Edit tour

Windows Analysis Report
main.dll

Overview

General Information

Sample name:	main.dll
Analysis ID:	1533005
MD5:	96d2a1bfbe79b68678b78017bf4ca532
SHA1:	c61e6222a42d858ab329eb5e0930b5274256c69d
SHA256:	5e97d896a427313467f598567f4dd60afc891f6b516faf3fc8d6379a7df40de4
Tags:	dlluser-4k95m
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7468 cmdline: loaddll32.exe "C:\Users\user\Desktop\main.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7532 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\main.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: main.dll	ReversingLabs: Detection: 47%
Source: main.dll	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: main.dll

Joe Sandbox ML: detected

Source: main.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: main.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D737B99 FindFirstFileExW,

4_2_6D737B99

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: Amcache.hve.7.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D6FDF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

4_2_6D6FDF00

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D6FDFE0 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

4_2_6D6FDFE0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D6FDF00 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

4_2_6D6FDF00

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D721EA0 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		4_2_6D721EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7227B9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		4_2_6D7227B9

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70FD00	4_2_6D70FD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6FBDC0	4_2_6D6FBDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7C69	4_2_6D6E7C69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7C75	4_2_6D6E7C75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D73EC55	4_2_6D73EC55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6DCC20	4_2_6D6DCC20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7CE1	4_2_6D6E7CE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7CB6	4_2_6D6E7CB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E9F10	4_2_6D6E9F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D710FF0	4_2_6D710FF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D715F90	4_2_6D715F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7E34	4_2_6D6E7E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D71DEF0	4_2_6D71DEF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D721EA0	4_2_6D721EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7959	4_2_6D6E7959
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D72C900	4_2_6D72C900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6DA9D0	4_2_6D6DA9D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D705850	4_2_6D705850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D72A8D0	4_2_6D72A8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70D8B0	4_2_6D70D8B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6F08B0	4_2_6D6F08B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D73FB20	4_2_6D73FB20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70CBF0	4_2_6D70CBF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D741BCE	4_2_6D741BCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E7A74	4_2_6D6E7A74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D73FA50	4_2_6D73FA50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6DDAF0	4_2_6D6DDAF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D705AB0	4_2_6D705AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D704AB0	4_2_6D704AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D700560	4_2_6D700560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D742549	4_2_6D742549
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D713500	4_2_6D713500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E75E9	4_2_6D6E75E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D71E5C0	4_2_6D71E5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70A580	4_2_6D70A580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6FC460	4_2_6D6FC460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70C420	4_2_6D70C420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6ED490	4_2_6D6ED490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6FF490	4_2_6D6FF490
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D74048B	4_2_6D74048B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D722760	4_2_6D722760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6ED700	4_2_6D6ED700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E9700	4_2_6D6E9700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7217F0	4_2_6D7217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7227B9	4_2_6D7227B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7197A0	4_2_6D7197A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E767E	4_2_6D6E767E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E763E	4_2_6D6E763E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6FA6C0	4_2_6D6FA6C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70F160	4_2_6D70F160
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E21D0	4_2_6D6E21D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EA070	4_2_6D6EA070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D73B002	4_2_6D73B002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6DD370	4_2_6D6DD370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7053F0	4_2_6D7053F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7123B0	4_2_6D7123B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D71A3A0	4_2_6D71A3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EA260	4_2_6D6EA260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D701240	4_2_6D701240
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6E72E0	4_2_6D6E72E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D7312A1	4_2_6D7312A1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D6E1E70 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D6E0DC0 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D725970 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D6DB6B0 appears 43 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D70FBC0 appears 36 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776

Source: main.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal56.winDLL@7/5@1/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D6DCC20 CreateToolhelp32Snapshot,Module32FirstW,Module32NextW,Module32NextW,CloseHandle,VirtualQuery,

4_2_6D6DCC20

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4b54a455-673e-4122-a563-0413c629bfff

Jump to behavior

Source: main.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: main.dll

Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\main.dll",#1

Source: main.dll	ReversingLabs: Detection: 47%
Source: main.dll	Virustotal: Detection: 56%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\main.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\main.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: main.dll

Static file information: File size 4952064 > 1048576

Source: main.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: main.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D721500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D721500

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EACF0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EAEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EACF0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EAF27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D7184DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D718B0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D715F90 push ecx; mov dword ptr [esp], 00000000h	4_2_6D718DDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6F7EA0 push ecx; mov dword ptr [esp], 3F800000h	4_2_6D6F8197
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EE990 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EEAB4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D70D8B0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D70D956
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EABC0 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EACA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D72545E push ecx; ret	4_2_6D725471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EB000 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EB29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6EB000 push ecx; mov dword ptr [esp], 00000000h	4_2_6D6EB688

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 3.0 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D737B99 FindFirstFileExW,

4_2_6D737B99

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D6D1920 GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,Sleep,GetModuleHandleA,LdrInitializeThunk,EnumWindows,

4_2_6D6D1920

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D725853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_6D725853

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D721500 QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_6D721500

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D738D9A GetProcessHeap,

4_2_6D738D9A

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D724EF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6D724EF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D725853 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6D725853
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D728776 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6D728776

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\main.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D72566F cpuid

4_2_6D72566F

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: QueryPerformanceFrequency,QueryPerformanceCounter,GetKeyboardLayout,GetLocaleInfoA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,		4_2_6D721500
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetKeyboardLayout,GetLocaleInfoA,		4_2_6D7214C0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6D7259B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_6D7259B5

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
main.dll	47%	ReversingLabs	Win32.PUA.GameHack
main.dll	56%	Virustotal		Browse
main.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
s-part-0017.t-0009.fb-t-msedge.net	0%	Virustotal		Browse
time.windows.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	0%, Virustotal, Browse	unknown
time.windows.com	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533005
Start date and time:	2024-10-14 09:45:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	main.dll
Detection:	MAL
Classification:	mal56.winDLL@7/5@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 20.42.65.92
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:46:23	API Interceptor	1x Sleep call for process: loaddll32.exe modified
03:46:47	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	file.exe	Get hash	malicious	Stealc	Browse	13.107.253.45
	https://verfiy-blue-badge-sign-up.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shaw-104167.square.site/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://attmailmanagementupdates2024.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://business.helpcaseappealcenter.eu/community-standard/346299132520232	Get hash	malicious	Unknown	Browse	13.107.253.45
	http://bervokter-pdf.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shawcawebmailserver.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://shaw-104167.square.site/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://businesssupport248.mfb72024.click/	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4bf71269e42599aca6dd6e6e3b744db6dcf1974_7522e4b5_f39e2f26-38ae-4b7c-88e0-3cfc3351528d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9328969788248272
Encrypted:	false
SSDEEP:	192:iq2PiWObr0BU/wjeTOkzuiFqZ24IO84ci:2iXb4BU/wje/zuiFqY4IO84ci
MD5:	43C37E97A100A1082D195F0B97BD2CA1
SHA1:	7D18B985607EE144B4B8D9FBDB2DECB70D32F2B8
SHA-256:	B45DCB7156FC0C8D0908B550FF409132B4EA462A6E8DBC7B55123A79CD782FEB
SHA-512:	1E77005443F83CB98B837F037277562CCBFED92611A5BC3BEAD40A1BD8893423A2DEEFD74FDFE210402B49DE44C80531EEBDEC75EBE296BF0B0AD94D58622164
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.6.5.5.8.5.4.8.9.2.3.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.6.5.5.8.5.9.8.9.2.0.8.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.9.e.2.f.2.6.-.3.8.a.e.-.4.b.7.c.-.8.8.e.0.-.3.c.f.c.3.3.5.1.5.2.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.3.1.3.f.8.0.-.a.6.8.4.-.4.3.b.e.-.b.7.5.8.-.7.d.d.4.2.e.4.b.f.4.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.0.-.0.0.0.1.-.0.0.1.4.-.4.0.1.1.-.9.8.2.a.0.d.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A98.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 14 07:46:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	54648
Entropy (8bit):	2.166253177348043
Encrypted:	false
SSDEEP:	192:So5i+7J2O5H4wm3m0pFQf7uFuaYvhLWlQcwGdfZUoWFBAXj:J7JB5HtmNQKFwCLbfZeKj
MD5:	70EA19CBE7E45F6A701A2786931DA57A
SHA1:	D586896C2FC0CF08C31BDAD949DE63D0213AD4C1
SHA-256:	18563F283FF6A1B0FEE33AEE07716CC1ADF1C927E5F54F9677EB02B0CD57A2FC
SHA-512:	ACFC3FEFCEB42109DE220D5568412534B3E7518AC3447D7A8E9FF55EED56F95BA300224E878E0A6CB468F255C7A96B18C665EF3A231BBDDC740516D9B8BB080C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Q..g........................l................1..........T.......8...........T...........................8...........$...............................................................................eJ..............GenuineIntel............T...........O..g.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B73.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.694012503883682
Encrypted:	false
SSDEEP:	192:R6l7wVeJrY6yd6YYx6rgmf88MprV89boRsfu4m:R6lXJ06yd6Y+6rgmf88roKf4
MD5:	2AFDE0A055215E71F1654D9040B75F1E
SHA1:	5C62387567469A769930275B8C797A31114A668F
SHA-256:	5535EFFA6CCAD4D85662029DB0354CD2E19EFA1370D0B9A0FB8D75B0AF97D66A
SHA-512:	6287328C03A635734157FEBA358094C17575160C6F8C8DF5AF55CCEC65A734BAA1464F4C966568BDDDD51A460DECC781EEADABA8373B6409CEC0F667AF316123
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BA3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.480821660060863
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9djOnWpW8VYHyYm8M4JCdPEFEXAP+q8vjP7HGScSgd:uIjf0I7zjD7VOJIAPKPHJ3gd
MD5:	9B029279EB4EE87AC08949429968FE72
SHA1:	894E2D51EEFFC8E26D9FD4C8BCA320260699D498
SHA-256:	F07912BFE0EECCE689A563938B89A36A4B7F6FCE760ACC6FF4E5B9DE182F6D62
SHA-512:	BC5F95B955F0703C1A9874A36A8057F3424F2CDFFD9FFEDC727311F8C39FA4AF4864C44999C95B4A274B766C7A8411B8CAFA3279D7ADD8EEA031DC0A722E700D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542809" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417470220345491
Encrypted:	false
SSDEEP:	6144:kcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Ji58oSWIZBk2MM6AFBWo
MD5:	C58733E8151AFB7FE0328DFE7F6DF803
SHA1:	BAA26D9AE70F420C27F141945DC058179B65C788
SHA-256:	4C254A286B8F0B35AF5AA6C68C0E10FCB308C063CE0AE9DA5B78D42EBF8C3C0B
SHA-512:	8F71098FCEF0034ADC114DC9F9C26C000B59ACB27F64C797E2F5820FD107342F770BB3E0B0155353374C5B26F6A34905A814061E069590EF64DAFB338E47BEBC
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.c.+................................................................................................................................................................................................................................................................................................................................................!...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.6820053479408899
TrID:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14% Win32 Dynamic Link Library (generic) (1002004/3) 49.67% Generic Win/DOS Executable (2004/3) 0.10% DOS Executable Generic (2002/1) 0.10% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	main.dll
File size:	4'952'064 bytes
MD5:	96d2a1bfbe79b68678b78017bf4ca532
SHA1:	c61e6222a42d858ab329eb5e0930b5274256c69d
SHA256:	5e97d896a427313467f598567f4dd60afc891f6b516faf3fc8d6379a7df40de4
SHA512:	0bc8ef5742d395692468d56966c3c9e640dbb34dcaf9922825067a69dc92f90574078553f3c2fb0052bce951939b869e19ab686470064422ffa9c7586c081bf6
SSDEEP:	24576:ab5Wyc+GYmc0guuEtMQxmbW0dH580xYIwzO0Zzp:ab8ysYm5ax580/wK0Zzp
TLSH:	6E36CF40B9EF80F5C46D20703028BBAF593E35844F2869F7B7D829695FE02D246F7966
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........G........................E............'.......'.......'..................1....'.......'......Rich...........................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1005543b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x663EA19F [Fri May 10 22:37:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	121cde6d75e4ec93f689fa0e0c5acf93

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4B41386E37h
call 00007F4B413873EEh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F4B41386CE3h
add esp, 0Ch
pop ebp
retn 000Ch
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F4B41386466h
jmp 00007F4B41386E12h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100B3100h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [100B3100h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1584	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb9000	0x4d04	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xadc58	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xadc80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xadb98	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x75000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x73c58	0x73e00	68764eb186630d00bbaea0eae1a71d26	False	0.5364456917475728	data	6.675785525089795	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x75000	0x3d368	0x3d400	5061f20512dd222c15fb4541ba229533	False	0.6918925382653062	data	6.723426334145537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb3000	0x5880	0x2c00	c9bc63a30a9cbfd13c16c08a2eb6b509	False	0.1768465909090909	data	4.4110269978489445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xb9000	0x4d04	0x4e00	c2c8bf72306f8c9f53b02ec069001b42	False	0.7590645032051282	data	6.7013028056733654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
WINHTTP.dll	WinHttpConnect, WinHttpSendRequest, WinHttpCloseHandle, WinHttpOpenRequest, WinHttpReadData, WinHttpReceiveResponse, WinHttpOpen, WinHttpQueryDataAvailable
OPENGL32.dll	wglGetCurrentDC
USER32.dll	EnumWindows, WindowFromDC, GetWindowThreadProcessId, GetKeyState, GetMessageExtraInfo, ScreenToClient, ClientToScreen, TrackMouseEvent, GetKeyboardLayout, GetForegroundWindow, LoadCursorW, SetCursor, GetClientRect, IsWindowUnicode, SetCursorPos, GetCursorPos, OpenClipboard, CloseClipboard, EmptyClipboard, GetClipboardData, SetClipboardData, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, GetSystemMetrics, SendInput
OLEAUT32.dll	SysStringLen, SafeArrayPutElement, SysAllocString, SysFreeString, SafeArrayGetLBound, SafeArrayDestroy, VariantInit, SafeArrayGetUBound, SafeArrayGetElement, SafeArrayCreateVector
KERNEL32.dll	GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetFileSizeEx, GetConsoleOutputCP, WriteFile, FlushFileBuffers, ReadConsoleW, GetConsoleMode, SetFilePointerEx, GetFileType, GetStdHandle, LCMapStringW, HeapFree, HeapAlloc, ReadFile, ExitProcess, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, SetLastError, InterlockedFlushSList, RtlUnwind, VirtualFree, GetCurrentProcess, GetModuleHandleA, Sleep, CloseHandle, CreateThread, GetProcAddress, GetCurrentProcessId, FreeLibrary, WideCharToMultiByte, K32QueryWorkingSetEx, VirtualProtect, VirtualAlloc, EnterCriticalSection, LeaveCriticalSection, GetStringTypeW, MultiByteToWideChar, GetLastError, IsProcessorFeaturePresent, DeleteCriticalSection, CreateToolhelp32Snapshot, Module32FirstW, GetModuleHandleW, Module32NextW, VirtualQuery, GetModuleFileNameW, VirtualFreeEx, GetCurrentThreadId, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, LoadLibraryA, GetLocaleInfoA, QueryPerformanceFrequency, QueryPerformanceCounter, RaiseException, FreeLibraryWhenCallbackReturns, DecodePointer, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceComplete, InitOnceBeginInitialize, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, LocalFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, SetStdHandle, CreateFileW, HeapSize, HeapReAlloc, SetEndOfFile, WriteConsoleW, CreateThreadpoolWork
IMM32.dll	ImmSetCompositionWindow, ImmSetCandidateWindow, ImmReleaseContext, ImmGetContext

