81
Opcode Fuzzy Hash: 74317e81c019724711651e645c9bb3375ec776be11c0a38362ca097f3bb96181
Instruction Fuzzy Hash: 5EE2BD70D046298FDB69CF29C881BE9F7F0BF59304F0582E9D449A7641EB31AA95CF80

Function 6D3D2760 Relevance: 3.2, APIs: 2, Instructions: 241windowCOMMON

Download Yara Rule

APIs

GetMessageExtraInfo.USER32 ref: 6D3D2C9E
ScreenToClient.USER32(?,?), ref: 6D3D2D83

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ClientExtraInfoMessageScreen
String ID:
API String ID: 3314809007-0
Opcode ID: 9b87ef8e700713226818b420ceec46515ee6a154dd8529bab3908830489abab4
Instruction ID: 609bf2adbd2187c5c2ed1ca264c257d9811844a67d649dc5671628b1e4def1a7
Opcode Fuzzy Hash: 9b87ef8e700713226818b420ceec46515ee6a154dd8529bab3908830489abab4
Instruction Fuzzy Hash: 52810F76B082058FD754CF39D18276EB7E5EB88304F048A2EE899D7291C736D881CF81

Function 6D3D14C0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 6D3D14D3
GetLocaleInfoA.KERNEL32(00000000,20001004,-00000024,00000004), ref: 6D3D14E8

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: InfoKeyboardLayoutLocale
String ID:
API String ID: 1218629382-0
Opcode ID: 7c9889be3a9219b976cf6ca9c894231925321dc65b76d07307e18e0c6c0011a7
Instruction ID: 70cfea999330d7893620330861868ee046e53bb512d2df790327ce78f50eee38
Opcode Fuzzy Hash: 7c9889be3a9219b976cf6ca9c894231925321dc65b76d07307e18e0c6c0011a7
Instruction Fuzzy Hash: DDE0C273548161BBEF909AA5DC08FE63EBCAB01651F030120FB44D7149D720D840CBA0

Function 6D3A08B0 Relevance: 2.2, Strings: 1, Instructions: 951COMMON

Download Yara Rule

Strings

#RESIZE, xrefs: 6D3A09C0

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: #RESIZE
API String ID: 0-1383961720
Opcode ID: 2391dca384ecb0a2e6c8390692ec008b85a85b2eaa8f878648e2aceed8b81869
Instruction ID: 433ddf76ba1e4de48944d6147bb07c916e7e743ecd823e7d0cc0e2c04836d289
Opcode Fuzzy Hash: 2391dca384ecb0a2e6c8390692ec008b85a85b2eaa8f878648e2aceed8b81869
Instruction Fuzzy Hash: 89928E71A187498AC302CB37C4817AAF7A0FF9E344F1CDB1EE998771A1D732A4959B41

Function 6D3B0560 Relevance: 2.0, Strings: 1, Instructions: 715COMMON

Download Yara Rule

Strings

, xrefs: 6D3B0EC8

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f463a8579442e68b56bf74cc74f4701c782e6f4f2b5e9eec863c55699119b748
Instruction ID: 940a3813da6f2f3c40eb81e6040f37baa6a70d1dce01e71604ee41a20e188f96
Opcode Fuzzy Hash: f463a8579442e68b56bf74cc74f4701c782e6f4f2b5e9eec863c55699119b748
Instruction Fuzzy Hash: 5E52C0719187918FC315CF3A859127BFBE1AFAA304F088B1EF8D593661E339E5458B42

Function 6D3AC460 Relevance: 1.9, Strings: 1, Instructions: 618COMMON

Download Yara Rule

Strings

##NavUpdateWindowing, xrefs: 6D3AC4E2

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: ##NavUpdateWindowing
API String ID: 0-2766148257
Opcode ID: a954824b86eb49e43a5fd97a53ee71a2a00ae09ab0e0702636e0fbcd3e434ef3
Instruction ID: 91d8812f3279e5d1e76ac0e51b9e489cfae2c28461cf68db1979abf66e214da4
Opcode Fuzzy Hash: a954824b86eb49e43a5fd97a53ee71a2a00ae09ab0e0702636e0fbcd3e434ef3
Instruction Fuzzy Hash: 5142E4787087868AD712CF36C0817E6F7E1EF56304F0C8B1ED8A957292D776A489CB91

Function 6D3EEC55 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,6D3EEC50,00000000,?,00000008,?,?,6D3EE853,00000000), ref: 6D3EEE82

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0c5c79a61e87278fab624ac21dd568e5061cbe293b9c13d7b42f1b29129d02e7
Instruction ID: 6fccbe4a8673b32df6b2fecfc550687958eefaefaff89f37bde547fab3ccd60f
Opcode Fuzzy Hash: 0c5c79a61e87278fab624ac21dd568e5061cbe293b9c13d7b42f1b29129d02e7
Instruction Fuzzy Hash: 1BB12932520619DFD705CF28C486B657BE0FF453A4F258699E9A9DF2E1C336E982CB40

Function 6D3BC420 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

., xrefs: 6D3BC7AE

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 670edd86514c7c483bbd2144e272dcceeb53dead85eac0e2d70b8de88acefb5b
Instruction ID: a038adc8d997e25f42f7b793ee19326e47e5f97e8310f9a8cbbeafa491126dd3
Opcode Fuzzy Hash: 670edd86514c7c483bbd2144e272dcceeb53dead85eac0e2d70b8de88acefb5b
Instruction Fuzzy Hash: FB028E35600B068FC330DF29C491A76B3F1FFA9304B558A5DD8868BA61EB31F999CB50

Function 6D3D566F Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D3D5685

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3d07cd52e6e6c7d42df511046b09a8b4fcce09e45b2413a926d7bee5313b37d9
Instruction ID: 4d1f207b702b08cf2f2586346fb30b5f2d70416abf9c5aa0b865d1ebb47e2011
Opcode Fuzzy Hash: 3d07cd52e6e6c7d42df511046b09a8b4fcce09e45b2413a926d7bee5313b37d9
Instruction Fuzzy Hash: 375117B6A04616CBEB54CF5AC9867AABBF4FB4A350F21846AD415EB340D376D900CF90

Function 6D3E7B99 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2ca9cc2eedd96c3591930696d53b261bdb29d0864a8f1830836a029236dbf8
Instruction ID: c03df40d3b412cf5ae290d81f980f680ac687638c903d629b6c066e2fe21e989
Opcode Fuzzy Hash: 6a2ca9cc2eedd96c3591930696d53b261bdb29d0864a8f1830836a029236dbf8
Instruction Fuzzy Hash: 0541D5B5C0822DAFDB10DF68CC89AAABBB8EF45344F1082DAE458D3241DB319E458F50

Function 6D3E12A1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 6D3E1425

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 21f5da649e7b363a60aa073e556caba06f7069f5ae87ac2c84534c1dc861a66f
Instruction ID: 35a0e39a474bbd03a394bc53a8b135bc72dcecc5151ac691b0d81bb4242fad34
Opcode Fuzzy Hash: 21f5da649e7b363a60aa073e556caba06f7069f5ae87ac2c84534c1dc861a66f
Instruction Fuzzy Hash: B7B10470A08A2B8BCB15CF68C8526BEB7B5BF05384F10461FD5A6A7BD5C732E601CB51

Function 6D3E8D9A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D3E8D9A

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 66edf8357d7d817cb167fa3086449cd28078f7e08717b58d38e0afb1921b3a7e
Instruction ID: d1afdaccde35e2259db8078139ed3fcc03b9e0518f615cb697d1bbf75fd718fe
Opcode Fuzzy Hash: 66edf8357d7d817cb167fa3086449cd28078f7e08717b58d38e0afb1921b3a7e
Instruction Fuzzy Hash: FEA011302022028BAF208F3A830A3083AFCEA022803028028A008C8028EB208800ABA2

Function 6D3F048B Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313980ecac099b7cb1f8b7b5e9e9204859c2f764f8fab2246f33f768796076b2
Instruction ID: 8333a576b8e4c1356cf0a4dce0e453f5d2d2e6e0337bcf01d65421542402642f
Opcode Fuzzy Hash: 313980ecac099b7cb1f8b7b5e9e9204859c2f764f8fab2246f33f768796076b2
Instruction Fuzzy Hash: 1E325821D69F054DDB23A939C872336A25DAFB33D4F55C737E819B5AA6EB29C4C34100

Function 6D3F2549 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0042a1756ca527c0f4fbdd66b2592a95a02fa9433dd252fcd5bf74200c86a159
Instruction ID: d7810fa0500a02272d07bfcde0d200bb29dc2f4f94a5cebc28557fa79335028a
Opcode Fuzzy Hash: 0042a1756ca527c0f4fbdd66b2592a95a02fa9433dd252fcd5bf74200c86a159
Instruction Fuzzy Hash: EC322422D69F458DDB239534C922335A25DAFB73C4F21D727F82AF6D99EB29C8834140

Function 6D3AA6C0 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ef58eb8b97c10c4999d592aa68f12349b38b02fd320607b5aab5019d223132
Instruction ID: 25141b5c8f10329444265302af283501ba05b5436b8c091ea62a6bb4e02dfccc
Opcode Fuzzy Hash: 83ef58eb8b97c10c4999d592aa68f12349b38b02fd320607b5aab5019d223132
Instruction Fuzzy Hash: B842AF72708B469AE716CB35C445BE1F7E1FF46318F08836ED8B80B192D7766499CB81

Function 6D3BFD00 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8735c967da210c66ac4b872defe7012c4beae02b564887c742d79d5659a06d2d
Instruction ID: 894de30f27ad8c739d5502626c7d62d0a5125200d3b609e421f657eade071e22
Opcode Fuzzy Hash: 8735c967da210c66ac4b872defe7012c4beae02b564887c742d79d5659a06d2d
Instruction Fuzzy Hash: 0512E8746087869BD705CF36C0813AAF7E1BF96348F048B1DE9A457291D776AC85CB83

Function 6D38A9D0 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75be5b5d84f63c9f3f8fd8de8202d25b7f09a0b15f2195c882ab7dc91f1d43a3
Instruction ID: ccf8965e8729f177f2cb09bbf50f43cfc1e7dd88e608b3edf4cffeda561cdfef
Opcode Fuzzy Hash: 75be5b5d84f63c9f3f8fd8de8202d25b7f09a0b15f2195c882ab7dc91f1d43a3
Instruction Fuzzy Hash: D6F119B2A182214BD71DCE18C8D062DBBF6EBC4306F154A3DE486D73D6D6748D84CB92

Function 6D3D17F0 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b361d1ae327e8553a506810dc4068e6f2403f3f19ff5e31f9b9ccc7941451521
Instruction ID: ca45bf64401757e9e7a93842fac5d3d7ee2ec5b6a28d96f503831cc9ab926d98
Opcode Fuzzy Hash: b361d1ae327e8553a506810dc4068e6f2403f3f19ff5e31f9b9ccc7941451521
Instruction Fuzzy Hash: 03022B35A147559BEB42CB36C442377B7E19F5B688F18CB09FC986B182D331A8C88BD1

Function 6D3CDEF0 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef53cf1d331775f18276986ef2604a890e774c934628a8a3e0f78457a64ea8
Instruction ID: f0d261aa2be8aa5c0450494faa8df4156344af80a65951bf9bbef3bbb4ec6124
Opcode Fuzzy Hash: 07ef53cf1d331775f18276986ef2604a890e774c934628a8a3e0f78457a64ea8
Instruction Fuzzy Hash: 1E02A632D1974DC6D703D63784822A6F7A06FAF284F1DDF1AFD54761B1E32678888A42

Function 6D3C97A0 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9257040062c48c5bd71959de82f04da92c4cfdaf2b96b0669738b2e67c7fcb17
Instruction ID: bd5c7cd21e3f5dd0a2d3ebdb2644bddded4cfbdf4bfd26cfa912e595b8752eaf
Opcode Fuzzy Hash: 9257040062c48c5bd71959de82f04da92c4cfdaf2b96b0669738b2e67c7fcb17
Instruction Fuzzy Hash: CA12D4319087869BD311CF36C4817AAF7E0BF9A309F058B1DE9A5631A1D732A894DB53

Function 6D3CE5C0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9c2fbea84e66267d08d2710be06008bb7cfd0cd13ba69aa4992cc447627aea
Instruction ID: a25ae476f92a3e1a28b56900f11b3307d1ac6312ef7c4b9c3ceca00d66ebb41a
Opcode Fuzzy Hash: 5e9c2fbea84e66267d08d2710be06008bb7cfd0cd13ba69aa4992cc447627aea
Instruction Fuzzy Hash: F2021932C18B8D8AC703DA3784932A6F7A46FAF380F19CB07FD6577161E72578958642

Function 6D3B1240 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c28566ff688fd3a562bcb4d728b03f25e5b6241ec8869664872669e47ca921
Instruction ID: e9fc100dd9ec62da05699a3b99abb2c8c36b1a589536ee1c2d591cd6d397c754
Opcode Fuzzy Hash: 10c28566ff688fd3a562bcb4d728b03f25e5b6241ec8869664872669e47ca921
Instruction Fuzzy Hash: 2A120571518B848FC375CF2AC581BAAF7E1BF9A304F058B1DD48997661EB30A499DB02

Function 6D3C0FF0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb754be7f8a5e86d1ba86dedeb94d5affac8d3365a2a2eaf42c43f5e9242a9
Instruction ID: 8f0186c5223dc564e510414c3d3c819cd6eada04ec45b809e3ad093375905357
Opcode Fuzzy Hash: dcdb754be7f8a5e86d1ba86dedeb94d5affac8d3365a2a2eaf42c43f5e9242a9
Instruction Fuzzy Hash: F5E195319287899BD302DE37C48165AF7F0AFEE244F18DF0EF895361A1D771B494AA42

Function 6D3BF160 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74820df475f90fde83560e54e4c93a594eafb292b5219ce42d721faee8bf8ec
Instruction ID: 3e3d31647abcd562b008303b260de274358294f3fb5175775a9d7c56befc3c16
Opcode Fuzzy Hash: a74820df475f90fde83560e54e4c93a594eafb292b5219ce42d721faee8bf8ec
Instruction Fuzzy Hash: B7D1D33490834ADFC715CF26C480796B7F0BF5A344F089B6DE8986B652D732E599CB81

Function 6D3F1BCE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635cd08fbc573d27688f29f951fb71cbc3289d52e3f141c0dbf043e90bd0299f
Instruction ID: ddfa8597409c00b2eb5f7eee472e1a52b64a6b392e96c13e0a71ed256b09dfa4
Opcode Fuzzy Hash: 635cd08fbc573d27688f29f951fb71cbc3289d52e3f141c0dbf043e90bd0299f
Instruction Fuzzy Hash: 32B1F221D2AF414DDB23A6398831336B6ACAFFB2D5F56D71BFC6670D12EB2185834180

Function 6D3B53F0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5819e66026311926e5e92411c594da8cee1c967ae30482421966a5e602d61e
Instruction ID: e4666c9cc2d1ad69b7916a80c0640be4ad3023491e65c5ddbdf7e42765c68674
Opcode Fuzzy Hash: 2f5819e66026311926e5e92411c594da8cee1c967ae30482421966a5e602d61e
Instruction Fuzzy Hash: DEC1AC31D297498FC702DF37C88052AF7E0EFEA644F14DB1AF884A6161E331A885DB42

Function 6D3B4AB0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05be29f5040c699cd9d44b7027cc9524b3b2dc1b46871af1e3304011fdfebc8c
Instruction ID: 482af76c0905aff5f7f81c652d45fc232bd9acfbef0b9fe398a5a59a824d0bf9
Opcode Fuzzy Hash: 05be29f5040c699cd9d44b7027cc9524b3b2dc1b46871af1e3304011fdfebc8c
Instruction Fuzzy Hash: DF9179319183468FC701CF2AC48066AF7E1BFD9358F198B1DE985A7222E731F5958F86

Function 6D3ABDC0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e3d534b096ffeeed55a31d97a068e1ea77c547af401a1ec6b42e2cf90c7df2
Instruction ID: afa4cd415d8b198ea29761c16ba22d0807966d16926caa7e116eef75fb0194ef
Opcode Fuzzy Hash: 74e3d534b096ffeeed55a31d97a068e1ea77c547af401a1ec6b42e2cf90c7df2
Instruction Fuzzy Hash: 9B81D271615B498AD313CB3A94863F2F7E0EF45324F2C8B5AD5E91A1E2D7722198CB81

Function 6D3B5850 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be6f1185885eb51bfd521f6a484dfd8d52fdf277b9078649be35c550862b4b2
Instruction ID: 50201d6a6b78f6206587f2d87d2532073c5a490ac1a297d0b2b2e3768abd8265
Opcode Fuzzy Hash: 3be6f1185885eb51bfd521f6a484dfd8d52fdf277b9078649be35c550862b4b2
Instruction Fuzzy Hash: 6161C2B260C3958FC305DF2DC59156ABBE0BFA9208F484A6DF4D5D7A42D334D808CB56

Function 6D3B5AB0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e72e2a757c3950c0da9bc63d598a8145647582cb036fb13759af6f61073af3
Instruction ID: 1852c14e6cdc3e89e847b3d4e7cdda69227985fcef609fb8ba905f30844c4778
Opcode Fuzzy Hash: 11e72e2a757c3950c0da9bc63d598a8145647582cb036fb13759af6f61073af3
Instruction Fuzzy Hash: DF6190B260C7928FC306CF2DC58157AFBE5BFAA204F444AAEE0D5C7641D734D5488B96