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 09:46:19.218103886 CEST	60664	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 09:46:19.218103886 CEST	192.168.2.7	1.1.1.1	0xc607	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 09:46:19.225965023 CEST	1.1.1.1	192.168.2.7	0xc607	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:20.955857992 CEST	1.1.1.1	192.168.2.7	0x8aa9	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:20.955857992 CEST	1.1.1.1	192.168.2.7	0x8aa9	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 09:46:20.955857992 CEST	1.1.1.1	192.168.2.7	0x8aa9	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:46:23
Start date:	14/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\main.dll"
Imagebase:	0xdd0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:46:23
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:46:23
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:46:23
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\main.dll",#1
Imagebase:	0xea0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:46:25
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 776
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	91
Total number of Limit Nodes:	6

Executed Functions

Function 6D6D1920 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 130
librarysleeploaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 6D6D195D
GetProcAddress.KERNEL32(00000000,wglSwapBuffers), ref: 6D6D196B
Sleep.KERNELBASE(000003E8), ref: 6D6D19AF

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

GetModuleHandleA.KERNEL32(d3d9.dll), ref: 6D6D19D1
LdrInitializeThunk.NTDLL(00000000,Direct3DCreate9), ref: 6D6D19D9
EnumWindows.USER32(6D6D18E0,00000000), ref: 6D6D1A15

Strings

opengl32.dll, xrefs: 6D6D1934
d3d9.dll, xrefs: 6D6D19CC
wglSwapBuffers, xrefs: 6D6D1965
Direct3DCreate9, xrefs: 6D6D19D3

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$HandleModuleProtect$AddressEnumFreeInitializeProcSleepThunkWindows
String ID: Direct3DCreate9$d3d9.dll$opengl32.dll$wglSwapBuffers
API String ID: 1689101902-4056170655
Opcode ID: aa1b371d993831bc0c07ca2bfd3b3a23d3a9eccec6e16676046de20b66444eba
Instruction ID: dd67272a758e8f92ec7bace90b10b621593a1b8b92b0b10b8ad4a49f5dc17b2d
Opcode Fuzzy Hash: aa1b371d993831bc0c07ca2bfd3b3a23d3a9eccec6e16676046de20b66444eba
Instruction Fuzzy Hash: 0851D370908380AFD701CF64C948B1BBBF5AF8E315F10896DF5849B291D7B4A684CB97

Function 6D725255 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D72529C
___scrt_uninitialize_crt.LIBCMT ref: 6D7252B6

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c3858dd4c15b6b80ed236c838e0dff26652769ab04952397d347a1d52f90b755
Instruction ID: a3f77a774e5a3926c0bff74cc4468d53fb2777285f79fc367c80bcdc72393f85
Opcode Fuzzy Hash: c3858dd4c15b6b80ed236c838e0dff26652769ab04952397d347a1d52f90b755
Instruction Fuzzy Hash: 17412972D082D5AFCB118F58EA44BBE76B4EF41779F11443AE94457145C7708E018BE2

Function 6D725305 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6D725342
dllmain_crt_dispatch.LIBCMT ref: 6D725359
dllmain_raw.LIBCMT ref: 6D7253A1
dllmain_crt_dispatch.LIBCMT ref: 6D7253B4
dllmain_raw.LIBCMT ref: 6D7253C7

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 27e87ca9fb75beb0ab6822b0f36cd6c60b88ba24af5f39854ad32c9975aa5d9e
Instruction ID: 72bad71ea95c195fc5a8a63f600a948b605a017b0aa8656a9a7f181d66fc5a65
Opcode Fuzzy Hash: 27e87ca9fb75beb0ab6822b0f36cd6c60b88ba24af5f39854ad32c9975aa5d9e
Instruction Fuzzy Hash: 1D21D371D0459AAFCB218E14EE44A7F3A78EB817B8F024426F85867219C7708E018BE2

Function 6D6D1560 Relevance: 4.6, APIs: 3, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000005,00003000,00000040,?,?,771AF550,opengl32.dll), ref: 6D6D15BF
VirtualProtect.KERNELBASE(771B0A60,00000005,00000040,?,?,?,771AF550,opengl32.dll), ref: 6D6D1615
VirtualProtect.KERNELBASE(?,00000005,?,?,?,?,?,?,?,771AF550,opengl32.dll), ref: 6D6D1647

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: ab0f1b2d8e17c653d16ef091e042a98b0221c3421fe841742b8f0716c2d2a15f
Instruction ID: 3f7f467c57d36a93bd448122b84d19b27dc078cce6b404bdfdd0fc5747dfe8f8
Opcode Fuzzy Hash: ab0f1b2d8e17c653d16ef091e042a98b0221c3421fe841742b8f0716c2d2a15f
Instruction Fuzzy Hash: E7313971A04346AFD701DF78EC84B5ABFACFF05268F01022AF55887281D775E91887E2

Function 6D6D1660 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID:
API String ID: 3866829018-0
Opcode ID: 6d90bc96112bc3399168131d41dc84df37c49da1dbcf5301c239e715547bc8a6
Instruction ID: 0911e6e9273294860a82664a8969e23105e3a6d47087b1e0a916b8892434dc2f
Opcode Fuzzy Hash: 6d90bc96112bc3399168131d41dc84df37c49da1dbcf5301c239e715547bc8a6
Instruction Fuzzy Hash: 79F0AFB6104388BFEB119E60EC48FAA7BACEB89614F14411AFA4996051D774E448C765

Function 6D72514E Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6D72519B

Part of subcall function 6D725A4D: InitializeSListHead.KERNEL32(6D7860F8,6D7251A5,6D780CC0,00000010,6D725136,?,?,?,6D72535E,?,00000001,?,?,00000001,?,6D780D08), ref: 6D725A52

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D725205

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: fabc4d1e830ac67bba4d655ce25b88d6e9fec7e5107455adb032c6130aed91d4
Instruction ID: c8ae481a433fbead98b152244498a172e0379618fc23423ceaf49f3ee6ef41d0
Opcode Fuzzy Hash: fabc4d1e830ac67bba4d655ce25b88d6e9fec7e5107455adb032c6130aed91d4
Instruction Fuzzy Hash: 6421C0765492D2AFDB01ABB8B7097BC37B09F1633DF12403BD6916B2C6DB31024086A7

Function 6D73456D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6D7345B9
GetFileType.KERNELBASE(00000000), ref: 6D7345CB

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 982feb22f2f1fd25ee3fc8ecc87f03050bc0d447abcf91ea7445b93ef8a7a82d
Instruction ID: c70fe1fc538a14777857d50fbc203745a1c1bae3bf49184f432f17c9cd59add3
Opcode Fuzzy Hash: 982feb22f2f1fd25ee3fc8ecc87f03050bc0d447abcf91ea7445b93ef8a7a82d
Instruction Fuzzy Hash: 8F11DD319087628AC7294D3D8E89736BAD4A74F238B25073BD4B6865F3C372D591A143

Function 6D6D1B00 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,6D6D1920,00000001,00000000,00000000), ref: 6D6D1B21
CloseHandle.KERNELBASE(00000000,?,6D72535E,?,00000001,?,?,00000001,?,6D780D08,0000000C,6D725457,?,00000001,?), ref: 6D6D1B28

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: b39fe098af5774b76a596f482b3d9add5cbf9a6077f1ccecf3ab33da0ae7fbe0
Instruction ID: 029d1b8aac27a118283eea2122bcf47fc241d1b570172eec77959c61da0bd02b
Opcode Fuzzy Hash: b39fe098af5774b76a596f482b3d9add5cbf9a6077f1ccecf3ab33da0ae7fbe0
Instruction Fuzzy Hash: F1D01738248300BBE7615FA09C49F2DB7B0E74A702F60842AF6049A1D0C3B49040CA16

Non-executed Functions

Function 6D6E21D0 Relevance: 127.2, APIs: 7, Strings: 65, Instructions: 1234threadCOMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008,BEFF0931,?,?,?,?,?,?,?,6D743EC5,000000FF,?,?,?,6D6D177F), ref: 6D6E2238

Part of subcall function 6D6D9160: K32QueryWorkingSetEx.KERNEL32(?,00000008,?), ref: 6D6D9177

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000008,00000000,Freedom v0.94.3 DEV [6e79672] is Loading!,000000FF,00000000,00000000), ref: 6D6E22AB

Part of subcall function 6D6DE1B0: VirtualProtect.KERNEL32(00000000,00000000,00000040,5nm,00000000,771B04C0,?,6D6E0106,?,6D6DE58D,00000000,?,?,?,6D6E35EA), ref: 6D6DE202
Part of subcall function 6D6DE1B0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE222

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

Part of subcall function 6D6E01D0: VirtualProtect.KERNEL32(00000000,00000000,00000040,6D6E30DA,00000000,?,?,6D6E30DA), ref: 6D6E01F1
Part of subcall function 6D6E01D0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E30DA), ref: 6D6E0211

Part of subcall function 6D6DFC40: VirtualProtect.KERNEL32(00000000,00000000,00000040,6D6E321D,00000000,?,?,6D6E321D), ref: 6D6DFC61
Part of subcall function 6D6DFC40: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E321D), ref: 6D6DFC81

Part of subcall function 6D6DFB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D786BA0,000000FF,00000000,00000000,00000000,00000000,?,6D786FA0,?,6D6E32DD,6D786B18,6D786B20), ref: 6D6DFBB4
Part of subcall function 6D6DFB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D786FA0,00000000,?,6D786FA0,?,6D6E32DD,6D786B18,6D786B20), ref: 6D6DFBC5

CreateThread.KERNEL32(00000000,00000000,6D6DE0B0,00000000,00000000,00000000), ref: 6D6E3586
CloseHandle.KERNEL32(00000000), ref: 6D6E358D
UnhookWindowsHookEx.USER32 ref: 6D6E35D5
std::_Throw_Cpp_error.LIBCPMT ref: 6D6E36E9
std::_Throw_Cpp_error.LIBCPMT ref: 6D6E3739

Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE2ED
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE309
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE330
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE34C
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE373
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE38F
Part of subcall function 6D6DE2A0: VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE3DB

Strings

Mods, xrefs: 6D6E25CD
Open Replay Preview in-game to Select a Replay, xrefs: 6D6E2BD0
Mods, xrefs: 6D6E2C05
Discord RPC Settings, xrefs: 6D6E31D2
Freedom, xrefs: 6D6E2326
T;xm, xrefs: 6D6E3143
Rescan Memory, xrefs: 6D6E355A
Large Text, xrefs: 6D6E32FB
Right Click, xrefs: 6D6E289C
Unmod Hidden, xrefs: 6D6E2F86
@mrflashstudio, xrefs: 6D6E36A1
Selected Replay, xrefs: 6D6E2BF0
SingleTap Mode, xrefs: 6D6E28DC
Unmod Flashlight, xrefs: 6D6E2F22
##rpc_state, xrefs: 6D6E32A5
Debug, xrefs: 6D6E2646
Replay Keys, xrefs: 6D6E2EBC
SingleTap, xrefs: 6D6E28CB
h;xm, xrefs: 6D6E2A43
##settings, xrefs: 6D6E2487
Special Thanks to Maple Syrup, xrefs: 6D6E3694
Player, Accuracy, Mods, xrefs: 6D6E2C3B
Replay Aim, xrefs: 6D6E2E5E
Hardrock, xrefs: 6D6E2D7F
##tab_content, xrefs: 6D6E26F3
##font_size, xrefs: 6D6E3415
Replay Author, xrefs: 6D6E2C1B
##fraction_modifier, xrefs: 6D6E2A56
Aimbot, xrefs: 6D6E253E, 6D6E254A
Variable Unstable Rate, xrefs: 6D6E2973
Hold Ctrl To Set a Custom Value, xrefs: 6D6E3163
(Detected!), xrefs: 6D6E3040
Misc, xrefs: 6D6E25E1
Enable, xrefs: 6D6E27AF, 6D6E29F4, 6D6E2AE3, 6D6E2C63, 6D6E30B7, 6D6E31FA
About, xrefs: 6D6E2602
Relax, xrefs: 6D6E2515, 6D6E2521
##rpc_small_text, xrefs: 6D6E3369
lAxm, xrefs: 6D6E3003
Difficulty, xrefs: 6D6E24F8
State, xrefs: 6D6E3299
Left Click, xrefs: 6D6E2871
##rpc_large_text, xrefs: 6D6E3307
Usage: Open Replay Preview in-game to Select a Replay, xrefs: 6D6E2D3D
Ciremun's Freedom v0.94.3 DEV [6e79672], xrefs: 6D6E3671
%s - %.2f%% - %ux - %s, xrefs: 6D6E2C20
Font Size: %dpx, xrefs: 6D6E33FD
Replay, xrefs: 6D6E2590, 6D6E259C
lAxm, xrefs: 6D6E2FF2
Jumping Unstable Rate Window, xrefs: 6D6E29BB
Convert Replay to/from Hardrock, xrefs: 6D6E2E36
Unload DLL, xrefs: 6D6E35B3
Alternate Mode, xrefs: 6D6E292E
Score Multiplier, xrefs: 6D6E3085
Press Keys According to Replay Data, xrefs: 6D6E2EE6
##score_multiplier, xrefs: 6D6E3148
Aim According to Replay Data, xrefs: 6D6E2E88
Score Multiplier: %.0f, xrefs: 6D6E313E
Freedom v0.94.3 DEV [6e79672] is Loading!, xrefs: 6D6E2298, 6D6E236C
Alternate, xrefs: 6D6E291D
Timewarp, xrefs: 6D6E2567, 6D6E2573
Memory Scan: %.0f%%, xrefs: 6D6E23B2
Small Text, xrefs: 6D6E335D
##timewarp_scale, xrefs: 6D6E2B7E
Cursor Delay: %.2f, xrefs: 6D6E2A51
Timewarp Scale: %.2lf, xrefs: 6D6E2B65