Function 6D3AF490 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb9c200384795c83f1914d520cc9e6f6cc3b3049d69cd08bf3e277d60c65be
Instruction ID: 156e4d1e16f25499513dc31bd722b04f100d1c583211c79331c865a6c2b79d1c
Opcode Fuzzy Hash: 8ceb9c200384795c83f1914d520cc9e6f6cc3b3049d69cd08bf3e277d60c65be
Instruction Fuzzy Hash: 8951E93234C9314A9768CD2DB8500F9B7D6DBC621136CC6BFF1D5C7A0AD12AA48BE760

Function 6D39D490 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0d949b2f6fa0b209840a2ddd19e2e01c5ade024e37ff0591e17a192ff30e2e
Instruction ID: ada68ccaeec332c80d750a6cfe1cc2675c31d443d1f7beb01081f8c471803427
Opcode Fuzzy Hash: fe0d949b2f6fa0b209840a2ddd19e2e01c5ade024e37ff0591e17a192ff30e2e
Instruction Fuzzy Hash: AE61F5302087839BD7019E39A4433F2BBE47F9232CF548659D4B98F192E3A79059DBA1

Function 6D39A070 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667d3618d4bc3abd922854d1eb8a82abbb1a9a41ec37be80854c72bd8f992afa
Instruction ID: 9c0de6d8800baab4b198d6572579adc13963d6e996b08eb88c26826d0575b974
Opcode Fuzzy Hash: 667d3618d4bc3abd922854d1eb8a82abbb1a9a41ec37be80854c72bd8f992afa
Instruction Fuzzy Hash: 38512A32A0D3524BC70CDF29889166FBBE1AFC5700F49496DE4D69B341E7349A0CC792

Function 6D3DA8D0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31aa143e30b41863d714d1eea67c976006b9f97cadf7236cbc214e2c3673a0e
Instruction ID: a7ae5620130e412e89e0050e9ddbbe9367d682b5bc86cb4cc46e37fffe7113dc
Opcode Fuzzy Hash: c31aa143e30b41863d714d1eea67c976006b9f97cadf7236cbc214e2c3673a0e
Instruction Fuzzy Hash: 2751D372D0021AEFDF04CF98C941AEEBBB2FF98304F0A8059E554AB241D775AA51CF90

Function 6D39A260 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c805c0a79658179860f11f0d2b7eb33321df3ad408faace60cf1e6bfeaea36e1
Instruction ID: 201bbfe57868a32def92a426c8a99a7b4c865a1a88751038c3169b490a650fc9
Opcode Fuzzy Hash: c805c0a79658179860f11f0d2b7eb33321df3ad408faace60cf1e6bfeaea36e1
Instruction Fuzzy Hash: 0E414D32B5D7924BD70CCE68C8E157E7BE2DBC2300F1D8A6DD5C24B641EA65880DC391

Function 6D399F10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a378d8eb8b4ede8c588aa6fa34d314a6e9357a5257c6be199c0eb89b22892c46
Instruction ID: f119e4a6e2a03907a2aa6ec404d24a86ea0d769032487d54ec834103d8525f6b
Opcode Fuzzy Hash: a378d8eb8b4ede8c588aa6fa34d314a6e9357a5257c6be199c0eb89b22892c46
Instruction Fuzzy Hash: 874108337183924FD748DE7CC89266ABBE1EB86311F4A897DE4C5CB241E638D849C751

Function 6D3BCBF0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524ff240882bff5b829da51e0ec2e49f9b44bbf562bec92475d9ced549f2ddc8
Instruction ID: e865691ac59ac0eb1c980d5998a88c187f6af69019f7066e3a267dc07c6ea339
Opcode Fuzzy Hash: 524ff240882bff5b829da51e0ec2e49f9b44bbf562bec92475d9ced549f2ddc8
Instruction Fuzzy Hash: 97311E3564A31D4BC335C93B84E1675B7D5AFFB200B29CB1FEC65A7D50D332A8858141

Function 6D3EFA50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e65125b853f4b9f1ae4e4946d3646efcaafd5453137660eabec457fadd13a91c
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5B1138772400A343D380892FF4B56B7B7A5EAC52E8729837BD0614F6C8D2A3D1859E00

Function 6D385320 Relevance: 72.1, APIs: 17, Strings: 24, Instructions: 303
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(System.Runtime.InteropServices.GCHandle), ref: 6D385374
SysFreeString.OLEAUT32(00000000), ref: 6D3853BA
SysAllocString.OLEAUT32(Alloc), ref: 6D38542C
SysFreeString.OLEAUT32(?), ref: 6D385478
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D38547F
VariantInit.OLEAUT32(?), ref: 6D38549F
SysAllocString.OLEAUT32(?), ref: 6D3854AD
VariantInit.OLEAUT32(?), ref: 6D3854BA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000), ref: 6D3854D2
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6D385507
SysFreeString.OLEAUT32(?), ref: 6D385546
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D38554D
SysAllocString.OLEAUT32(AddrOfPinnedObject), ref: 6D385598
SysFreeString.OLEAUT32(00000000), ref: 6D3855DE
SafeArrayCreateVector.OLEAUT32(00000000,00000000,00000000), ref: 6D3855F7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D385627
_com_issue_error.COMSUPP ref: 6D3856A0

Strings

[!] Get mscorlib.dll Assembly Failed, xrefs: 6D385A62
[!] GetType (0x%X), xrefs: 6D3853C7
[!] CLRCreateInstance, xrefs: 6D385926
Alloc, xrefs: 6D385423
[!] Invoke("Alloc") (0x%X), xrefs: 6D385557, 6D38555D
[!] C# Get Default Domain Failed, xrefs: 6D385AF9
[!] GetInterface, xrefs: 6D3859AE
mscorlib.dll, xrefs: 6D385A0A
[!] Get osu! Assembly Failed, xrefs: 6D385ADB
[!] GetRuntime failed: %S, xrefs: 6D385950
v4.0.30319, xrefs: 6D38594B
System.Runtime.InteropServices.GCHandle, xrefs: 6D385368
[!] GetMethod("AddrOfPinnedObject") (0x%X), xrefs: 6D3855EA, 6D385637
[!] Load (0x%X), xrefs: 6D38583D
System.Object, xrefs: 6D385402
[!] Start, xrefs: 6D3859C5
AddrOfPinnedObject, xrefs: 6D38558F
[!] GetMethod("Alloc") (0x%X), xrefs: 6D38548B
[!] Invoke("AddrOfPinnedObject") (0x%X), xrefs: 6D385631
System.Runtime.InteropServices.GCHandleType, xrefs: 6D3853F9
[!] QueryInterface, xrefs: 6D38574F
[!] GetDefaultDomain, xrefs: 6D3856FB
osu!, xrefs: 6D385A83
kCm, xrefs: 6D38532D

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: String$ArraySafe$AllocFree$Destroy$CreateInitVariantVector$Element_com_issue_error
String ID: kCm$AddrOfPinnedObject$Alloc$System.Object$System.Runtime.InteropServices.GCHandle$System.Runtime.InteropServices.GCHandleType$[!] C# Get Default Domain Failed$[!] CLRCreateInstance$[!] Get mscorlib.dll Assembly Failed$[!] Get osu! Assembly Failed$[!] GetDefaultDomain$[!] GetInterface$[!] GetMethod("AddrOfPinnedObject") (0x%X)$[!] GetMethod("Alloc") (0x%X)$[!] GetRuntime failed: %S$[!] GetType (0x%X)$[!] Invoke("AddrOfPinnedObject") (0x%X)$[!] Invoke("Alloc") (0x%X)$[!] Load (0x%X)$[!] QueryInterface$[!] Start$mscorlib.dll$osu!$v4.0.30319
API String ID: 377884663-3760990818
Opcode ID: c5e81cc64d563e626a9c1c9ffc31dd16904b70a7a565d9138156ef2cacb37242
Instruction ID: 1bb2176a3326fcce5c269a0bbf93351d0c8dff8a6470f36fd7e5e8c2b209a715
Opcode Fuzzy Hash: c5e81cc64d563e626a9c1c9ffc31dd16904b70a7a565d9138156ef2cacb37242
Instruction Fuzzy Hash: D3B19E71D04259EBDF11CFA8C849BBEBBB8EF49304F144169E802AB341D775A945CBA1

Function 6D38E2A0 Relevance: 52.8, APIs: 24, Strings: 6, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E2ED
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E309
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E330
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E34C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E373
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E38F
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E3DB
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E3F7
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E41E
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E43A
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E461
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E47D
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E4C9
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E4E5
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E50C
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E528
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E54F
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E56B
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E5F6
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E612
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E639
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E655

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00000000,?,?,?,6D3935EA), ref: 6D38E68E
VirtualProtect.KERNEL32(00000000,00000005,?,?,?,?,6D3935EA), ref: 6D38E6AD

Strings

?Cm, xrefs: 6D38E57E
?Cm, xrefs: 6D38E2BC
?Cm, xrefs: 6D38E3B3
UUZ, xrefs: 6D38E5AD
lACm, xrefs: 6D38E668
?Cm, xrefs: 6D38E4A1

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: UUZ$lACm$?Cm$?Cm$?Cm$?Cm
API String ID: 3866829018-2627447504
Opcode ID: eef2fe68d880e0c55168221bb422cbbbd3d6e00085fe6175552de7e24e6d2cc4
Instruction ID: 026b25c5c1a026cc1fdde110ca9733e5e088a7e67212c0b9dcf23768e40d13df
Opcode Fuzzy Hash: eef2fe68d880e0c55168221bb422cbbbd3d6e00085fe6175552de7e24e6d2cc4
Instruction Fuzzy Hash: 46B1B5795082957EEB21AB57CC84FBB7FB8AB4B2A4F064018F55C93181D376DC05CBA2

Function 6D3D1680 Relevance: 25.6, APIs: 17, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cdb0baaeeacc7a2f603ec8c0484151ce7539def8c1a48169669b8c9eaafd26
Instruction ID: 40dfeafaa82de0c2e1f8b94902c5c7f59c2f45078789d6b0b22bc4321507c61f
Opcode Fuzzy Hash: 43cdb0baaeeacc7a2f603ec8c0484151ce7539def8c1a48169669b8c9eaafd26
Instruction Fuzzy Hash: 452130B95981057BEF405B74E81CB7E3A7CEB16782FC44694F51DC66C0CB69C4009B32

Function 6D391A30 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 293threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6D391A60
GetModuleHandleA.KERNEL32(00000000), ref: 6D391A6A
SetWindowsHookExA.USER32(00000003,6D391460,00000000,00000000), ref: 6D391A79
GetModuleFileNameW.KERNEL32(6D438238,00000208), ref: 6D391B9B
GetLastError.KERNEL32 ref: 6D391BAB
K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D391BE0
VirtualFreeEx.KERNEL32(?,00000000,00008000), ref: 6D391C4F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,6D438238,00000000,6D438650,00000208,00000000,00000000), ref: 6D391C70

Strings

`#v, xrefs: 6D391A6A
onfig, xrefs: 6D391B23
[!] Couldn't get config path, xrefs: 6D391C7A
[!] GetModuleFileName (0x%X), xrefs: 6D391BB2
config.ini path: %s, xrefs: 6D391CE6
7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL, xrefs: 6D391DA6

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Module$ByteCharCurrentErrorFileFreeHandleHookLastMultiNameQueryThreadVirtualWideWindowsWorking
String ID: 7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL$[!] Couldn't get config path$[!] GetModuleFileName (0x%X)$`#v$config.ini path: %s$onfig
API String ID: 1201383334-1635599636
Opcode ID: 1ed676bbed5abd39d7b32fd466005f88eb84dbebc4d9fc6fdaa819ecd5394f93
Instruction ID: 99f12a645a97fc0ee09157e311c83ca2c27505ab34da90c6f2a09c8b151f544e
Opcode Fuzzy Hash: 1ed676bbed5abd39d7b32fd466005f88eb84dbebc4d9fc6fdaa819ecd5394f93
Instruction Fuzzy Hash: 9DB15471904345AFEB10DF69C845BAA7BB8FF05304F068269E959AF281FB71D805CF91

Function 6D3EAB0D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D3EA854: CreateFileW.KERNEL32(00000000,00000000,?,6D3EABB6,?,?,00000000,?,6D3EABB6,00000000,0000000C), ref: 6D3EA871

GetLastError.KERNEL32 ref: 6D3EAC21
__dosmaperr.LIBCMT ref: 6D3EAC28
GetFileType.KERNEL32(00000000), ref: 6D3EAC34
GetLastError.KERNEL32 ref: 6D3EAC3E
__dosmaperr.LIBCMT ref: 6D3EAC47
CloseHandle.KERNEL32(00000000), ref: 6D3EAC67
CloseHandle.KERNEL32(00000000), ref: 6D3EADB4
GetLastError.KERNEL32 ref: 6D3EADE6
__dosmaperr.LIBCMT ref: 6D3EADED

Strings

H, xrefs: 6D3EAD72

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ce4ade4d49637aca41d068b24ef3c241e4381939eef6c9fa02d5e4b23557a9e7
Instruction ID: 063fcb08cb09a18435206c3e27dc8f2b6a6dc4b5ff85badbd0c1c402c2d431db
Opcode Fuzzy Hash: ce4ade4d49637aca41d068b24ef3c241e4381939eef6c9fa02d5e4b23557a9e7
Instruction Fuzzy Hash: 31A14332A1826A9FCF099F6CD891BAE3BB1EB06354F15415EE912DB3D0C735D812CB91

Function 6D3D0410 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 203libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(opengl32.dll,?,00000026,?,?,?,6D391E50,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D3F3E83,00000000), ref: 6D3D0424
GetProcAddress.KERNEL32(00000000,wglGetProcAddress), ref: 6D3D0443
GetProcAddress.KERNEL32(6D426230), ref: 6D3D0478

Strings

%d.%d, xrefs: 6D3D04E4, 6D3D0582
GL_ARB_clip_control, xrefs: 6D3D0651
opengl32.dll, xrefs: 6D3D041B
#version 130, xrefs: 6D3D05D8
wglGetProcAddress, xrefs: 6D3D043D
Failed to initialize OpenGL loader!, xrefs: 6D3D0693
HfBm, xrefs: 6D3D0539

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: #version 130$%d.%d$Failed to initialize OpenGL loader!$GL_ARB_clip_control$HfBm$opengl32.dll$wglGetProcAddress
API String ID: 2238633743-3275769853
Opcode ID: e2909a55b7e0bdf0bf5c8b808bab93dbd59c83d55301a3d5f6f3bfc21dbe8802
Instruction ID: c7927a5ea434b2249f485c076747df6ce572ef2ac7cde905d00ceb951010daab
Opcode Fuzzy Hash: e2909a55b7e0bdf0bf5c8b808bab93dbd59c83d55301a3d5f6f3bfc21dbe8802
Instruction Fuzzy Hash: A561043290C342DBEB119F6AC846F6B7BB5FB46B04F054428EAC097242D771D909CFA2

Function 6D3D4A03 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6D3D4A09
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 6D3D4A17
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6D3D4A28
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 6D3D4A39

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6D3D4A1D
GetCurrentPackageId, xrefs: 6D3D4A11
kernel32.dll, xrefs: 6D3D4A04
GetTempPath2W, xrefs: 6D3D4A2E

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: f5b49cc1b700ae522054e4976204d485d23a185ce618442669838bec77f5d17b
Instruction ID: 613e37ec3082092f8bc461c93e9362c2eb7e8859182214caa3f98d830d3e95b6
Opcode Fuzzy Hash: f5b49cc1b700ae522054e4976204d485d23a185ce618442669838bec77f5d17b
Instruction Fuzzy Hash: CEE0B636405B59AB8B206B75ED0CB753AB8FA07206302C091F505DA545D7704802CB91

Function 6D3D73B6 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D3D74D5
___TypeMatch.LIBVCRUNTIME ref: 6D3D75E3
_UnwindNestedFrames.LIBCMT ref: 6D3D7735
CallUnexpected.LIBVCRUNTIME ref: 6D3D7750

Strings

csm, xrefs: 6D3D7460
csm, xrefs: 6D3D750C
csm, xrefs: 6D3D73F3

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: afc0701e0db1d0a4012b57d91c5cd394ab8bddfbdc65f079716f878e89bf1190
Instruction ID: e3454d21fa88eac34e9055112119192ff0f5e14816a383f156002848aabf57a7
Opcode Fuzzy Hash: afc0701e0db1d0a4012b57d91c5cd394ab8bddfbdc65f079716f878e89bf1190
Instruction Fuzzy Hash: 4FB18FB2C0420ADFCF85CFA8C8819AEBBB5FF04314F11856AE9126B251D732DA51CF91

Function 6D386A90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000001), ref: 6D386AE7
SysAllocString.OLEAUT32(00000000), ref: 6D386B21
SysFreeString.OLEAUT32(00000000), ref: 6D386B5F
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 6D386B72

Strings

[!] GetType (%s, 0x%X), xrefs: 6D386C13
[!] get_types failed, pAssembly is null, xrefs: 6D386ACA

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ArraySafeString$AllocCreateElementFreeVector
String ID: [!] GetType (%s, 0x%X)$[!] get_types failed, pAssembly is null
API String ID: 4162797470-1448166456
Opcode ID: 6ab6077473b053c67581cd6f03ebf47a58dc8bb89644ad9cca52c9781e2dcc6e
Instruction ID: ae1caa3205043f51a42b15913d2f3187657230b440fe77470ef1542124f01c62
Opcode Fuzzy Hash: 6ab6077473b053c67581cd6f03ebf47a58dc8bb89644ad9cca52c9781e2dcc6e
Instruction Fuzzy Hash: 6A61B170D00248EFDF01DFE8C898BAEBBB8EF09308F148159E515EB281D775AA45CB91