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$ByteCharMultiWide$Cpp_errorQueryThrow_Workingstd::_$CloseCreateFreeHandleHookThreadUnhookWindows
String ID: ##font_size$##fraction_modifier$##rpc_large_text$##rpc_small_text$##rpc_state$##score_multiplier$##settings$##tab_content$##timewarp_scale$%s - %.2f%% - %ux - %s$(Detected!)$@mrflashstudio$About$Aim According to Replay Data$Aimbot$Alternate$Alternate Mode$Ciremun's Freedom v0.94.3 DEV [6e79672]$Convert Replay to/from Hardrock$Cursor Delay: %.2f$Debug$Difficulty$Discord RPC Settings$Enable$Font Size: %dpx$Freedom$Freedom v0.94.3 DEV [6e79672] is Loading!$Hardrock$Hold Ctrl To Set a Custom Value$Jumping Unstable Rate Window$Large Text$Left Click$Memory Scan: %.0f%%$Misc$Mods$Mods$Open Replay Preview in-game to Select a Replay$Player, Accuracy, Mods$Press Keys According to Replay Data$Relax$Replay$Replay Aim$Replay Author$Replay Keys$Rescan Memory$Right Click$Score Multiplier$Score Multiplier: %.0f$Selected Replay$SingleTap$SingleTap Mode$Small Text$Special Thanks to Maple Syrup$State$T;xm$Timewarp$Timewarp Scale: %.2lf$Unload DLL$Unmod Flashlight$Unmod Hidden$Usage: Open Replay Preview in-game to Select a Replay$Variable Unstable Rate$h;xm$lAxm$lAxm
API String ID: 4285642291-385318363
Opcode ID: 8945183f6b342c5776985cce96428af725b4322c21b81a02b051225c8f33cf18
Instruction ID: 5f7a6d48d51087938573590cfd30e4852ef54449c79b3d5e62537806510c363e
Opcode Fuzzy Hash: 8945183f6b342c5776985cce96428af725b4322c21b81a02b051225c8f33cf18
Instruction Fuzzy Hash: 7EB215B0E082059BDF10CF64CA01BB9B7B2AF4F35DF150578DA056B292DB316945CBA7

Function 6D6DCC20 Relevance: 25.0, APIs: 5, Strings: 9, Instructions: 505processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000018,00000000), ref: 6D6DCC5E
Module32FirstW.KERNEL32(00000000,?), ref: 6D6DCC79
Module32NextW.KERNEL32(00000000,?), ref: 6D6DCCAF
CloseHandle.KERNEL32(00000000), ref: 6D6DCCC3
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 6D6DCCD1

Strings

(Mwm, xrefs: 6D6DCFDC
dNwm, xrefs: 6D6DD1B4
(Mwm, xrefs: 6D6DD002
:xm, xrefs: 6D6DCD5B
LMwm, xrefs: 6D6DD024
Nwm, xrefs: 6D6DD196
dNwm, xrefs: 6D6DD1E0
Memory Scan Took: %lfs, xrefs: 6D6DCD9E
osu!.exe, xrefs: 6D6DCC97

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Module32$CloseCreateFirstHandleNextQuerySnapshotToolhelp32Virtual
String ID: :xm$ Nwm$(Mwm$(Mwm$LMwm$Memory Scan Took: %lfs$dNwm$dNwm$osu!.exe
API String ID: 1628813743-3760460330
Opcode ID: cc8171ebb9afd1c0b5c3f91d9964e62736d76664eab7899a9839adb2016799f0
Instruction ID: 375ea825bd3911e0046cd9b35d11a5a144161361ee8324a665fca19c62b18ec0
Opcode Fuzzy Hash: cc8171ebb9afd1c0b5c3f91d9964e62736d76664eab7899a9839adb2016799f0
Instruction Fuzzy Hash: F412F0706082469FDB60DF2498807BABBB0FB8F369F25897DD5868B245D3309585CF93

Function 6D6E7959 Relevance: 23.7, Strings: 18, Instructions: 1180COMMON

Download Yara Rule

Strings

0000, xrefs: 6D6E8044
0, xrefs: 6D6E7FE3
0000, xrefs: 6D6E8184
_KMGT, xrefs: 6D6E8311
0123456789ABCDEFXP, xrefs: 6D6E795D
_kMGT, xrefs: 6D6E830C
i, xrefs: 6D6E833A
, xrefs: 6D6E8D01
0000, xrefs: 6D6E88F4
XCxm, xrefs: 6D6E8704, 6D6E8718
gfff, xrefs: 6D6E7C11
+, xrefs: 6D6E7BBB
gfff, xrefs: 6D6E7BD9
0000, xrefs: 6D6E8B84
0123456789abcdefxp, xrefs: 6D6E7962
., xrefs: 6D6E7FEF
, xrefs: 6D6E86ED
0, xrefs: 6D6E81DC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $+$.$0$0$0000$0000$0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCxm$_KMGT$_kMGT$gfff$gfff$i
API String ID: 0-2124530759
Opcode ID: 8689f2086fac7d2a40b9f9f2897bb8da0e86e8ba6903c62e94d596f879315c24
Instruction ID: a8f6b227c2f99febed098375f2c18860c15cf05735fc331b31de1ed49f1de5e9
Opcode Fuzzy Hash: 8689f2086fac7d2a40b9f9f2897bb8da0e86e8ba6903c62e94d596f879315c24
Instruction Fuzzy Hash: ADA28971A0E7828FD305CF29C48026BBBE2BFD9784F148A2DE499D7365D731D9458B82

Function 6D6DDAF0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 321memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(win32u.dll,00000001), ref: 6D6DDB0A
GetProcAddress.KERNEL32(00000000,NtUserSendInput), ref: 6D6DDB1A

Part of subcall function 6D6DFB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D786BA0,000000FF,00000000,00000000,00000000,00000000,?,6D786FA0,?,6D6E32DD,6D786B18,6D786B20), ref: 6D6DFBB4
Part of subcall function 6D6DFB80: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D786FA0,00000000,?,6D786FA0,?,6D6E32DD,6D786B18,6D786B20), ref: 6D6DFBC5

VirtualProtect.KERNEL32(00000000,00000005,00000040,?), ref: 6D6DDBC3
VirtualProtect.KERNEL32(00000000,00000005,?,?), ref: 6D6DDBEA

Strings

NtUserSendInput, xrefs: 6D6DDB14
[!] win32u.dll is null, xrefs: 6D6DDB30
win32u.dll, xrefs: 6D6DDB05
[!] '%s' wasn't found, xrefs: 6D6DDB7A
<kxm, xrefs: 6D6DE061
lAxm, xrefs: 6D6DE096
?xm, xrefs: 6D6DDD69
[!] NtUserSendInput is null, xrefs: 6D6DDB29
:xm, xrefs: 6D6DDB66

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiProtectVirtualWide$AddressHandleModuleProc
String ID: :xm$<kxm$NtUserSendInput$[!] '%s' wasn't found$[!] NtUserSendInput is null$[!] win32u.dll is null$lAxm$win32u.dll$?xm
API String ID: 3533231508-3253101940
Opcode ID: 2300e8cb93af9cbf9f8024703a00d01e5cdb50d2dbcc136b092b3b79ee790cff
Instruction ID: 4ae4d0aa310db4df8344ac5acdb8897a4411fa8ad5ac7b359a819ae2694423a1
Opcode Fuzzy Hash: 2300e8cb93af9cbf9f8024703a00d01e5cdb50d2dbcc136b092b3b79ee790cff
Instruction Fuzzy Hash: 1FE18EB0D183829BEB41CF24D94572AFBF1BB9B319F20563DE49446242E7709688CF93

Function 6D721500 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,00000026,?,?,?,?,?,?,?,?,?,6D6E1DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D743E83,00000000), ref: 6D72151D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6D6E1DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D743E83,00000000), ref: 6D721530
GetKeyboardLayout.USER32(00000000), ref: 6D7215A7
GetLocaleInfoA.KERNEL32(00000000,20001004,-00000024,00000004,?,?,?,?,?,?,?,?,6D6E1DDA,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D743E83,00000000), ref: 6D7215BC
LoadLibraryA.KERNEL32(6D776EA0), ref: 6D721614
GetProcAddress.KERNEL32(00000000,XInputGetCapabilities), ref: 6D721646
GetProcAddress.KERNEL32(00000000,XInputGetState), ref: 6D721651

Strings

nwm, xrefs: 6D7215FB
XInputGetCapabilities, xrefs: 6D72163D
XInputGetState, xrefs: 6D721648

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AddressPerformanceProcQuery$CounterFrequencyInfoKeyboardLayoutLibraryLoadLocale
String ID: XInputGetCapabilities$XInputGetState$nwm
API String ID: 2839060773-2824473317
Opcode ID: 845af3bf73b083763a4a292c53c5f7476a46a04741a5d10f5799473a56a869da
Instruction ID: 642085b3ea983b97848459293edd8ab0040b7ac9e9efd18ad04b8ef35140687a
Opcode Fuzzy Hash: 845af3bf73b083763a4a292c53c5f7476a46a04741a5d10f5799473a56a869da
Instruction Fuzzy Hash: 9F41B171A04751AFDB40DF29C645B6AFBF4BB49324F41096EE94997200DB71E504CBD3

Function 6D6E767E Relevance: 17.1, Strings: 13, Instructions: 883COMMON

Download Yara Rule

Strings

x, xrefs: 6D6E77A1
0, xrefs: 6D6E7791
., xrefs: 6D6E77CB
+, xrefs: 6D6E786C
gfff, xrefs: 6D6E78A5
0123456789ABCDEFXP, xrefs: 6D6E7690
, xrefs: 6D6E8D01
0000, xrefs: 6D6E88F4
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E8B84
0123456789abcdefxp, xrefs: 6D6E7682
, xrefs: 6D6E86ED
gfff, xrefs: 6D6E78E1

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $+$.$0$0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCxm$gfff$gfff$x
API String ID: 0-2996369569
Opcode ID: 14276a974d2f2b511dc3ef5085c88028956c2ef5b0f04d93e0d82ec26f8495e8
Instruction ID: ad1d440c8d1db79c9476a547701a943478951e86cc102e258e7fdcab989672db
Opcode Fuzzy Hash: 14276a974d2f2b511dc3ef5085c88028956c2ef5b0f04d93e0d82ec26f8495e8
Instruction Fuzzy Hash: B4729A71A0E3828FD314CF29C48036BBBE2AFD9794F14892EE499D7365D775C8458B82

Function 6D721EA0 Relevance: 16.7, APIs: 11, Instructions: 192keyboardCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 6D721ED2
QueryPerformanceCounter.KERNEL32(?), ref: 6D721F0E
GetForegroundWindow.USER32 ref: 6D721F6A
ClientToScreen.USER32(?,?), ref: 6D721FA1
SetCursorPos.USER32(?,?,?,?), ref: 6D721FB3
GetCursorPos.USER32(?), ref: 6D721FCD
ScreenToClient.USER32(00000000,?), ref: 6D721FDE
GetKeyState.USER32(000000A0), ref: 6D722024
GetKeyState.USER32(000000A1), ref: 6D72206A
GetKeyState.USER32(0000005B), ref: 6D7220AD
GetKeyState.USER32(0000005C), ref: 6D7220F0

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: e5342fcf66d98c9d18893f249a37270f4170468bf23a0a7607eb1f055f3befed
Instruction ID: adff16d3b7e95d0f2c693ee6f9042e5015bfc875090cbb571b30dfa88fab892f
Opcode Fuzzy Hash: e5342fcf66d98c9d18893f249a37270f4170468bf23a0a7607eb1f055f3befed
Instruction Fuzzy Hash: CE81E370A183859FEB22CF30CA44BBABBF1AF4A314F14467AF95566192C770E484CB53

Function 6D7227B9 Relevance: 15.2, APIs: 10, Instructions: 209keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6D7227E8
GetKeyState.USER32(00000010), ref: 6D72281F
GetKeyState.USER32(00000012), ref: 6D722856
GetKeyState.USER32(0000005D), ref: 6D72288D
GetKeyState.USER32(000000A0), ref: 6D722944
GetKeyState.USER32(000000A1), ref: 6D72296A
GetKeyState.USER32(000000A2), ref: 6D7229A1
GetKeyState.USER32(000000A3), ref: 6D7229C7
GetKeyState.USER32(000000A4), ref: 6D722A02
GetKeyState.USER32(000000A5), ref: 6D722A28

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 058bc4035a03047aaea244c6304f75ef23474f8810c513f10e92ba280a9519be
Instruction ID: 97406707622c552188a8e734b06ef7908787201d5285599b8151650b853d62a1
Opcode Fuzzy Hash: 058bc4035a03047aaea244c6304f75ef23474f8810c513f10e92ba280a9519be
Instruction Fuzzy Hash: CA514021A6C2D90AE721A9785D403ED7BA29FA3329F05093AFDD45B2C2D653C14E8793

Function 6D6DD370 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 467COMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D6DD750
K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D6DD778

Strings

TOwm, xrefs: 6D6DD884
vOwm, xrefs: 6D6DD8A4
Owm, xrefs: 6D6DD6B0
Nwm, xrefs: 6D6DD544
$Owm, xrefs: 6D6DD6CB
Owm, xrefs: 6D6DD674

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: QueryWorking
String ID: Owm$ Owm$$Owm$TOwm$vOwm$Nwm
API String ID: 380726023-1832386042
Opcode ID: 10d31d71e77da630c94cb7332994f7d3948aaf9296cd94e413cb095562c832ae
Instruction ID: fb7162113a0359597e7423711a79e949c75999edbc19f4c31ebf99efb2267ac6
Opcode Fuzzy Hash: 10d31d71e77da630c94cb7332994f7d3948aaf9296cd94e413cb095562c832ae
Instruction Fuzzy Hash: 6302E0716003469FDB61DF24D880BBABBE5BB8A319F28457ED859C7241E730DA45CF82

Function 6D6FDFE0 Relevance: 13.5, APIs: 9, Instructions: 44clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 6D6FDFE2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6D6FDFFF
GlobalAlloc.KERNEL32(00000002), ref: 6D6FE011
GlobalLock.KERNEL32(00000000), ref: 6D6FE01E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6D6FE033
GlobalUnlock.KERNEL32(00000000), ref: 6D6FE03A
EmptyClipboard.USER32 ref: 6D6FE040
SetClipboardData.USER32(0000000D,00000000), ref: 6D6FE049
GlobalFree.KERNEL32(00000000), ref: 6D6FE054