Function 6D386D30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6D386D89
SysAllocString.OLEAUT32(00000000), ref: 6D386DC5
SysFreeString.OLEAUT32(00000000), ref: 6D386E03
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 6D386E16

Strings

[!] GetType (%s, 0x%X), xrefs: 6D386EB7
[!] get_types failed, pAssembly is null, xrefs: 6D386D6C

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ArraySafeString$AllocCreateElementFreeVector
String ID: [!] GetType (%s, 0x%X)$[!] get_types failed, pAssembly is null
API String ID: 4162797470-1448166456
Opcode ID: e54ef22580cfd4387342d5985c62c0673ed783b8a548f275331cec5d376c2a0e
Instruction ID: 2b76e9def4767f03f11bc17b411182ae0dcb031bcc5bd130fdf7230a99777bb6
Opcode Fuzzy Hash: e54ef22580cfd4387342d5985c62c0673ed783b8a548f275331cec5d376c2a0e
Instruction Fuzzy Hash: 7A71A071D14248EFDF04CFE8C888BAEBBB9EF48304F148159E515EB282D775AA45CB91

Function 6D3858B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,D5219907), ref: 6D3858F0
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6D385904

Strings

[!] IsLoadable, xrefs: 6D385B21
`#v, xrefs: 6D3858F0
CLRCreateInstance, xrefs: 6D3858FE
mscoree.dll, xrefs: 6D3858D6
v4.0.30319, xrefs: 6D38593C

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CLRCreateInstance$[!] IsLoadable$`#v$mscoree.dll$v4.0.30319
API String ID: 1646373207-1204990856
Opcode ID: 4e96161263017889c67315ec98e0b08fcfb8855c05a67d8de3db42c556660155
Instruction ID: 52234926375fafab9f13ae0ba30203f3fe330da795b5a9e8574727a242fe1efd
Opcode Fuzzy Hash: 4e96161263017889c67315ec98e0b08fcfb8855c05a67d8de3db42c556660155
Instruction Fuzzy Hash: E9317AB0A0420AABDB10DFA5C884FBF7BB9EF55718F004158E516EB242EB759905CBA1

Function 6D38F8B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F8FD
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F919
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F940
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F95C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F983
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F99F

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

Strings

?Cm, xrefs: 6D38F8CC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?Cm
API String ID: 3866829018-3963593464
Opcode ID: 7c471d731c016db59325bc2b76dacc6154dfd965fca2b58db3d4cbcb99cda322
Instruction ID: b1fae4e10999e4e6ebc6f368d9bae04fb03ac7819b32be248215c631b7e4fd10
Opcode Fuzzy Hash: 7c471d731c016db59325bc2b76dacc6154dfd965fca2b58db3d4cbcb99cda322
Instruction Fuzzy Hash: B321B66A5081957EEB21A657CC84FBB7F7CEB8B2A4F164009F55C52141D336DC48CBB2

Function 6D38F6B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F6FD
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F719
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F740
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F75C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F783
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F79F

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

Strings

?Cm, xrefs: 6D38F6CC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?Cm
API String ID: 3866829018-3963593464
Opcode ID: a162a53bc5ca100c5d915018365f3ad7c683b46e177d7edeb4092a2b9b41cb35
Instruction ID: 51df89e1dc06dc75af6fa08b10b1458ae967661b8be5fcd9938ddb69f661a893
Opcode Fuzzy Hash: a162a53bc5ca100c5d915018365f3ad7c683b46e177d7edeb4092a2b9b41cb35
Instruction Fuzzy Hash: EB21D8664041957EEF21A6179C88FBB7FBCEB5B2A4F164009F59C52141D336DC08C7A6

Function 6D3E3355 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D3E361D,00000022,FlsSetValue,6D3F81A4,6D3F81AC,00000000,?,6D3E310E,FFFFFFFF,000000FF,?,6D3E262E,00000000,00000000), ref: 6D3E3416

Strings

api-ms-, xrefs: 6D3E33AC
ext-ms-, xrefs: 6D3E33C0
.&>m, xrefs: 6D3E3357

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: .&>m$api-ms-$ext-ms-
API String ID: 3664257935-2295197826
Opcode ID: 0691da87ba7b75d704cc70b99af65e199b81470da1596716f4e36681f18ddba8
Instruction ID: 3bbef7cfafe12bf793d4f7d23d41912bed81d6ba1bbcde17c9de2c37355230fc
Opcode Fuzzy Hash: 0691da87ba7b75d704cc70b99af65e199b81470da1596716f4e36681f18ddba8
Instruction Fuzzy Hash: F321DE35D05137ABDB215B1ADC41F6A3778EB427E6B114121E911B72E2DB71DD01CAE0

Function 6D388B60 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 388COMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008,D5219907), ref: 6D388D9F

Strings

Unknown, xrefs: 6D388CA5, 6D388CAA
Unknown, xrefs: 6D388C9B
mods updated: %s, xrefs: 6D388CAB

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: QueryWorking
String ID: Unknown$Unknown$mods updated: %s
API String ID: 380726023-2432842809
Opcode ID: 3e0f668be60318f5dcba85f3548b3232235165835b487ff3c01bf367d6523658
Instruction ID: e73da14ea1dd6296a1b44de039f5d982338dcd3757cf5113b78162becbb65a94
Opcode Fuzzy Hash: 3e0f668be60318f5dcba85f3548b3232235165835b487ff3c01bf367d6523658
Instruction Fuzzy Hash: 92F10279908286CFEB21EF2AD4467767BF1BB47308F1A8159C4905B287D372EC44CBA1

Function 6D3E6E06 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6D3E6E8C

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f30d69ebd9c3244c8ffa272c56fca57c4a1bed504d5da9b0f0469bcbf4574be5
Instruction ID: 22737ecb27eefb2c79ea98c7f74c7029c2cf1f77bbcf029295856fa23cc20d40
Opcode Fuzzy Hash: f30d69ebd9c3244c8ffa272c56fca57c4a1bed504d5da9b0f0469bcbf4574be5
Instruction Fuzzy Hash: 86B16AB2D043769FDB12CF68CC81BAEBBA5EF45390F148557EA44AB2C2D3759901C7A0

Function 6D3AE070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32(?), ref: 6D3AE099
ImmSetCompositionWindow.IMM32(00000000,00000020), ref: 6D3AE0D4
ImmSetCandidateWindow.IMM32(00000000,00000000), ref: 6D3AE111
ImmReleaseContext.IMM32(?,00000000), ref: 6D3AE119

Strings

@, xrefs: 6D3AE0E7
, xrefs: 6D3AE0AA

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ContextWindow$CandidateCompositionRelease
String ID: $@
API String ID: 3969737024-1077428164
Opcode ID: 999f3b5a155f858438abfda1484d1d4962337a5197e5343d2eec7ab6505d09a2
Instruction ID: de22d8ffcab260573df0714507f8659671889ed06f6b95fc5fd277f794a86fa4
Opcode Fuzzy Hash: 999f3b5a155f858438abfda1484d1d4962337a5197e5343d2eec7ab6505d09a2
Instruction Fuzzy Hash: B5212772514745ABC711CF24D585A6BBBF9FF8A214F01961EF99496204EB30D9408B92

Function 6D3E4FD6 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a181448a14147c479ec773fc261e43fdc3993c4f4aedd45d80e95522b837048
Instruction ID: 989e3238234a4a51dcf726b8b8f63d2563fc60272b7e7fce49e06b847e1194f9
Opcode Fuzzy Hash: 7a181448a14147c479ec773fc261e43fdc3993c4f4aedd45d80e95522b837048
Instruction Fuzzy Hash: 9EB1F671A0826AAFDB01CF9CC881BBE7BB5BF46394F05815AE6519B2C1C771D941CFA0

Function 6D390310 Relevance: 9.1, APIs: 6, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,762304C0,00000000,6D38E663,00000000,?,?,?,6D3935EA), ref: 6D390338
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D390354
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,762304C0,00000000,6D38E663,00000000,?,?,?,6D3935EA), ref: 6D39037B
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D390397
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,762304C0,00000000,6D38E663,00000000,?,?,?,6D3935EA), ref: 6D3903BE
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D3903DA

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6b682a0b94685bd3c6d340524f9955678da11a8eab3df6376381c2b0c2f8272b
Instruction ID: 9beebbad8c3778427360865bc3cb09b9c271d09856e9bdf090777f0b12bf38f4
Opcode Fuzzy Hash: 6b682a0b94685bd3c6d340524f9955678da11a8eab3df6376381c2b0c2f8272b
Instruction Fuzzy Hash: 4221B37A4041507EEB2196979C84FFB7BBCEB8F2E8F164009FA6C62140D376D805C7A2

Function 6D3D707F Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D3D6F9E,6D3D4C62,6D3D5126,?,6D3D535E,?,00000001,?,?,00000001,?,6D430D08,0000000C,6D3D5457), ref: 6D3D708D
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D3D709B
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D3D70B4
SetLastError.KERNEL32(00000000,6D3D535E,?,00000001,?,?,00000001,?,6D430D08,0000000C,6D3D5457,?,00000001,?), ref: 6D3D7106

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1c6345d738b8db68583a0ce77b7214b4568d40dc4556829bed22f9079c9fed2c
Instruction ID: 8f1eab8ae91c47204d5d435b6e5e623b09f120c85a1c4168bc96754c130f9fc8
Opcode Fuzzy Hash: 1c6345d738b8db68583a0ce77b7214b4568d40dc4556829bed22f9079c9fed2c
Instruction Fuzzy Hash: 6401FC7791C7135EEB911779EC49B263A68EB036B8722432EF621410D0FF52DC028990

Function 6D385316 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(System.Runtime.InteropServices.GCHandle), ref: 6D385374
SysFreeString.OLEAUT32(00000000), ref: 6D3853BA
_com_issue_error.COMSUPP ref: 6D3856A0

Strings

System.Runtime.InteropServices.GCHandle, xrefs: 6D385368
[!] GetType (0x%X), xrefs: 6D3853C7
kCm, xrefs: 6D38532D

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: String$AllocFree_com_issue_error
String ID: kCm$System.Runtime.InteropServices.GCHandle$[!] GetType (0x%X)
API String ID: 1786537486-1961527063
Opcode ID: d0f3ea4507cb75e7bc1ed7dcfdba224003da4e9dcd372583d480ed2996ab26f7
Instruction ID: 5e8d5c576ce776bea0b2485c8bff3470b5a9cbc2ec49e6bce86ef7c139b719fa
Opcode Fuzzy Hash: d0f3ea4507cb75e7bc1ed7dcfdba224003da4e9dcd372583d480ed2996ab26f7
Instruction Fuzzy Hash: D331BD71905219EFCB10CF98C948BAEFBF8EB49714F144259E805A7341D775A904CBA1

Function 6D3E809D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D3E80B9

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 4be32cfc01804adc8610ebedde244a4e50823f0a74fd446ef4cd7abd03764f65
Instruction ID: 8e3149f994c35bea8bdf06a0f46590b094e4f4962f5d58ed9f02619416de3191
Opcode Fuzzy Hash: 4be32cfc01804adc8610ebedde244a4e50823f0a74fd446ef4cd7abd03764f65
Instruction Fuzzy Hash: 4B21CD71A48226AFCB109F658C8096B77ACFF813E8701C916EA55D7380E731EC01CBA0

Function 6D38F4F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F53D
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F559
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D38F580
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D38F59C

Part of subcall function 6D381660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,7622F550,?,?,6D434004,6D3819CC), ref: 6D38167B
Part of subcall function 6D381660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D38169A
Part of subcall function 6D381660: VirtualFree.KERNEL32(6D4369C8,00000000,00008000,?,?,opengl32.dll), ref: 6D3816B4

Strings

?Cm, xrefs: 6D38F50C

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?Cm
API String ID: 3866829018-3963593464
Opcode ID: dd1b4406ec6afb38905d2326b9e3a46df182e351da26c7e420324b96b0a16224
Instruction ID: 5bb782d4c155f1487f700c84282ac5d8688e3d8a97ee05ab1136435b59c8774d
Opcode Fuzzy Hash: dd1b4406ec6afb38905d2326b9e3a46df182e351da26c7e420324b96b0a16224
Instruction Fuzzy Hash: 4811C4A550C1957EEB21AA2BEC44FB77FBCEB8B6A4F064009F65C82141D336DC45C7A2

Function 6D3D8D01 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D5219907,00000000,?,00000000,6D3F33E0,000000FF,?,6D3D8C9B,?,?,6D3D8C6F,?), ref: 6D3D8D36
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D3D8D48
FreeLibrary.KERNEL32(00000000,?,00000000,6D3F33E0,000000FF,?,6D3D8C9B,?,?,6D3D8C6F,?), ref: 6D3D8D6A

Strings

CorExitProcess, xrefs: 6D3D8D40
mscoree.dll, xrefs: 6D3D8D2F

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 977ef14210309cdb865848cdc00b16b7b4b8abeed663cace628e9a36049f681c
Instruction ID: b0acaf258912a5043bac3cad270eb94ac0d6f9c36aacea39c76083b473feb7fb
Opcode Fuzzy Hash: 977ef14210309cdb865848cdc00b16b7b4b8abeed663cace628e9a36049f681c
Instruction Fuzzy Hash: 9501123290561EBFDF119F94DC49BBEBBB8FB05755F004625F821A26D0DB75A900CB90

Function 6D385C70 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 6D385D5B
std::_Throw_Cpp_error.LIBCPMT ref: 6D385D66
std::_Throw_Cpp_error.LIBCPMT ref: 6D385E49
std::_Throw_Cpp_error.LIBCPMT ref: 6D385E54
__Cnd_unregister_at_thread_exit.LIBCPMT ref: 6D385E79

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Cnd_unregister_at_thread_exit
String ID:
API String ID: 1267939008-0
Opcode ID: 892f72d18d337810b7dff5b988ab6197a711b75505fe88c8c8e4db6ff3e01729
Instruction ID: 26a8d4d95bc50f11ba9911b4a18c8216f726153eb9978ce61cc56733b77cc8b5
Opcode Fuzzy Hash: 892f72d18d337810b7dff5b988ab6197a711b75505fe88c8c8e4db6ff3e01729
Instruction Fuzzy Hash: E6512972C087459FDB21CBB4DC05BBBB7F8EF05314F00492DD5A252691E776A508CBA2

Function 6D3EC794 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D3EC819
__alloca_probe_16.LIBCMT ref: 6D3EC8E2
__freea.LIBCMT ref: 6D3EC949

Part of subcall function 6D3E3BD9: HeapAlloc.KERNEL32(00000000,6D3E8616,?,?,6D3E8616,00000220,?,00000000,?), ref: 6D3E3C0B

__freea.LIBCMT ref: 6D3EC95C
__freea.LIBCMT ref: 6D3EC969

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 1fe306c6f89dac909e0e80528b5d9e5ef45482a36e0eab306741d11115c34d9b
Instruction ID: 9330e2887cd5f91a81308f223d6048c1c94e68e7dc5a6f2d38add31b39d88512
Opcode Fuzzy Hash: 1fe306c6f89dac909e0e80528b5d9e5ef45482a36e0eab306741d11115c34d9b
Instruction Fuzzy Hash: C651C5B260422BAFEF114F65CC81EBF3AA9EF85694F12412AFE14D61D4EB71DD108660

Function 6D3D44BA Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6D3D44CE
AcquireSRWLockExclusive.KERNEL32(-6D434248,?,6D3869B0,?,D5219907,-6D434250), ref: 6D3D44ED
AcquireSRWLockExclusive.KERNEL32(-6D434248,?,?,?,6D3869B0,?,D5219907,-6D434250), ref: 6D3D451B
TryAcquireSRWLockExclusive.KERNEL32(-6D434248,?,?,?,6D3869B0,?,D5219907,-6D434250), ref: 6D3D4576
TryAcquireSRWLockExclusive.KERNEL32(-6D434248,?,?,?,6D3869B0,?,D5219907,-6D434250), ref: 6D3D458D

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 47320cc5e08a8e3427f459a79235cba20dbcab52777931d27bc855afee249074
Instruction ID: bcce54f9999df0db7005ac569fc5a951d449b6c16b1fb18322eec2810728ec58
Opcode Fuzzy Hash: 47320cc5e08a8e3427f459a79235cba20dbcab52777931d27bc855afee249074
Instruction Fuzzy Hash: 2B41797290460BDBCF51CF65C486AAAB7FAFF0E310B10892AE15697A40D731F585CF60

Function 6D381867 Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6D381882
wglGetCurrentDC.OPENGL32 ref: 6D38188D
WindowFromDC.USER32(00000000), ref: 6D381894

Part of subcall function 6D391A30: GetCurrentThreadId.KERNEL32 ref: 6D391A60
Part of subcall function 6D391A30: GetModuleHandleA.KERNEL32(00000000), ref: 6D391A6A
Part of subcall function 6D391A30: SetWindowsHookExA.USER32(00000003,6D391460,00000000,00000000), ref: 6D391A79
Part of subcall function 6D391A30: GetModuleFileNameW.KERNEL32(6D438238,00000208), ref: 6D391B9B
Part of subcall function 6D391A30: GetLastError.KERNEL32 ref: 6D391BAB