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Global$Clipboard$ByteCharMultiWide$AllocDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 731863220-0
Opcode ID: a03fd085e3eacfe2c3fba5c7da555df120e3abad02144f9b5c107c0f7303ce2a
Instruction ID: 97cda31c5c4c9656996e2efc39b569e4e10fd4a16eaef7c2a00eb8b562f3ca68
Opcode Fuzzy Hash: a03fd085e3eacfe2c3fba5c7da555df120e3abad02144f9b5c107c0f7303ce2a
Instruction Fuzzy Hash: 48011235145615BBEB123B61AC0DF7EBA78EB0A762F104237F612A51D0DB70544186A3

Function 6D6FDF00 Relevance: 12.1, APIs: 8, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 6D6FDF39
GetClipboardData.USER32(0000000D), ref: 6D6FDF49
CloseClipboard.USER32 ref: 6D6FDF55
GlobalLock.KERNEL32(00000000), ref: 6D6FDF62
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 6D6FDF83
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000,00000000), ref: 6D6FDFB1
GlobalUnlock.KERNEL32(00000000), ref: 6D6FDFB9
CloseClipboard.USER32 ref: 6D6FDFBF

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlock
String ID:
API String ID: 846020896-0
Opcode ID: 3153da0794eba0b851a28a129b924e1d847e4a31baa94988d80d05db9d86537e
Instruction ID: b05a95ea6119dbf330d24ca9c513af98fe1b7d944eb2bee28e0cb88b30af3512
Opcode Fuzzy Hash: 3153da0794eba0b851a28a129b924e1d847e4a31baa94988d80d05db9d86537e
Instruction Fuzzy Hash: B711B975249202AFEB116F64EC4DFBA77B5EB0D761F24017BF909DD1D1DB70A0408A62

Function 6D6E7C75 Relevance: 10.8, Strings: 8, Instructions: 777COMMON

Download Yara Rule

Strings

@, xrefs: 6D6E7DEE
0123456789ABCDEFXP, xrefs: 6D6E7C81
, xrefs: 6D6E8D01
0000, xrefs: 6D6E88F4
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E8B84
0123456789abcdefxp, xrefs: 6D6E7C78
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$@$XCxm
API String ID: 0-2048253927
Opcode ID: a141e9152014ca6e72818b1e6ff88437689261561af3cdfa806cbf74ee2467bf
Instruction ID: fb0567bbeaaf896cc920aa9b580a90a5ae0375c1debb9ddfac9eadc686d4c62c
Opcode Fuzzy Hash: a141e9152014ca6e72818b1e6ff88437689261561af3cdfa806cbf74ee2467bf
Instruction Fuzzy Hash: 37528871A0E7828FD704CF29C48032BBBE2BFD9794F14892EE49997365D775C8458B82

Function 6D73B002 Relevance: 10.3, APIs: 1, Strings: 4, Instructions: 1555COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6D73B219

Strings

1#INF, xrefs: 6D73B138
1#QNAN, xrefs: 6D73B115
1#SNAN, xrefs: 6D73B10E
1#IND, xrefs: 6D73B107

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 42ad18fc4cd94d29613579470b09bfaad0845feace1a2d4751c12a7f0aa30b41
Instruction ID: 400313b4de112df7888755dbdda25f56bd8ec1e2c1a47a81fa402acdd40fc37f
Opcode Fuzzy Hash: 42ad18fc4cd94d29613579470b09bfaad0845feace1a2d4751c12a7f0aa30b41
Instruction Fuzzy Hash: 12D24B71E086398FDB65CE28CE407EAB7B5EB45325F1541EAD40DE7241D734AE818F82

Function 6D6ED700 Relevance: 9.7, APIs: 3, Strings: 2, Instructions: 929COMMON

Download Yara Rule

APIs

__libm_sse2_acos_precise.LIBCMT ref: 6D6EDC18
__floor_pentium4.LIBCMT ref: 6D6EDC40
__libm_sse2_cos_precise.LIBCMT ref: 6D6EDC9D

Strings

gfff, xrefs: 6D6ED745
Debug##Default, xrefs: 6D6EE69E

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: __floor_pentium4__libm_sse2_acos_precise__libm_sse2_cos_precise
String ID: Debug##Default$gfff
API String ID: 3895510629-3988733986
Opcode ID: 067935aef9b729b4159f70342f359d04fa34a47df457d6943795537e3882be9f
Instruction ID: e982b175d14462f4290459296c04db2e3760b584b6250d47afd5ae227dee6f53
Opcode Fuzzy Hash: 067935aef9b729b4159f70342f359d04fa34a47df457d6943795537e3882be9f
Instruction Fuzzy Hash: 4192C570A09B469FD719CF3AC4847E6F7A0BF49344F048729D8699B292E731B4A4CF91

Function 6D6E7A74 Relevance: 9.5, Strings: 7, Instructions: 729COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 6D6E7A7C
, xrefs: 6D6E8D01
0000, xrefs: 6D6E88F4
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E8B84
0123456789abcdefxp, xrefs: 6D6E7A81
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCxm
API String ID: 0-466007267
Opcode ID: b22b303714eccf6eafbc989b82ea9a70d3b696f7e8ddd064f08339a42bec90b9
Instruction ID: cbd8025b9bbd4ee493474294f690792ea11e03d4e425ad549a9a743e81328a0a
Opcode Fuzzy Hash: b22b303714eccf6eafbc989b82ea9a70d3b696f7e8ddd064f08339a42bec90b9
Instruction Fuzzy Hash: 9C528971A0E7828FD704CF29C48022BBBE2BFD9794F14892EE499D7365D775C8458B82

Function 6D6E7CE1 Relevance: 9.5, Strings: 7, Instructions: 721COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 6D6E7CFA
, xrefs: 6D6E8D01
0000, xrefs: 6D6E88F4
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E8B84
0123456789abcdefxp, xrefs: 6D6E7CF1
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$0123456789ABCDEFXP$0123456789abcdefxp$XCxm
API String ID: 0-466007267
Opcode ID: 60ce0183b2a9c79690f2c55775343c1d9d84efe9d6b0cf2ea78bb907041a38a0
Instruction ID: 0ec747fb755d49084c8a618b7417d932553d83d0eaff58dff0051b2507389628
Opcode Fuzzy Hash: 60ce0183b2a9c79690f2c55775343c1d9d84efe9d6b0cf2ea78bb907041a38a0
Instruction Fuzzy Hash: 80527871A0E7828FD704CF29C48032BBBE2BFD9794F14892EE49997365D775C8458B82

Function 6D6E9700 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 334COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6D6E997D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D6E99B4

Strings

NaN, xrefs: 6D6E9754
Inf, xrefs: 6D6E975B

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__aulldiv__ehfuncinfo$??2@
String ID: Inf$NaN
API String ID: 1185945948-3500518849
Opcode ID: 79814cbdb6cd2512ce7120666c2423231cf11d51a8b2a5ba263c307159c818ae
Instruction ID: eb6cb6a9e1df6ea0e8e3307a29353cf8ca3a4f34185b83693a9e5510e10dabcf
Opcode Fuzzy Hash: 79814cbdb6cd2512ce7120666c2423231cf11d51a8b2a5ba263c307159c818ae
Instruction Fuzzy Hash: 2EC1E431A1D3128BD715CF29C44062AF7E6FFD9398F158A2FF89997290D770D9018B82

Function 6D6E7E34 Relevance: 8.5, Strings: 6, Instructions: 977COMMON

Download Yara Rule

Strings

, xrefs: 6D6E8D01
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED
, xrefs: 6D6E7E34

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ $0000$0000$XCxm
API String ID: 0-3511033123
Opcode ID: 69a1bba95cafae62093059506e2d60efd2b223eff623c5ea42357773106b4949
Instruction ID: 6cceacec7345b783d81554ea17696223261282479c970e1ca244834c2f53aedb
Opcode Fuzzy Hash: 69a1bba95cafae62093059506e2d60efd2b223eff623c5ea42357773106b4949
Instruction Fuzzy Hash: 3A827971A0E7428FD304CF29C48022BFBE6BFD9794F148A2EE49997365D774D8458B82

Function 6D6E72E0 Relevance: 8.4, Strings: 6, Instructions: 900COMMON

Download Yara Rule

Strings

, xrefs: 6D6E75D0
, xrefs: 6D6E8D01
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $ $0000$0000$XCxm
API String ID: 0-3511033123
Opcode ID: 7ffa5e902acb91b9f98121f982edda4c0b9662ac97980142b2ec72be8fe8db93
Instruction ID: 47076778e72f539b05258a259648f581f363e2dfb8e729e37d6f9e648c1a53e6
Opcode Fuzzy Hash: 7ffa5e902acb91b9f98121f982edda4c0b9662ac97980142b2ec72be8fe8db93
Instruction Fuzzy Hash: B9729E71A0D7828FD705CF29C48022BFBE2BFDA794F148A2EE49587365D771D8458B82

Function 6D6E75E9 Relevance: 8.2, Strings: 6, Instructions: 708COMMON

Download Yara Rule

Strings

, xrefs: 6D6E8D01
null, xrefs: 6D6E75F4
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCxm$null
API String ID: 0-1262486499
Opcode ID: 128db7a973bc7186324caa7d3ccbf9d124bd30f9b038e19b9575e45d1ff1129f
Instruction ID: 2481d7f38bdf9dcb03b6451a02ab3e540fa50a06847adbffb5532ed2b140b193
Opcode Fuzzy Hash: 128db7a973bc7186324caa7d3ccbf9d124bd30f9b038e19b9575e45d1ff1129f
Instruction Fuzzy Hash: FE427971A0E7828FD704CF29C48022BBBE2AFD9794F14892EE499D7365D775C8458B82

Function 6D715F90 Relevance: 7.1, Strings: 3, Instructions: 3379COMMON

Download Yara Rule

Strings

dawm, xrefs: 6D7190FD
#SCROLLY, xrefs: 6D716602, 6D716639
hawm, xrefs: 6D719107

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: #SCROLLY$dawm$hawm
API String ID: 0-4162407635
Opcode ID: 97ce08e525106097113b1381327101d8d5eaeea08a56db3545ded8b2b62329d1
Instruction ID: 4196711d78b73bc4f00bac97d3382234c26783cc95f4a49a59b0caae606615b1
Opcode Fuzzy Hash: 97ce08e525106097113b1381327101d8d5eaeea08a56db3545ded8b2b62329d1
Instruction Fuzzy Hash: 5163ED30D0875A9FDB11CB65C9807EDFBB1BF4A314F0887AAD8586B291D7316985CF82

Function 6D6E7C69 Relevance: 7.0, Strings: 5, Instructions: 745COMMON

Download Yara Rule

Strings

, xrefs: 6D6E8D01
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCxm
API String ID: 0-422436263
Opcode ID: 95155e7c4d3a15e5a71b299773576d4dcd8d9023b1872a94b837e3d622c51bdc
Instruction ID: 2c8ec74dfcb29cef8b584d720f7b2459cb4a6ecfc28d4b59f95b90d561d1a55a
Opcode Fuzzy Hash: 95155e7c4d3a15e5a71b299773576d4dcd8d9023b1872a94b837e3d622c51bdc
Instruction Fuzzy Hash: 15528971A0E7828FD704CF29C48022BBBE2BFD9794F148A2DF49997365D735D8458B82

Function 6D6E7CB6 Relevance: 7.0, Strings: 5, Instructions: 714COMMON

Download Yara Rule

Strings

, xrefs: 6D6E8D01
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCxm
API String ID: 0-422436263
Opcode ID: d33d98871cbaf714fa1bd50001b228c871d1c01d1d02f820cef349e803e4d3c0
Instruction ID: cd58b8318382f26ae45db3738fb54fef771b50909da4d8cc3d80e18edd15cb85
Opcode Fuzzy Hash: d33d98871cbaf714fa1bd50001b228c871d1c01d1d02f820cef349e803e4d3c0
Instruction Fuzzy Hash: 35427771A0E7828FD704CF29C48022BBBE2BFD9794F14892EE499D7365D775C8458B82

Function 6D6E763E Relevance: 6.9, Strings: 5, Instructions: 696COMMON

Download Yara Rule

Strings

, xrefs: 6D6E8D01
XCxm, xrefs: 6D6E8704, 6D6E8718
0000, xrefs: 6D6E88F4
0000, xrefs: 6D6E8B84
, xrefs: 6D6E86ED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $0000$0000$XCxm
API String ID: 0-422436263
Opcode ID: d38f51aa3ed62d8ebc788641a59490147d225224aafcf3996cc1d664648c048f
Instruction ID: 6a6e3b1a15f4c9fd186b168422d294aa0dd4e5d84f8fce666d27ec9b2f30a1c4
Opcode Fuzzy Hash: d38f51aa3ed62d8ebc788641a59490147d225224aafcf3996cc1d664648c048f
Instruction Fuzzy Hash: 1E428971A0E7828FD704CF29C48022BFBE2AFD9794F14892EE499D7365D775C8458B82

Function 6D72C900 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea1c5646f93581e152db654d64d339b3ceb19541b308a82805f66d273fde0bd
Instruction ID: 688fc69af473e03ff120cf9c22e2aad91d9e4383b972b44c808db5c14d4adc16
Opcode Fuzzy Hash: 8ea1c5646f93581e152db654d64d339b3ceb19541b308a82805f66d273fde0bd
Instruction Fuzzy Hash: B7027071E0025A9FDB14CFA9C9806ADFBF1FF88325F24826AD515E7340D731AA41CB91

Function 6D70D8B0 Relevance: 6.4, APIs: 4, Instructions: 355COMMON

Download Yara Rule

APIs

__libm_sse2_acos_precise.LIBCMT ref: 6D70D9F1
__libm_sse2_acos_precise.LIBCMT ref: 6D70DA4B
__libm_sse2_acos_precise.LIBCMT ref: 6D70DC4F
__libm_sse2_acos_precise.LIBCMT ref: 6D70DCA7

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: __libm_sse2_acos_precise
String ID:
API String ID: 2846157662-0
Opcode ID: 1ed9abdc4c603dea54dd0f00cf1bcacebe6bdc0fa95210a5f3297d45ba5de3f4
Instruction ID: d8a96ab7ae752e3899a6f53547c72a1415cbe0c0fbec03541ee67618a25c1dc1
Opcode Fuzzy Hash: 1ed9abdc4c603dea54dd0f00cf1bcacebe6bdc0fa95210a5f3297d45ba5de3f4
Instruction Fuzzy Hash: 15E1967181974D9AC702DA37898065AF7E0AFEF754F18DF0EB994324F0E730A1989A46

Function 6D725853 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D72585F
IsDebuggerPresent.KERNEL32 ref: 6D72592B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D725944
UnhandledExceptionFilter.KERNEL32(?), ref: 6D72594E

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 178ad9a0fda3904982c837f7e8d8baaa06d873a70f2c42adf101e37b6fb34bfe
Instruction ID: fd0caa7c2669b4c668c830d63a988b80bd1ace084f91c735207fc609caa3aeaf
Opcode Fuzzy Hash: 178ad9a0fda3904982c837f7e8d8baaa06d873a70f2c42adf101e37b6fb34bfe
Instruction Fuzzy Hash: 083126B5D052299BDF21DFA4D9497DDBBB8BF08314F1041AAE50CAB244EB709B84CF46

Function 6D7123B0 Relevance: 5.5, Strings: 4, Instructions: 466COMMON

Download Yara Rule

Strings

hawm, xrefs: 6D712A3C
dawm, xrefs: 6D712A32
#ComboPopup, xrefs: 6D7126A7
##v, xrefs: 6D71249A, 6D71249B, 6D71249C

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: ##v$#ComboPopup$dawm$hawm
API String ID: 0-358747718
Opcode ID: 2b937846a3488575e57d8e2a76410cd50bab5d28b9cb3128ff9820fea5d47f23
Instruction ID: 96725a686faa9586c3f31b4d1694c570618f1fc91e73dc0986fea0848c4d730c
Opcode Fuzzy Hash: 2b937846a3488575e57d8e2a76410cd50bab5d28b9cb3128ff9820fea5d47f23
Instruction Fuzzy Hash: 5922AD3190C7459FD721CF36C88166BF7E1AF9A354F089F2EF894661A1E730A4889F42

Function 6D71A3A0 Relevance: 4.7, Strings: 3, Instructions: 910COMMON

Download Yara Rule

Strings

,, xrefs: 6D71A4C9
,, xrefs: 6D71A931
N/A, xrefs: 6D71A8AA

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: ,$,$N/A
API String ID: 0-1273944187
Opcode ID: ca410e3fcf12a24ee7829b9d460a9cb2c3a30cb0635f0882347b8833a62dc208
Instruction ID: 72bda55f141033bb340ea964417debd4fe74ab9abb9736e8b2102f44ef8e581b
Opcode Fuzzy Hash: ca410e3fcf12a24ee7829b9d460a9cb2c3a30cb0635f0882347b8833a62dc208
Instruction Fuzzy Hash: 1E9291309087469FC315CF3AC580A66F7E0BF99354F188B2EE895A7651D731F49ACB82

Function 6D728776 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D72886E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D728878
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D728885

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a8e35045140e71a92d1c393bf9246ce999fc2ce74d33916a97bf452c16048df3
Instruction ID: b9a1f8f4efb80bd69511f012c9cb19b313d036f40aab2effdaafaaa142cbe8dc
Opcode Fuzzy Hash: a8e35045140e71a92d1c393bf9246ce999fc2ce74d33916a97bf452c16048df3
Instruction Fuzzy Hash: 4B31C57490122DABCB21DF64D9887DDBBB8BF08724F5041EAE51CA7290E7709B858F46

Function 6D713500 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

hawm, xrefs: 6D713904
##timewarp_scale, xrefs: 6D7135C5, 6D7135C6, 6D7135C7, 6D713774
dawm, xrefs: 6D7138FA

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: ##timewarp_scale$dawm$hawm
API String ID: 0-153653760
Opcode ID: a7e686632307f7fe98f672c83e77243dd559c10b5627fb97518419584006cc15
Instruction ID: 507f169bf7a54b57265613aa60de2b2573b5608e12dfc974e5ce3ee979f1bda3
Opcode Fuzzy Hash: a7e686632307f7fe98f672c83e77243dd559c10b5627fb97518419584006cc15
Instruction Fuzzy Hash: 37D1057190C345ABD711CF36C9807AAF7B1BF8A318F088B2EF59826191D732A559DB43

Function 6D70A580 Relevance: 3.9, Strings: 2, Instructions: 1437COMMON

Download Yara Rule

Strings

A, xrefs: 6D70A6A6
|, xrefs: 6D70B1FB

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: A$|
API String ID: 0-641917524
Opcode ID: f6287a5c823cd61b5fa4918c59952ea369fb2142aafcd758dd60fbaf70503b81
Instruction ID: eb9050e82e2132b2928a022c12f162b827d0e1985774392839e6277d949edfe9
Opcode Fuzzy Hash: f6287a5c823cd61b5fa4918c59952ea369fb2142aafcd758dd60fbaf70503b81
Instruction Fuzzy Hash: 26E28DB0D046298FDB25CF29C944BE9F7F1BF49314F0582EAD549A7281E730AA95CF81

Function 6D722760 Relevance: 3.2, APIs: 2, Instructions: 241windowCOMMON

Download Yara Rule

APIs

GetMessageExtraInfo.USER32 ref: 6D722C9E
ScreenToClient.USER32(?,?), ref: 6D722D83

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ClientExtraInfoMessageScreen
String ID:
API String ID: 3314809007-0
Opcode ID: 63e73fff612e000e8c9196274fe1bad827e387b984f4df7933aea557eb470d34
Instruction ID: 2db587729f049ed3f5829da24b4c0bf4c2a663c455fad80ddc3d3385396e7f9a
Opcode Fuzzy Hash: 63e73fff612e000e8c9196274fe1bad827e387b984f4df7933aea557eb470d34
Instruction Fuzzy Hash: 6581DB71B282458FD718DF28D18576EB7E1EB89324F008A3FE959D7291C735D9818B82

Function 6D7214C0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 6D7214D3
GetLocaleInfoA.KERNEL32(00000000,20001004,-00000024,00000004), ref: 6D7214E8

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: InfoKeyboardLayoutLocale
String ID:
API String ID: 1218629382-0
Opcode ID: d347990d7325a256ad1eb82c2f7d7284cc440c0be49ecd257c318e0557905c41
Instruction ID: 0efae56dcad596d9aafe0c563a7a3d71e9b43a6f939f1ccda52d1bb598507afd
Opcode Fuzzy Hash: d347990d7325a256ad1eb82c2f7d7284cc440c0be49ecd257c318e0557905c41
Instruction Fuzzy Hash: 19E0CD72544161A7FB115A659D04FD67AB4BB05761F010131FF88D7145D721C840C761

Function 6D6F08B0 Relevance: 2.2, Strings: 1, Instructions: 951COMMON

Download Yara Rule

Strings

#RESIZE, xrefs: 6D6F09C0

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: #RESIZE
API String ID: 0-1383961720
Opcode ID: 32566c1ad5e637affeee62ef29789838d675ad49932aa38022e63097992f8c47
Instruction ID: b0e30fbe5052eeb90da69e8513f24bfe9ede694f7b00f1b291a06182fa27ea4e
Opcode Fuzzy Hash: 32566c1ad5e637affeee62ef29789838d675ad49932aa38022e63097992f8c47
Instruction Fuzzy Hash: 6C929271918B498AD302CB37C4803A6F7B1BF9E384F18CF1DE998771A1D735A4969B42

Function 6D700560 Relevance: 2.0, Strings: 1, Instructions: 715COMMON

Download Yara Rule

Strings

, xrefs: 6D700EC8

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 65d153c771b3a899c926ce22fd9892f15af02bebb58b9c3267b4f1f36dc63702
Instruction ID: 9db00dccb0680a180f7fb5d836c1969dc7f381febf1247decb324900750bb385
Opcode Fuzzy Hash: 65d153c771b3a899c926ce22fd9892f15af02bebb58b9c3267b4f1f36dc63702
Instruction Fuzzy Hash: 6952C1715187918FC315CF3A859027BFBE1AF9A324F088B2EF8D5932A1E339D5558B42

Function 6D6FC460 Relevance: 1.9, Strings: 1, Instructions: 618COMMON

Download Yara Rule

Strings

##NavUpdateWindowing, xrefs: 6D6FC4E2

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: ##NavUpdateWindowing
API String ID: 0-2766148257
Opcode ID: 44a3953fad8d5d2ea51e306042d477075da716c31c9d9fc6ac3e0e54226e9964
Instruction ID: 1adb7a0fdcd36d8bd1eade91a95a857d216864ce4fe495fece06a7a18a22d1d1
Opcode Fuzzy Hash: 44a3953fad8d5d2ea51e306042d477075da716c31c9d9fc6ac3e0e54226e9964
Instruction Fuzzy Hash: F842F571508F868AD711CF36C0C03E6F7E2AF5E344F158A1DD8AB57292D774A09ACB92

Function 6D73EC55 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,6D73EC50,00000000,?,00000008,?,?,6D73E853,00000000), ref: 6D73EE82

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 22b68878024485bb4f49acd35fe37f2d334bdb83640f718e90228be94492e5a4
Instruction ID: caadaa8855a7f6731b2089cfd810eb30d49840f75e67d495c6bc6d9ef3a33935
Opcode Fuzzy Hash: 22b68878024485bb4f49acd35fe37f2d334bdb83640f718e90228be94492e5a4
Instruction Fuzzy Hash: A3B13B3112061ADFE705CF28C586B657BE0FF45364F26866DE8A9CF2A2C335E991CB41

Function 6D70C420 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

., xrefs: 6D70C7AE

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: e257b2b324d217e3ecf5fc25e879ad7957b4f56da628d6cd4982be27d0d98422
Instruction ID: edaabb8d4842630eada776789006395c21ff21ff14c9f99e75a8a0ea56a47a2c
Opcode Fuzzy Hash: e257b2b324d217e3ecf5fc25e879ad7957b4f56da628d6cd4982be27d0d98422
Instruction Fuzzy Hash: 700290B5600B068FC330CF19C190936B3F1FF49325B559A6ED8868B6A1EB31F559CB62

Function 6D72566F Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D725685

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7cf31b1e1115a116b3520591dc9ed72b6f32d547120a59ae0110cf5b69d08bdd
Instruction ID: d8a04a2a36f89dca040f04bbdec12cd4a786f4a31b022655f3698cdfff23d6c0
Opcode Fuzzy Hash: 7cf31b1e1115a116b3520591dc9ed72b6f32d547120a59ae0110cf5b69d08bdd
Instruction Fuzzy Hash: 405156B1A14656DBEB04CF99D5817BEBBF4FB4A721F20803AC411EB344D3759940CB92

Function 6D737B99 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09559a1e3c9e37589e0365a242b7ce6dfd400f4f3868fec9aa262aebfe63100c
Instruction ID: f357156e31eff906bcbd315cbee1e4bab3fe135671f5bc3d8794cd07556ae2dd
Opcode Fuzzy Hash: 09559a1e3c9e37589e0365a242b7ce6dfd400f4f3868fec9aa262aebfe63100c
Instruction Fuzzy Hash: FB41D5B5C0822DEFDB10DF68CD88AAABBB8EF45314F1142EAE419D3201DB349E448F51

Function 6D7312A1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 6D731425

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0f4c36d93be4b398b0cc2ee2613d6abf5a59a91c2cbbd6b9cf724c28b81919aa
Instruction ID: e144d71fb30125fa9d2c6974054a6c5a9ffee9e6c5caa3384af21dd0d6cdc428
Opcode Fuzzy Hash: 0f4c36d93be4b398b0cc2ee2613d6abf5a59a91c2cbbd6b9cf724c28b81919aa
Instruction Fuzzy Hash: 5DB1E370904B3B8BCB19CF68C7556BEB7B1AF05334F02462ADD6697A92C7319601CB53

Function 6D738D9A Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D738D9A

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 543b86580410ea6832d3ce8a0a290638245bb1dfe8ccde59d99474afbc31e064
Instruction ID: f23f073fa0b23e2dde08198dc5d89edd18e9db5c901169dae0c8b4b88f8bf5e4
Opcode Fuzzy Hash: 543b86580410ea6832d3ce8a0a290638245bb1dfe8ccde59d99474afbc31e064
Instruction Fuzzy Hash: 4DA01130A222008BAB208F30830A30CBAF8AA03282300003AA008C8028FB288080AA83

Function 6D74048B Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad53f79c48964e8a27caea513346ad2aa3dbbd68c4a406309fcb683c69e52dd
Instruction ID: 20fc269e487b7a9b0e9bd103d254947f8e023268e95661ba5a0857f9a06a11e8
Opcode Fuzzy Hash: 7ad53f79c48964e8a27caea513346ad2aa3dbbd68c4a406309fcb683c69e52dd
Instruction Fuzzy Hash: 09323721D69F114DD763A539C922335A26DBFB33D4F51CB37E819B5AAAEB2980C34102

Function 6D742549 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a1be234f3aa5ad1790d2b42707048550e992a6e82b292e9bc6dd58a7e9f2bf
Instruction ID: ccb418d02db42c8ed3e9328fd908e121437c9fd8e090fe5d32c2ec43d0f84de2
Opcode Fuzzy Hash: f7a1be234f3aa5ad1790d2b42707048550e992a6e82b292e9bc6dd58a7e9f2bf
Instruction Fuzzy Hash: F2323621E69F118DD7239534C922335A259BFB73D4F11DB37E81AF6D9AEB28C4834102

Function 6D6FA6C0 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a7cc27e62f0510beb355a5291b5c6b57bc98223f5c170766440038c63cf96e
Instruction ID: 01bceb2e58df36dbea838441e0bfe96f2d28ed6f7e43d90ec5a83943a985f4b2
Opcode Fuzzy Hash: e7a7cc27e62f0510beb355a5291b5c6b57bc98223f5c170766440038c63cf96e
Instruction Fuzzy Hash: A842C170608F429AE716CB35C144BE1F7A3BF5A358F14876ED8B80B2D2D775609ACB81

Function 6D70FD00 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2675ccf9bb766917e34526f2b3ab5c2dde8771fc58e815dfa0d43dc4a6552a8
Instruction ID: 920445d4bf4c246fb64b34920ff6df2c224c489dbb65f77c6800852fe9bc91a5
Opcode Fuzzy Hash: f2675ccf9bb766917e34526f2b3ab5c2dde8771fc58e815dfa0d43dc4a6552a8
Instruction Fuzzy Hash: FB121F3060C7469BD305CF36C6903AAF7E17F8A364F084B2EE9A957291D774A465CB83

Function 6D6DA9D0 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75be5b5d84f63c9f3f8fd8de8202d25b7f09a0b15f2195c882ab7dc91f1d43a3
Instruction ID: 571587ebb1e3a758389de34afa9f2cda637bc14b69b4d64f3e2f8458ed68849e
Opcode Fuzzy Hash: 75be5b5d84f63c9f3f8fd8de8202d25b7f09a0b15f2195c882ab7dc91f1d43a3
Instruction Fuzzy Hash: 3AF135B1B0C2214BD75CCE18D5D0A2DBBE2EBD8346F144A7EE88697395D6348C85CB92

Function 6D7217F0 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126b8ce8148cbe66a9e05f94135524f0cbf1b749436ff97a28fcfc9f50534beb
Instruction ID: e62f9d179ee62907bbf5c311d57fa6711ea6306cb877a6b79c20e871d7a97cb4
Opcode Fuzzy Hash: 126b8ce8148cbe66a9e05f94135524f0cbf1b749436ff97a28fcfc9f50534beb
Instruction Fuzzy Hash: AC023A246187A45AD702CA36C54137BF7F1AF5B698F08CF1AFC98271C2D32265C88793

Function 6D71DEF0 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a279bd33f0f62ace543b4f19ffed8ac4161c576e25d5a0cd36fa8a5d787c30e
Instruction ID: f10af909a9cf57fd57418dbf9c3d1ff07ca8454a305accce5771c54fc883055b
Opcode Fuzzy Hash: 6a279bd33f0f62ace543b4f19ffed8ac4161c576e25d5a0cd36fa8a5d787c30e
Instruction Fuzzy Hash: 9802B031D1D75E86D703D93789812A6F7A06FAF290F1DCF1BFC64764B1E32561888A42

Function 6D7197A0 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e70a6d4d1259445b6666a23f1158256b2cdd9cd86f821166c542da3ddc128f
Instruction ID: 12949b633509bb5bcad3ce2c86474a503720ba9b7a50ad893c5b112fdffed98b
Opcode Fuzzy Hash: 38e70a6d4d1259445b6666a23f1158256b2cdd9cd86f821166c542da3ddc128f
Instruction Fuzzy Hash: 6512D93190C7469BD311CF36C9807AAF7E0BFAA354F088B2EE9A553191D731A499DB43

Function 6D71E5C0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efeec7a0f6912de7e7ed230c5e79b2cd9bdc6419e43a5eaa802094beabd82a04
Instruction ID: 0b88a8518adbf0ae80618b98ec66bd23f76a5afc9074ae84d6bc16cbcdd30a06
Opcode Fuzzy Hash: efeec7a0f6912de7e7ed230c5e79b2cd9bdc6419e43a5eaa802094beabd82a04
Instruction Fuzzy Hash: 7D02D532C1CB8D8AD303DA3789912A6F7A06FAF290F1DCB17FC6576561E72060958743

Function 6D701240 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44ab973eda814433cd5e65659301a66b7e50fa4fb4c4a8f6f044a9cd73a93b7
Instruction ID: fa272183455f7093f311aa877afaee4e73cc4ac5a51ee69551f0b166e2d036f3
Opcode Fuzzy Hash: d44ab973eda814433cd5e65659301a66b7e50fa4fb4c4a8f6f044a9cd73a93b7
Instruction Fuzzy Hash: 6D12F771518B80CFC375CF2AC5817AAF7F1BF9A314F058A1DD489972A1EB30A499DB02

Function 6D710FF0 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523adf292f1ca5be5d01f484b1053ffa4d5638cc465aec7c24260593999f4a5c
Instruction ID: cf98d0fa359ced124593e510cb9c3c9f2e106c27e692c8622679af925ccfa863
Opcode Fuzzy Hash: 523adf292f1ca5be5d01f484b1053ffa4d5638cc465aec7c24260593999f4a5c
Instruction Fuzzy Hash: EFE1A33191C7899BC302CE37898125AF7A0AFEF294F1CCF1EFC95361A1D731A4949A42

Function 6D70F160 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a756f0a780819757503eb4d955b91f8a7324924112be310b77c34f4d151ae88c
Instruction ID: 29f7b553536029dad95ad7c7830e98d16a35ca369ba475eb9162bf5267a70231
Opcode Fuzzy Hash: a756f0a780819757503eb4d955b91f8a7324924112be310b77c34f4d151ae88c
Instruction Fuzzy Hash: 8ED1D27090834A8FC715CF26C58079AF7F0BF9A354F088B6DE8546B292D731E599CB86

Function 6D741BCE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b80b16de56dd963f2b1094429bfcd8ed49a5e219e269c92a7d2285ae70f507b
Instruction ID: 7057d7b83afceb2711aabacc8779e7ca63b95eaf6f1c7b595691562831dff400
Opcode Fuzzy Hash: 1b80b16de56dd963f2b1094429bfcd8ed49a5e219e269c92a7d2285ae70f507b
Instruction Fuzzy Hash: 64B1E220D2AF618DD723A5398831336F6ACAFBB2D5F51DB2BFC2674D52EB2181834141

Function 6D7053F0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c29e02501ad4adaec828c679d587ceb8c05456999e136a3447eb27a56c69a7
Instruction ID: 4b1e8dc8254a996a5c6b3c4c4926dea77a479c75d4a984b92adc314d2e43e838
Opcode Fuzzy Hash: 51c29e02501ad4adaec828c679d587ceb8c05456999e136a3447eb27a56c69a7
Instruction Fuzzy Hash: 68C1BD71D297598FC302DF37C48052AF7E0AFEA754F149B2EF840A61A1E330A485EB42

Function 6D704AB0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe713cd74e3921e74c2c3f7709f3b821abbc4e4b0a9f4b61c2c6bc49960f112
Instruction ID: 6467d437c35fad48a49a07cde4a75c01856f65ca95a2c39b6b281b091e3feea1
Opcode Fuzzy Hash: 0fe713cd74e3921e74c2c3f7709f3b821abbc4e4b0a9f4b61c2c6bc49960f112
Instruction Fuzzy Hash: 70919B719183468FC701CF2AC58052AF7E0BFD9368F198B2DE985A7261E730E5858B82

Function 6D6FBDC0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0745bb32126e35fa78a8e1c210f4b527c53508587d74cb16446c1d620393ce59
Instruction ID: 880c5e17966cb8228c3d737461fdce8e2277d2883eebb5b3f654b8cbc0c44cdb
Opcode Fuzzy Hash: 0745bb32126e35fa78a8e1c210f4b527c53508587d74cb16446c1d620393ce59
Instruction Fuzzy Hash: 7881D370615F458AD313CB3AC4853F2F7E2EF4A364F288B1AD5E9161E2D771219ACB41

Function 6D705850 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577f5127219f6f89eb3ed6352889fcd2be086dd25a6b2316414b39a285f17187
Instruction ID: eabe9c57d12dc37c1a3e7a9fe64c2b1c0fd47101d6fd23180720677d7509ae2b
Opcode Fuzzy Hash: 577f5127219f6f89eb3ed6352889fcd2be086dd25a6b2316414b39a285f17187
Instruction Fuzzy Hash: 2E61AEF160C3958FC304CF2DD58156ABBE0BF99218F444A6EE4D5C7682D734D808CB56

Function 6D705AB0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc0e8712f0ccd8e3822401b813b15a91a0279d7a9851f9d84c7de2dced17dea
Instruction ID: a2c16b8b453b8a579854abbe2a8d338052d2b864ccc65f1565bc7b58babaac0c
Opcode Fuzzy Hash: 9bc0e8712f0ccd8e3822401b813b15a91a0279d7a9851f9d84c7de2dced17dea
Instruction Fuzzy Hash: 5E617DB260C7928FC305CF2DD68156BFBE4BF9A204F444AAEE4D5C7241D724D5488B97

Function 6D6FF490 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb9c200384795c83f1914d520cc9e6f6cc3b3049d69cd08bf3e277d60c65be
Instruction ID: 01ead9326abfe05e48d49aa48d32fed7a541f7802ca025b239fd20aefa27771a
Opcode Fuzzy Hash: 8ceb9c200384795c83f1914d520cc9e6f6cc3b3049d69cd08bf3e277d60c65be
Instruction Fuzzy Hash: C551CC3224C9314A9768CD2DB8900F9B7D7DBCA211368C5BFE1D5C7B4AD129A48FE760

Function 6D6ED490 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5aea9bfd9785232cddce16f44fceb825f67a36b64f8343693f32db22f996466
Instruction ID: 7aa6e9ac1bd2e306cf82b8cbe2997981fdf4b16e3213c68ba0541f3f23e13eb7
Opcode Fuzzy Hash: a5aea9bfd9785232cddce16f44fceb825f67a36b64f8343693f32db22f996466
Instruction Fuzzy Hash: 9461F23024EB839BD7018E3884403F6BBE07FDA39CF148A59D8B98B192D3A59059DF91

Function 6D6EA070 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9751eb3613bd939468beaa6f4352382e9ce8aaa465f67fef5251879b3651d31
Instruction ID: 881453299bdb89a8ddbebb7de5d5fb16aaf50488ffe4532a2b766592f654140e
Opcode Fuzzy Hash: b9751eb3613bd939468beaa6f4352382e9ce8aaa465f67fef5251879b3651d31
Instruction Fuzzy Hash: 34513632A0D3928BC708CF29D85166EBBF1BFC9700F49496DE8D697241D7349A0C8793

Function 6D72A8D0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31aa143e30b41863d714d1eea67c976006b9f97cadf7236cbc214e2c3673a0e
Instruction ID: 04c5a6939819d89f362fc9212773bba0bfd8c7ebceab887511d781617b99ae40
Opcode Fuzzy Hash: c31aa143e30b41863d714d1eea67c976006b9f97cadf7236cbc214e2c3673a0e
Instruction Fuzzy Hash: DB51B372D0025AEFDF04CF99C950AEEBBB2FF88314F5A8069E555AB201D7349A41CF91

Function 6D6EA260 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a0c91b631d51cbf8927cfd848973c257e512a5f3f98fdf3c4bf2626569242d
Instruction ID: ee927a6a51af71bac7e1623a635dc641fe17c8c2b306f610d0d12a28d769eab1
Opcode Fuzzy Hash: 68a0c91b631d51cbf8927cfd848973c257e512a5f3f98fdf3c4bf2626569242d
Instruction Fuzzy Hash: C1412A32B5D7924FD70DCE68C8A197E7BE29FC6340F0D896DE4C297642DA64880DC782

Function 6D6E9F10 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2662e0f9a706505350d6631d686bd23643049fb0b8ead93b7660c757998da67
Instruction ID: c91a87e15da87735da4c015bb1b956d624965a3c0efc937fc94586e0761bbb59
Opcode Fuzzy Hash: f2662e0f9a706505350d6631d686bd23643049fb0b8ead93b7660c757998da67
Instruction Fuzzy Hash: 364116327193924FD748CB78C8526AEBBE1EB86354F4A897EE0C5C7241D638D849C752

Function 6D70CBF0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524ff240882bff5b829da51e0ec2e49f9b44bbf562bec92475d9ced549f2ddc8
Instruction ID: f36ec5c1738c8d58594185d3642f31878a5f6ad9e6423cb69b7b785b5b4a98bd
Opcode Fuzzy Hash: 524ff240882bff5b829da51e0ec2e49f9b44bbf562bec92475d9ced549f2ddc8
Instruction Fuzzy Hash: 16314EB16493094BC315CA3BC5D0636B7D1AFEB222B29CB2FFC55E75D0D321988491A3

Function 6D73FA50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: a6a615b6a2f553342eb510f5070afba4a087e176d99edd937cbaea11b1f9a4f2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 571134772421E343D700892DDAB07B7E7A5EAD72B572B827BD0618B74AD233A1459602

Function 6D6D5320 Relevance: 72.1, APIs: 17, Strings: 24, Instructions: 303
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(System.Runtime.InteropServices.GCHandle), ref: 6D6D5374
SysFreeString.OLEAUT32(00000000), ref: 6D6D53BA
SysAllocString.OLEAUT32(Alloc), ref: 6D6D542C
SysFreeString.OLEAUT32(?), ref: 6D6D5478
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D6D547F
VariantInit.OLEAUT32(?), ref: 6D6D549F
SysAllocString.OLEAUT32(?), ref: 6D6D54AD
VariantInit.OLEAUT32(?), ref: 6D6D54BA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000), ref: 6D6D54D2
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6D6D5507
SysFreeString.OLEAUT32(?), ref: 6D6D5546
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D6D554D
SysAllocString.OLEAUT32(AddrOfPinnedObject), ref: 6D6D5598
SysFreeString.OLEAUT32(00000000), ref: 6D6D55DE
SafeArrayCreateVector.OLEAUT32(00000000,00000000,00000000), ref: 6D6D55F7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6D6D5627
_com_issue_error.COMSUPP ref: 6D6D56A0

Strings

[!] Invoke("AddrOfPinnedObject") (0x%X), xrefs: 6D6D5631
System.Runtime.InteropServices.GCHandle, xrefs: 6D6D5368
System.Object, xrefs: 6D6D5402
[!] QueryInterface, xrefs: 6D6D574F
[!] CLRCreateInstance, xrefs: 6D6D5926
[!] GetMethod("Alloc") (0x%X), xrefs: 6D6D548B
System.Runtime.InteropServices.GCHandleType, xrefs: 6D6D53F9
[!] GetInterface, xrefs: 6D6D59AE
AddrOfPinnedObject, xrefs: 6D6D558F
Alloc, xrefs: 6D6D5423
[!] GetType (0x%X), xrefs: 6D6D53C7
[!] Invoke("Alloc") (0x%X), xrefs: 6D6D5557, 6D6D555D
osu!, xrefs: 6D6D5A83
[!] GetMethod("AddrOfPinnedObject") (0x%X), xrefs: 6D6D55EA, 6D6D5637
[!] GetRuntime failed: %S, xrefs: 6D6D5950
mscorlib.dll, xrefs: 6D6D5A0A
[!] C# Get Default Domain Failed, xrefs: 6D6D5AF9
kxm, xrefs: 6D6D532D
[!] GetDefaultDomain, xrefs: 6D6D56FB
[!] Get mscorlib.dll Assembly Failed, xrefs: 6D6D5A62
[!] Get osu! Assembly Failed, xrefs: 6D6D5ADB
[!] Load (0x%X), xrefs: 6D6D583D
[!] Start, xrefs: 6D6D59C5
v4.0.30319, xrefs: 6D6D594B

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: String$ArraySafe$AllocFree$Destroy$CreateInitVariantVector$Element_com_issue_error
String ID: kxm$AddrOfPinnedObject$Alloc$System.Object$System.Runtime.InteropServices.GCHandle$System.Runtime.InteropServices.GCHandleType$[!] C# Get Default Domain Failed$[!] CLRCreateInstance$[!] Get mscorlib.dll Assembly Failed$[!] Get osu! Assembly Failed$[!] GetDefaultDomain$[!] GetInterface$[!] GetMethod("AddrOfPinnedObject") (0x%X)$[!] GetMethod("Alloc") (0x%X)$[!] GetRuntime failed: %S$[!] GetType (0x%X)$[!] Invoke("AddrOfPinnedObject") (0x%X)$[!] Invoke("Alloc") (0x%X)$[!] Load (0x%X)$[!] QueryInterface$[!] Start$mscorlib.dll$osu!$v4.0.30319
API String ID: 377884663-1138246287
Opcode ID: 11c237790123253e63745c09a1dc6957045bb68865088814d9373153f66bb490
Instruction ID: 6e0e51d8464a4a39690c5a6c4ce62a8613b6361e213958a77b44574640a6a84f
Opcode Fuzzy Hash: 11c237790123253e63745c09a1dc6957045bb68865088814d9373153f66bb490
Instruction Fuzzy Hash: 53B1BE70D04259EFDF02DFA8D948BBEBBB4EF0A315F144169E801AB340DB759945CBA2

Function 6D6DE2A0 Relevance: 52.8, APIs: 24, Strings: 6, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE2ED
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE309
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE330
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE34C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE373
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE38F
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE3DB
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE3F7
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE41E
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE43A
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE461
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE47D
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE4C9
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE4E5
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE50C
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE528
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE54F
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE56B
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE5F6
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE612
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE639
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE655

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE68E
VirtualProtect.KERNEL32(00000000,00000005,?,?,?,?,6D6E35EA), ref: 6D6DE6AD

Strings

lAxm, xrefs: 6D6DE668
?xm, xrefs: 6D6DE57E
UUZ, xrefs: 6D6DE5AD
?xm, xrefs: 6D6DE2BC
?xm, xrefs: 6D6DE3B3
?xm, xrefs: 6D6DE4A1

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: UUZ$lAxm$?xm$?xm$?xm$?xm
API String ID: 3866829018-1067907689
Opcode ID: ac91dd9c30bc5a898edd8582aa7c7edf5089e5bc859f68f9bd9512c05a1008e3
Instruction ID: 09f731e7c29d5903faba5fbe824f3876f6024a31165eb523e957d806f049a656
Opcode Fuzzy Hash: ac91dd9c30bc5a898edd8582aa7c7edf5089e5bc859f68f9bd9512c05a1008e3
Instruction Fuzzy Hash: 8BB1BF714082817EEB11CA21DC84F7BBFBDAB4F229F540079F55892182D3B4D405E7A3

Function 6D6DE261 Relevance: 51.1, APIs: 24, Strings: 5, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE2ED
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE309
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE330
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE34C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE373
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE38F
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,?,?,6D6E35EA), ref: 6D6DE3DB
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE3F7

Part of subcall function 6D6DE0C0: VirtualProtect.KERNEL32(00000000,00000005,00000040), ref: 6D6DE0D8
Part of subcall function 6D6DE0C0: VirtualProtect.KERNEL32(00000000,00000005,?,0000107F), ref: 6D6DE102

Strings

lAxm, xrefs: 6D6DE668
?xm, xrefs: 6D6DE57E
UUZ, xrefs: 6D6DE5AD
?xm, xrefs: 6D6DE3B3
?xm, xrefs: 6D6DE4A1

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: UUZ$lAxm$?xm$?xm$?xm
API String ID: 544645111-2871971624
Opcode ID: ca3d980c25a8a6909a507f0e727cb7d32b1ae0b44755b513a6b5bdcc27e68eec
Instruction ID: 243d53616376718519129b3f129f0245d99b8c7d22f4724c2d0b17546700fb42
Opcode Fuzzy Hash: ca3d980c25a8a6909a507f0e727cb7d32b1ae0b44755b513a6b5bdcc27e68eec
Instruction Fuzzy Hash: 37B1CF71408281BEEB11CA21DC84F7BBBBDAB4F26DF550079F69892182D3B49405E7A3

Function 6D721680 Relevance: 25.6, APIs: 17, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74acdcc4eb803fa12cbe50534a953bf62d7c4e4aed0fe07718dd6eebb550488d
Instruction ID: 409138217a7cbba1855dc7b28e8d244985b327e9938ee9277439bdabd2a31d13
Opcode Fuzzy Hash: 74acdcc4eb803fa12cbe50534a953bf62d7c4e4aed0fe07718dd6eebb550488d
Instruction Fuzzy Hash: F2213EF85981016BEF416FB0ED1CB7E7678BB56702FC404B7F519C6680CB2944449A33

Function 6D6E1A30 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 293threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6D6E1A60
GetModuleHandleA.KERNEL32(00000000), ref: 6D6E1A6A
SetWindowsHookExA.USER32(00000003,6D6E1460,00000000,00000000), ref: 6D6E1A79
GetModuleFileNameW.KERNEL32(6D788238,00000208), ref: 6D6E1B9B
GetLastError.KERNEL32 ref: 6D6E1BAB
K32QueryWorkingSetEx.KERNEL32(?,00000008), ref: 6D6E1BE0
VirtualFreeEx.KERNEL32(?,00000000,00008000), ref: 6D6E1C4F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,6D788238,00000000,6D788650,00000208,00000000,00000000), ref: 6D6E1C70

Strings

7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL, xrefs: 6D6E1DA6
[!] GetModuleFileName (0x%X), xrefs: 6D6E1BB2
onfig, xrefs: 6D6E1B23
config.ini path: %s, xrefs: 6D6E1CE6
[!] Couldn't get config path, xrefs: 6D6E1C7A

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Module$ByteCharCurrentErrorFileFreeHandleHookLastMultiNameQueryThreadVirtualWideWindowsWorking
String ID: 7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL$[!] Couldn't get config path$[!] GetModuleFileName (0x%X)$config.ini path: %s$onfig
API String ID: 1201383334-1288609819
Opcode ID: 36cc64bbd0742e207ff6a55e08fd3a7275d348980268c3f6a557b4ab142786a6
Instruction ID: eb0d9f3ff428098750b9298511b59a0e065fd64947093a76793f7627f507c873
Opcode Fuzzy Hash: 36cc64bbd0742e207ff6a55e08fd3a7275d348980268c3f6a557b4ab142786a6
Instruction Fuzzy Hash: 08B16870909305AFDF10DF64D948BAEBBB0FF0A354F104679F9199B282EB789504DB92

Function 6D73AB0D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D73A854: CreateFileW.KERNEL32(00000000,00000000,?,6D73ABB6,?,?,00000000,?,6D73ABB6,00000000,0000000C), ref: 6D73A871

GetLastError.KERNEL32 ref: 6D73AC21
__dosmaperr.LIBCMT ref: 6D73AC28
GetFileType.KERNEL32(00000000), ref: 6D73AC34
GetLastError.KERNEL32 ref: 6D73AC3E
__dosmaperr.LIBCMT ref: 6D73AC47
CloseHandle.KERNEL32(00000000), ref: 6D73AC67
CloseHandle.KERNEL32(00000000), ref: 6D73ADB4
GetLastError.KERNEL32 ref: 6D73ADE6
__dosmaperr.LIBCMT ref: 6D73ADED

Strings

H, xrefs: 6D73AD72

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4fe21e73ae955e15d4834e98c2a601bc3d553222189b200a3a57fe0ae3c2e621
Instruction ID: 989bc7e28d408a42bf33ddb18cd3557457d2c576bf3228af34fceb3254a61d59
Opcode Fuzzy Hash: 4fe21e73ae955e15d4834e98c2a601bc3d553222189b200a3a57fe0ae3c2e621
Instruction Fuzzy Hash: 90A147329181659FCF099F6CC996FAD7BB1AB07324F16016EE8119F296C735C902C793

Function 6D720410 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 203libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(opengl32.dll,?,00000026,?,?,?,6D6E1E50,7])#######l/<QH'/###I),##c'ChLQXH##$%1S:t@rT.M<m1gEfj/1QY;99XmhQ^l->>#2]rS%263h<#tJ(BrN&##J:$##9x,e=l$5VREE(##sN*##dDpe=pho['T1###`/,X6TuA0Fn;o,k[<+##ql$##.m4'Ij&94p=<bY#WD6_Abu^-Gxe-R4faaY#Vx&##e=s<BAW>W-*'e--n<i--;%HkEodl8(C/+##OCA>#0g?UClMNFa9d`Y#.Ij--f'TqL,6D743E83,00000000), ref: 6D720424
GetProcAddress.KERNEL32(00000000,wglGetProcAddress), ref: 6D720443
GetProcAddress.KERNEL32(6D776230), ref: 6D720478

Strings

#version 130, xrefs: 6D7205D8
opengl32.dll, xrefs: 6D72041B
Hfwm, xrefs: 6D720539
Failed to initialize OpenGL loader!, xrefs: 6D720693
wglGetProcAddress, xrefs: 6D72043D
GL_ARB_clip_control, xrefs: 6D720651
%d.%d, xrefs: 6D7204E4, 6D720582

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: #version 130$%d.%d$Failed to initialize OpenGL loader!$GL_ARB_clip_control$Hfwm$opengl32.dll$wglGetProcAddress
API String ID: 2238633743-2673120853
Opcode ID: e3296ca581105d9cff22979ebcf1c34f78af5546059d0279c456dca13764afab
Instruction ID: 074bba7b955aa4d984dcef12cc21973bb878ec9c9876e4f39c7357ac726232da
Opcode Fuzzy Hash: e3296ca581105d9cff22979ebcf1c34f78af5546059d0279c456dca13764afab
Instruction Fuzzy Hash: 5B613731A083829BEB019F66C95AF6BB7B5BB47326F04443DE58187242D771D609CBA3

Function 6D724A03 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6D724A09
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 6D724A17
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6D724A28
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 6D724A39

Strings

GetCurrentPackageId, xrefs: 6D724A11
GetSystemTimePreciseAsFileTime, xrefs: 6D724A1D
kernel32.dll, xrefs: 6D724A04
GetTempPath2W, xrefs: 6D724A2E

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: ba82f1da73d1641b192fa5c3d41d49b1e7028ba834d614e45bcd65772eebc82b
Instruction ID: 7d553870d07181ac6c086a4cc8b7275eb749e058997ab6ffd937d15350709dd2
Opcode Fuzzy Hash: ba82f1da73d1641b192fa5c3d41d49b1e7028ba834d614e45bcd65772eebc82b
Instruction Fuzzy Hash: D3E0EC35415210AB8B03AF70BE4CA75BAF8BE072233614473B906DB94AD77009418BA3

Function 6D7273B6 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D7274D5
___TypeMatch.LIBVCRUNTIME ref: 6D7275E3
_UnwindNestedFrames.LIBCMT ref: 6D727735
CallUnexpected.LIBVCRUNTIME ref: 6D727750

Strings

csm, xrefs: 6D727460
csm, xrefs: 6D72750C
csm, xrefs: 6D7273F3

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 26e315ed584083286ed6dfeabef74209c3512e354d0675f85cf03e3de13b9ecf
Instruction ID: 034bf7ee2e7ef651cb1b4ad5b243ff231caf2fd3de34fa3837bf6d3e21292def
Opcode Fuzzy Hash: 26e315ed584083286ed6dfeabef74209c3512e354d0675f85cf03e3de13b9ecf
Instruction Fuzzy Hash: F1B16671C0429AEFCF15CFA8CB849AEBBB5BF04324F51416AE9106B215D731DA51CBA3

Function 6D6D6A90 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000001), ref: 6D6D6AE7
SysAllocString.OLEAUT32(00000000), ref: 6D6D6B21
SysFreeString.OLEAUT32(00000000), ref: 6D6D6B5F
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 6D6D6B72

Strings

[!] get_types failed, pAssembly is null, xrefs: 6D6D6ACA
[!] GetType (%s, 0x%X), xrefs: 6D6D6C13

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ArraySafeString$AllocCreateElementFreeVector
String ID: [!] GetType (%s, 0x%X)$[!] get_types failed, pAssembly is null
API String ID: 4162797470-1448166456
Opcode ID: 4563adaea9a0dc8554505f4cb486dc8da826cfc02e23881a98bdef9797ddaab7
Instruction ID: 94c8575904ae4869a79201c6242d8de1dbf874db8fd7616cafda1bce84f84411
Opcode Fuzzy Hash: 4563adaea9a0dc8554505f4cb486dc8da826cfc02e23881a98bdef9797ddaab7
Instruction Fuzzy Hash: FD61A170E0424CDFDB01DFE8D988BADBBB4EF09318F148129E415EB281D7759A45CBA1

Function 6D6D6D30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6D6D6D89
SysAllocString.OLEAUT32(00000000), ref: 6D6D6DC5
SysFreeString.OLEAUT32(00000000), ref: 6D6D6E03
SafeArrayPutElement.OLEAUT32(00000000,00000000,00000000), ref: 6D6D6E16

Strings

[!] get_types failed, pAssembly is null, xrefs: 6D6D6D6C
[!] GetType (%s, 0x%X), xrefs: 6D6D6EB7

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ArraySafeString$AllocCreateElementFreeVector
String ID: [!] GetType (%s, 0x%X)$[!] get_types failed, pAssembly is null
API String ID: 4162797470-1448166456
Opcode ID: 642882d0731a34ebd6eddc576615a5e70b90ee7fc9ca9eecfc6b3e8277671397
Instruction ID: f0046d4bfc5c1a5ccf92dad67e8c967bd2d9be10d49634aa1688681aeeb23cc0
Opcode Fuzzy Hash: 642882d0731a34ebd6eddc576615a5e70b90ee7fc9ca9eecfc6b3e8277671397
Instruction Fuzzy Hash: E7719B70E0424C9FDB01CFE8D988BADBBB5EF08308F248129E515EB281D775AA45CB91

Function 6D6DF8B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF8FD
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF919
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF940
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF95C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF983
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF99F

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

Strings

?xm, xrefs: 6D6DF8CC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?xm
API String ID: 3866829018-3498921408
Opcode ID: 879ea6170e81a31870ab95a296d3d3d25fccd3ad283659c3f3d19610c239a231
Instruction ID: 2c9af8aec5933eaefa55b0673d5051e1ceb802fb77887ad8394cea04b4f5e090
Opcode Fuzzy Hash: 879ea6170e81a31870ab95a296d3d3d25fccd3ad283659c3f3d19610c239a231
Instruction Fuzzy Hash: 8821D2624081C57EEB118651DC84F7BBFBDEB8F22DFA440B9F54892141C3B49408EBA3

Function 6D6DF6B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF6FD
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF719
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF740
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF75C
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF783
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF79F

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

Strings

?xm, xrefs: 6D6DF6CC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?xm
API String ID: 3866829018-3498921408
Opcode ID: 194cdc76221182c8b050653efa875b74b94f83ba878ecc2458d18d3282c1c9db
Instruction ID: 2a990c6ebc2ea1023d72d66daba159d8910a4f00da37098d40e5a93b9714f416
Opcode Fuzzy Hash: 194cdc76221182c8b050653efa875b74b94f83ba878ecc2458d18d3282c1c9db
Instruction Fuzzy Hash: 7D21A2618041D17EEB118611AC84F7BBFBDAB9F62EF240079F64892141D3B4D409E7A7

Function 6D733355 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D73361D,00000022,FlsSetValue,6D7481A4,6D7481AC,00000000,?,6D73310E,00000006,000000FF,?,6D73262E,00000000,00000000), ref: 6D733416

Strings

ext-ms-, xrefs: 6D7333C0
api-ms-, xrefs: 6D7333AC
.&sm, xrefs: 6D733357

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: .&sm$api-ms-$ext-ms-
API String ID: 3664257935-3253423881
Opcode ID: aebfeed67fe25f7f706dd5e22aa04d440862bbd53d7b23e1429d8cf54b5794c0
Instruction ID: 8df534ccc66db37de7bcd4180ec8bc6332a6cb7b6f891334b88d7d7e06c091fc
Opcode Fuzzy Hash: aebfeed67fe25f7f706dd5e22aa04d440862bbd53d7b23e1429d8cf54b5794c0
Instruction Fuzzy Hash: DF21C935905122ABDB229B29DD84B6EB774EB42775F228131ED15A7192EB30DA00C5D3

Function 6D6D8B60 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 388COMMON

Download Yara Rule

APIs

K32QueryWorkingSetEx.KERNEL32(?,00000008,BEFF0931), ref: 6D6D8D9F

Strings

mods updated: %s, xrefs: 6D6D8CAB
Unknown, xrefs: 6D6D8C9B
Unknown, xrefs: 6D6D8CA5, 6D6D8CAA

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: QueryWorking
String ID: Unknown$Unknown$mods updated: %s
API String ID: 380726023-2432842809
Opcode ID: bad50fe0cfa98bbaa01c4679c788678b397c28b70981e420b796982acaf885a9
Instruction ID: ed2624eb87771ff49accb02daaefe280bb4b7ec206c90be963dd99607167aaab
Opcode Fuzzy Hash: bad50fe0cfa98bbaa01c4679c788678b397c28b70981e420b796982acaf885a9
Instruction Fuzzy Hash: 89F15770A043858FEB81CB39E558B7AFBF1AB4B309F24827ED4519B295D3709845CB93

Function 6D736E06 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6D736E8C

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f30d69ebd9c3244c8ffa272c56fca57c4a1bed504d5da9b0f0469bcbf4574be5
Instruction ID: 5757178d278ecbdb84318048672995899092117873dc57b58296dd357dbf1892
Opcode Fuzzy Hash: f30d69ebd9c3244c8ffa272c56fca57c4a1bed504d5da9b0f0469bcbf4574be5
Instruction Fuzzy Hash: FBB16972E04376DFDB118F68CD81BAE7BA5EF45360F164166E904AB283D374D901C7A2

Function 6D6D58B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,BEFF0931), ref: 6D6D58F0
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6D6D5904

Strings

mscoree.dll, xrefs: 6D6D58D6
[!] IsLoadable, xrefs: 6D6D5B21
CLRCreateInstance, xrefs: 6D6D58FE
v4.0.30319, xrefs: 6D6D593C

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CLRCreateInstance$[!] IsLoadable$mscoree.dll$v4.0.30319
API String ID: 1646373207-3271391130
Opcode ID: 84027b7e2bce4c3ad6b52c28ec1329add85bb437a04478b53a414d2415c63c51
Instruction ID: e7899524b84ae5a2ad2155f08b5ded86e924321cf7b22fb2810cb48a1b0cfa96
Opcode Fuzzy Hash: 84027b7e2bce4c3ad6b52c28ec1329add85bb437a04478b53a414d2415c63c51
Instruction Fuzzy Hash: 1031A470A042069FDB05DFA4DE84FBF7BB8EF4A725F004119E415EB551EB309A04CBA2

Function 6D6FE070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32(?), ref: 6D6FE099
ImmSetCompositionWindow.IMM32(00000000,00000020), ref: 6D6FE0D4
ImmSetCandidateWindow.IMM32(00000000,00000000), ref: 6D6FE111
ImmReleaseContext.IMM32(?,00000000), ref: 6D6FE119

Strings

@, xrefs: 6D6FE0E7
, xrefs: 6D6FE0AA

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ContextWindow$CandidateCompositionRelease
String ID: $@
API String ID: 3969737024-1077428164
Opcode ID: 40ffc572467ab6174e4dc06b415ea04a543690c2b154daf286294d54957cff81
Instruction ID: c7c2bfe7077cc1a6fc3202b758415bed827b20315e606951065ce5bca9244d1d
Opcode Fuzzy Hash: 40ffc572467ab6174e4dc06b415ea04a543690c2b154daf286294d54957cff81
Instruction Fuzzy Hash: C32156B28147449FC712DF24D585A6BFBF9BF8A614F40562AF9948B204EB30D880CB92

Function 6D734FD6 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f993726d06b893d14da656c471e6994dfa8be2703d3b8704cde174a32e5fcf66
Instruction ID: de0b6ec907913fe952446e116d53833631345e33cf9e18f55b024a30d9111c8f
Opcode Fuzzy Hash: f993726d06b893d14da656c471e6994dfa8be2703d3b8704cde174a32e5fcf66
Instruction Fuzzy Hash: D8B11EB0A08265AFDF01CFA8D984BBDBBB1BF46334F164169E5109B247C7719941CBA3

Function 6D6E0310 Relevance: 9.1, APIs: 6, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,771B04C0,00000000,6D6DE663,00000000,?,?,?,6D6E35EA), ref: 6D6E0338
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6E0354
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,771B04C0,00000000,6D6DE663,00000000,?,?,?,6D6E35EA), ref: 6D6E037B
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6E0397
VirtualProtect.KERNEL32(00000000,00000000,00000040,?,00000000,?,771B04C0,00000000,6D6DE663,00000000,?,?,?,6D6E35EA), ref: 6D6E03BE
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6E03DA

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cb3716b504f244e87e7ef129deb02cb138205d1599388529667f694105bcb699
Instruction ID: 2c7f7425db66b1159efa97c1dbbfd19aa493dd0082f1404096fff14661dff285
Opcode Fuzzy Hash: cb3716b504f244e87e7ef129deb02cb138205d1599388529667f694105bcb699
Instruction Fuzzy Hash: 2221FF714081507EEB1186929C84F7BFBBDEB8F23EF240039FA5852101D3B0A905E7A7

Function 6D72707F Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D726F9E,6D724C62,6D725126,?,6D72535E,?,00000001,?,?,00000001,?,6D780D08,0000000C,6D725457), ref: 6D72708D
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D72709B
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D7270B4
SetLastError.KERNEL32(00000000,6D72535E,?,00000001,?,?,00000001,?,6D780D08,0000000C,6D725457,?,00000001,?), ref: 6D727106

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3f16af5d75c5424257abf599d7d8d4345efd69ec67f13409463686baf91f154d
Instruction ID: 2973aaddae47c9e5e253353c912ee46caeac9ba4cd594793454a18bcd803d89f
Opcode Fuzzy Hash: 3f16af5d75c5424257abf599d7d8d4345efd69ec67f13409463686baf91f154d
Instruction Fuzzy Hash: E701D836D1CB535EE7211578AF88B2666B4EB03BB77B5023BE620810D0FF624C054183

Function 6D6D5316 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(System.Runtime.InteropServices.GCHandle), ref: 6D6D5374
SysFreeString.OLEAUT32(00000000), ref: 6D6D53BA
_com_issue_error.COMSUPP ref: 6D6D56A0

Strings

System.Runtime.InteropServices.GCHandle, xrefs: 6D6D5368
kxm, xrefs: 6D6D532D
[!] GetType (0x%X), xrefs: 6D6D53C7

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: String$AllocFree_com_issue_error
String ID: kxm$System.Runtime.InteropServices.GCHandle$[!] GetType (0x%X)
API String ID: 1786537486-2725604465
Opcode ID: f9ad2e974a151b7ebf7f93c668a0319e3dc5837b9955b77ea4ef39d0ede13be5
Instruction ID: f2243ee5096f66b6dbc9edc22d32b3e1017ba9b3115bf9829153ca8a8ad6e35f
Opcode Fuzzy Hash: f9ad2e974a151b7ebf7f93c668a0319e3dc5837b9955b77ea4ef39d0ede13be5
Instruction Fuzzy Hash: A6318171D05219DFDB00CF98D948BAEFBF8EB4A715F14426DE805A7340D775AA048BA2

Function 6D73809D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6D7380B9

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bf7602d558112dc58eaa517f0f4a803f2079c0396acfbf5e2718d1fd992923dd
Instruction ID: 5d4510ea0e0e9c28bcd170b96d989175a555a78beba8d23cec1cdebe8c2be66c
Opcode Fuzzy Hash: bf7602d558112dc58eaa517f0f4a803f2079c0396acfbf5e2718d1fd992923dd
Instruction Fuzzy Hash: 3A21F9B1208126AFC7119F698E8496B77B8FF013747138A2EE615D7252E731EC0187A2

Function 6D6DF4F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF53D
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF559
VirtualProtect.KERNEL32(00000000,00000000,00000040,?), ref: 6D6DF580
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6D6DF59C

Part of subcall function 6D6D1660: VirtualProtect.KERNELBASE(?,00000005,00000040,?,771AF550,?,?,6D784004,6D6D19CC), ref: 6D6D167B
Part of subcall function 6D6D1660: VirtualProtect.KERNEL32(?,00000005,?,?,opengl32.dll), ref: 6D6D169A
Part of subcall function 6D6D1660: VirtualFree.KERNEL32(6D7869C8,00000000,00008000,?,?,opengl32.dll), ref: 6D6D16B4

Strings

?xm, xrefs: 6D6DF50C

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Free
String ID: ?xm
API String ID: 3866829018-3498921408
Opcode ID: ec27739d016fa1e87602b82d924c454cfdd70968b6b73e7d14b171d3d0150557
Instruction ID: 8a3c45369652be8a5cd0c2d9b60f1c1140b311d798eb837b415fe62ca1767605
Opcode Fuzzy Hash: ec27739d016fa1e87602b82d924c454cfdd70968b6b73e7d14b171d3d0150557
Instruction Fuzzy Hash: 5511BFA24081C57EEB118A21EC44F7BBFBDEB8F229F6400B9F64892141D3B4A40597B7

Function 6D728D01 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BEFF0931,00000000,?,00000000,6D7433E0,000000FF,?,6D728C9B,?,?,6D728C6F,?), ref: 6D728D36
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D728D48
FreeLibrary.KERNEL32(00000000,?,00000000,6D7433E0,000000FF,?,6D728C9B,?,?,6D728C6F,?), ref: 6D728D6A

Strings

CorExitProcess, xrefs: 6D728D40
mscoree.dll, xrefs: 6D728D2F

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a18486a617ed81aba37fbb356debc4c71028b129f9f011339f43b07ca449b1b6
Instruction ID: 5b8329aa6160b1e98e6e0e4e86c2dd77cb2bd5d9b561a32a5a81dc9e23ca0f0e
Opcode Fuzzy Hash: a18486a617ed81aba37fbb356debc4c71028b129f9f011339f43b07ca449b1b6
Instruction Fuzzy Hash: E3016731900959AFDF129F54DD04BBEB7B8FB05721F004636F821A2690DB759940CA91

Function 6D6D5C70 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 6D6D5D5B
std::_Throw_Cpp_error.LIBCPMT ref: 6D6D5D66
std::_Throw_Cpp_error.LIBCPMT ref: 6D6D5E49
std::_Throw_Cpp_error.LIBCPMT ref: 6D6D5E54
__Cnd_unregister_at_thread_exit.LIBCPMT ref: 6D6D5E79

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Cnd_unregister_at_thread_exit
String ID:
API String ID: 1267939008-0
Opcode ID: 0fe78f68203ef9a20f006c1d6ece6d4976979fe1fa9ec2cf738e865bf1762968
Instruction ID: aa6e86976c5e1657d3092458ac67401b2922a7b611d37eb20ac7086ebf8f21a6
Opcode Fuzzy Hash: 0fe78f68203ef9a20f006c1d6ece6d4976979fe1fa9ec2cf738e865bf1762968
Instruction Fuzzy Hash: 2D514C71C087859FD711CBB4E908BBBBBF8EF0A328F00056DD66592A90D775A508C7A3

Function 6D73C794 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D73C819
__alloca_probe_16.LIBCMT ref: 6D73C8E2
__freea.LIBCMT ref: 6D73C949

Part of subcall function 6D733BD9: HeapAlloc.KERNEL32(00000000,6D738616,?,?,6D738616,00000220,?,00000000,?), ref: 6D733C0B

__freea.LIBCMT ref: 6D73C95C
__freea.LIBCMT ref: 6D73C969

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b8f583652f744b99cef2344c903cd6aaf819d4e19cfcfc2bf348ea6a517a8eea
Instruction ID: c149de2f6aa21f4da3eb060a619295a7ce9a0e5d39b56986e93c6a354117b222
Opcode Fuzzy Hash: b8f583652f744b99cef2344c903cd6aaf819d4e19cfcfc2bf348ea6a517a8eea
Instruction Fuzzy Hash: A651E772604237AFEB114E65CE84EBB36A9EF44A35F13013AFE14D6156EB31CD108662

Function 6D7244BA Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6D7244CE
AcquireSRWLockExclusive.KERNEL32(-6CCF2438,?,6D6D69B0,?,BEFF0931,-6CCF2440), ref: 6D7244ED
AcquireSRWLockExclusive.KERNEL32(-6CCF2438,?,?,?,6D6D69B0,?,BEFF0931,-6CCF2440), ref: 6D72451B
TryAcquireSRWLockExclusive.KERNEL32(-6CCF2438,?,?,?,6D6D69B0,