CreateThread.KERNEL32(00000000,00000000,6D38E0B0,00000000,00000000,00000000), ref: 6D3818B5
CloseHandle.KERNEL32(00000000), ref: 6D3818BC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Current$HandleModuleThread$CloseCreateErrorFileFromHookLastNameProcessWindowWindows
String ID:
API String ID: 3610768000-0
Opcode ID: fc3d07b2f5d1fd0a39326e192d1fbf7290a79f925638eed336a0a82a0fd05c70
Instruction ID: 0f87ff5e8aa108814c83c541f90c79b3f011f34446dc90895b1592bf7cd9cf3c
Opcode Fuzzy Hash: fc3d07b2f5d1fd0a39326e192d1fbf7290a79f925638eed336a0a82a0fd05c70
Instruction Fuzzy Hash: 07F05475948301B7DF607BB59C0E72D3978BB02749F02C819E642E61C0DB75A4008B6A

Function 6D3B8CB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

SingleTap, xrefs: 6D3B8CB0

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID:
String ID: SingleTap
API String ID: 0-3144083996
Opcode ID: 55ff719f6547c7f59fcd0a60fef9ea0f4904c8fe94a1b673058f63b7037f4857
Instruction ID: ea224eb2ee5af64201575b94c4191fbdbb1b1ddef70e2ca00bfa4dcc8312b3c9
Opcode Fuzzy Hash: 55ff719f6547c7f59fcd0a60fef9ea0f4904c8fe94a1b673058f63b7037f4857
Instruction Fuzzy Hash: DF91AF32928709CAC302DF3AD48151AF7B0AFAE385F19CB1AF98476151F731A5D8CA46

Function 6D3D8142 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D3D80F3,00000000,?,00000001,?,?,?,6D3D81E2,00000001,FlsFree,6D3F6B88,FlsFree), ref: 6D3D814F
GetLastError.KERNEL32(?,6D3D80F3,00000000,?,00000001,?,?,?,6D3D81E2,00000001,FlsFree,6D3F6B88,FlsFree,00000000,?,6D3D7154), ref: 6D3D8159
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D3D8181

Strings

api-ms-, xrefs: 6D3D8166

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 48e47238a88fd4784d5e07586d913a409dd5d3871699fdc1029651914b3677d5
Instruction ID: af1fd1d8d4a822afba197ceaa55140f0c377bf1bc19077074dfdf6aede55edd9
Opcode Fuzzy Hash: 48e47238a88fd4784d5e07586d913a409dd5d3871699fdc1029651914b3677d5
Instruction Fuzzy Hash: 39E01A3164420ABAEF101B61ED07F383E78EB01B89F148420FA0DE80D1E7A6A415CAC4

Function 6D3E556B Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D5219907,00000000,00000000,?), ref: 6D3E55CE

Part of subcall function 6D3E8BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D3EC93F,?,00000000,-00000008), ref: 6D3E8C4B

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D3E5820
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D3E5866
GetLastError.KERNEL32 ref: 6D3E5909

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c3bf99beb92ddc1d0c8c8aa656af995d038d257fbec4fc5b9e842186a9397911
Instruction ID: 92a20bd6d90c48987375c8a34859709845d28de7bcb31d1e8b28cfbf7b5b93fd
Opcode Fuzzy Hash: c3bf99beb92ddc1d0c8c8aa656af995d038d257fbec4fc5b9e842186a9397911
Instruction Fuzzy Hash: E6D17B75E04269AFCF05CFA8C880AEDBBB9FF09354F15812AE556EB391D730A941CB50

Function 6D3D715F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D3D7226
___AdjustPointer.LIBCMT ref: 6D3D7249
___AdjustPointer.LIBCMT ref: 6D3D72E5

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: bf0b017d7f422e9f669d6b6cf88ed8b31b676e3f6619fa1e66f23794fb18237c
Instruction ID: c1f56fa0b0ded4fabe60815a48dd005df0a1f79f1f0dbd92f5aa17d54cec14c8
Opcode Fuzzy Hash: bf0b017d7f422e9f669d6b6cf88ed8b31b676e3f6619fa1e66f23794fb18237c
Instruction Fuzzy Hash: FE51DEF3A05646AFEB958F54C842BBA77B4FF41354F10852DED6256294E732E840CF90

Function 6D381E00 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6D3D47B5: QueryPerformanceFrequency.KERNEL32(6D3D34CB,?,?,6D3D34CB,6D381E12,?,6D3D34CC,6D3D34CB,?,00000020,6D3D34CB,00000000,?), ref: 6D3D47D3

Part of subcall function 6D3D479E: QueryPerformanceCounter.KERNEL32(6D3D34CB,?,?,?,6D381E21,?,6D3D34CC,6D3D34CB,?,00000020,6D3D34CB,00000000,?), ref: 6D3D47A7

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D381E63
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D381E95
__alldvrm.LIBCMT ref: 6D381EB8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D381EDC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 5bc31e4a5047d1f8e994e6d0e8e73c730afa4f17a177c175571736e83d129d53
Instruction ID: 6ba41083ba8dd85a88909f810f738781ff8490e95cede2b93057c193761bbfa4
Opcode Fuzzy Hash: 5bc31e4a5047d1f8e994e6d0e8e73c730afa4f17a177c175571736e83d129d53
Instruction Fuzzy Hash: 692105723083142FC314DE2D5C41B7BB7EDDBC8694F06857EFA09DB391E6A4AC0406A4

Function 6D3E7939 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D3E8BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D3EC93F,?,00000000,-00000008), ref: 6D3E8C4B

GetLastError.KERNEL32 ref: 6D3E799D
__dosmaperr.LIBCMT ref: 6D3E79A4
GetLastError.KERNEL32(?,?,?,?), ref: 6D3E79DE
__dosmaperr.LIBCMT ref: 6D3E79E5

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: b2e9eb399a884f987f859724f5ee8d6b8bb3061962907a18ea70106b92f8d619
Instruction ID: c880f0ab87e24efdf779ff1525b875fedc42b9db3b08b1e29ac8511d8c4fbbaa
Opcode Fuzzy Hash: b2e9eb399a884f987f859724f5ee8d6b8bb3061962907a18ea70106b92f8d619
Instruction Fuzzy Hash: 2921CBB2E08227AFD7148F65C88096AB7ADFF413E4701C51AF959D7181D731EC428BE0

Function 6D3E8C8D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D3E8C95

Part of subcall function 6D3E8BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D3EC93F,?,00000000,-00000008), ref: 6D3E8C4B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D3E8CCD
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D3E8CED

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0fe22a9fb8b790313cb012ef06772ae3841e5250bc30a0ed8eac77223bbd14eb
Instruction ID: 5110cc55d2c179b6e838d66318db7a765942904ccfbd9443e5da7fd24992abb4
Opcode Fuzzy Hash: 0fe22a9fb8b790313cb012ef06772ae3841e5250bc30a0ed8eac77223bbd14eb
Instruction Fuzzy Hash: 801121E1D1A12ABFAA1117B19C88D7F69ACEECA2E93114513F641E2080EB30CE0042F1

Function 6D3ECCB9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D3EA3A1,00000000,00000001,00000000,?,?,6D3E595D,?,00000000,00000000), ref: 6D3ECCD0
GetLastError.KERNEL32(?,6D3EA3A1,00000000,00000001,00000000,?,?,6D3E595D,?,00000000,00000000,?,?,?,6D3E5F37,00000000), ref: 6D3ECCDC

Part of subcall function 6D3ECCA2: CloseHandle.KERNEL32(FFFFFFFE,6D3ECCEC,?,6D3EA3A1,00000000,00000001,00000000,?,?,6D3E595D,?,00000000,00000000,?,?), ref: 6D3ECCB2

___initconout.LIBCMT ref: 6D3ECCEC

Part of subcall function 6D3ECC64: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D3ECC93,6D3EA38E,?,?,6D3E595D,?,00000000,00000000,?), ref: 6D3ECC77

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D3EA3A1,00000000,00000001,00000000,?,?,6D3E595D,?,00000000,00000000,?), ref: 6D3ECD01

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3bb062d6bb5267f0a8fe347174d7765aa1fc249d9fb638858d22c3a388343daf
Instruction ID: 93d411dbe44a961a33c1ad7b110935158172930949591f75bf6900c844a7698c
Opcode Fuzzy Hash: 3bb062d6bb5267f0a8fe347174d7765aa1fc249d9fb638858d22c3a388343daf
Instruction Fuzzy Hash: ADF0303A001129BBCF221F96DC09B9E3F3AFF497E0B068011FA0985160D733C820EB90

Function 6D3D6330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D3D636F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D3D6423

Strings

csm, xrefs: 6D3D640D

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: e277a82a095d6ea230eacc0daab708f765eb9243ef13635de10b46bb2e250539
Instruction ID: 2d541fb1d7fe90c6ff84f5e7b297474361fda33643d5f4d01d8282b30241e231
Opcode Fuzzy Hash: e277a82a095d6ea230eacc0daab708f765eb9243ef13635de10b46bb2e250539
Instruction Fuzzy Hash: 47418136A0421DABCF40CF68C880BAE7BB5AF45318F11C165E9255B252D772AA16CFD1

Function 6D3D775B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D3D7780

Strings

RCC, xrefs: 6D3D779A
MOC, xrefs: 6D3D7792

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 1b7d34c98c64c83f7bd327479c40285c23faffc506ca553f31f45f50605a8d5b
Instruction ID: f869681ef46430dcf82d29b44b4646c8103227986c690c5d11aa4e06caf00f2c
Opcode Fuzzy Hash: 1b7d34c98c64c83f7bd327479c40285c23faffc506ca553f31f45f50605a8d5b
Instruction Fuzzy Hash: C24138B2D0010AAFCF06CF94CD82AEE7BB5FF48305F258159FA1666260D3369950DF51

Function 6D388550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6D386CD0: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6D386CE5
Part of subcall function 6D386CD0: SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6D386D18

SafeArrayDestroy.OLEAUT32(?), ref: 6D3885C1
_com_issue_error.COMSUPP ref: 6D388609

Strings

[!] Invoke (0x%X), xrefs: 6D3885CC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector_com_issue_error
String ID: [!] Invoke (0x%X)
API String ID: 378831089-2656373395
Opcode ID: e25b0578a21ceb32c974a7eb2feae76615066c08806969ec5637adfd3b4450bc
Instruction ID: cb0e3fd0a88c517f35effe6bb8d9efa2a9330c6212b955fdbe5eaa9c615df946
Opcode Fuzzy Hash: e25b0578a21ceb32c974a7eb2feae76615066c08806969ec5637adfd3b4450bc
Instruction Fuzzy Hash: 3321D575C042189BCB11DFA8C904BAAB7B4FF59318F218559E91577202E7326E41CBA1

Function 6D3D4127 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D3D41AF
RaiseException.KERNEL32(?,?,?,?), ref: 6D3D41D4

Part of subcall function 6D3D682B: RaiseException.KERNEL32(E06D7363,00000001,00000003,6D381D8A,-6D434250,?,?,?,6D381D8A,6D431510,6D431510), ref: 6D3D688B

Part of subcall function 6D3D8607: IsProcessorFeaturePresent.KERNEL32(00000017,6D3D8775,?,6D3D86E4,?,00000000,6D3D88F3,?,?,?,?,?,00000000,?,00000000,?), ref: 6D3D8623

Strings

csm, xrefs: 6D3D4163

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: d5481b82d1b9b2e381d68818885133ee6eb5ee3162ecf89a6217cbfb9b6258e8
Instruction ID: e65787bf0c58022596261cd259888460091ee02c3fcdc7e8583a9dee5d4b8cd2
Opcode Fuzzy Hash: d5481b82d1b9b2e381d68818885133ee6eb5ee3162ecf89a6217cbfb9b6258e8
Instruction Fuzzy Hash: 0121BE37C00219ABCF64CFA5D882AAEB7B9EF18714F528419E556AB250C731EE45CF80

Function 6D38DA60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D4369E0,0000001F,00000000,00000000,?,00000000,?,00000000,6D38E7EF,D5219907,?,00000000), ref: 6D38DACB

Strings

@OBm, xrefs: 6D38DA75
TOBm, xrefs: 6D38DA90

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: @OBm$TOBm
API String ID: 626452242-1434211474
Opcode ID: bfaedfeee472e5a723eec1c8c87a81e2980257c230221476a6803eeda0e767b4
Instruction ID: c5dbbd185f5be4398fd489f4a1b1768bac259d23a08b6000b7fbe1a172d8de09
Opcode Fuzzy Hash: bfaedfeee472e5a723eec1c8c87a81e2980257c230221476a6803eeda0e767b4
Instruction Fuzzy Hash: 70016D3120414A5FD7209B59EC81FB67BAAEFC2340F3580AAE655CF502D732CC44C761

Function 6D38E1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,59m,00000000,762304C0,?,6D390106,?,6D38E58D,00000000,?,?,?,6D3935EA), ref: 6D38E202
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E222

Strings

59m, xrefs: 6D38E1F2, 6D38E1FD

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: 59m
API String ID: 544645111-880326226
Opcode ID: c224c1c01f84220ae5731095b618bc95a64089f14353c1d66fc5e474590559f5
Instruction ID: 8439635c8f3e589b9e4908c73c7d1340dac6bcca1e7d55d2e34524db43d83d25
Opcode Fuzzy Hash: c224c1c01f84220ae5731095b618bc95a64089f14353c1d66fc5e474590559f5
Instruction Fuzzy Hash: 9F014FA580C3C5BEEF61A61ADC49F23BFBCA7C7725F560049F585911A2C376888CCB52

Function 6D389230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,XACm,00000040,6D38FC2A,00000000,?,?,6D38FC2A,6D434158,00000000,6D393216), ref: 6D38924F
VirtualProtect.KERNEL32(00000000,XACm,?,?,6D434158,00000000,6D393216), ref: 6D38927A

Strings

XACm, xrefs: 6D389232, 6D38924D, 6D389255, 6D389278

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: XACm
API String ID: 544645111-3069320837
Opcode ID: fc4d4d90e9f2b0f786d3944209a8e3e903ef20cd0f0ce3dba67daae21275785d
Instruction ID: 1fdd23b320427d6c7df8f69cb82fc2174c6076c5f1a65f8ec6642e1133d7f220
Opcode Fuzzy Hash: fc4d4d90e9f2b0f786d3944209a8e3e903ef20cd0f0ce3dba67daae21275785d
Instruction Fuzzy Hash: B9F0277214434E7FC6008E6AECC0E7BFB7DEBC2620F05412AF21042240CB22B8095732

Function 6D390100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D38E1B0: VirtualProtect.KERNEL32(00000000,00000000,00000040,59m,00000000,762304C0,?,6D390106,?,6D38E58D,00000000,?,?,?,6D3935EA), ref: 6D38E202
Part of subcall function 6D38E1B0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D38E222

VirtualProtect.KERNEL32(00000000,00000000,00000040,59m,00000000,762304C0,?,6D38E58D,00000000,?,?,?,6D3935EA), ref: 6D390126
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D3935EA), ref: 6D390146

Strings

59m, xrefs: 6D390116, 6D390121

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: 59m
API String ID: 544645111-880326226
Opcode ID: a3a3f4f87f91fab1b64409c2db609817c67a6703543bf273bd4af526bfed2443
Instruction ID: b21363fff90bc0b0b4b88a9b6c17e24868499a451bb66a2a2191f35fa4e48d19
Opcode Fuzzy Hash: a3a3f4f87f91fab1b64409c2db609817c67a6703543bf273bd4af526bfed2443
Instruction Fuzzy Hash: 60F0A0B6008280BADF20976AEC4CF977FBCEB9B614F128409F24DD1141D736D804C7A0

Function 6D399D30 Relevance: 5.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,D5219907,?,?,6D437DA6,?,?,?,?,?,6D3F4280), ref: 6D399D87
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D425EB8,000000FF,00000000,00000000,?,?,?,?,?,6D3F4280,000000FF), ref: 6D399D9C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D425EB8,?,?,?,?,?,?,6D3F4280,000000FF), ref: 6D399DD6
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,?,6D3F4280,000000FF), ref: 6D399DEC

Memory Dump Source

Source File: 00000004.00000002.2279165228.000000006D381000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D380000, based on PE: true

Associated: 00000004.00000002.2279145819.000000006D380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279219106.000000006D3F5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279283397.000000006D433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2279314080.000000006D439000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d380000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 2668bf2482db1f17aad2a03008f0c079b7cd04859c1a4cf92d1b9a292d1c3e36
Instruction ID: 5bff2e207675f953115a1a816d43a7bd782238088b4be15ef50975672c2a50ec
Opcode Fuzzy Hash: 2668bf2482db1f17aad2a03008f0c079b7cd04859c1a4cf92d1b9a292d1c3e36
Instruction Fuzzy Hash: 6821DB72A44246BFEB209FA5CC45FBF7B78EB05720F214239F625AB1C0E77559048B91

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report up.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_45b27b9ae4bdc5533369f53128e793cbabf13_7522e4b5_8c897256-56e2-4a6b-a5a5-c2b09c66c44c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER485.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER590.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
up.dll

Function 6D381920 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130
librarysleeploaderCOMMON

Function 6D3D5255 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D3D5305 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D381560 Relevance: 4.6, APIs: 3, Instructions: 95
memoryCOMMON

Function 6D381660 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Function 6D3D514E Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D3E456D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6D381B00 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMONLIBRARYCODE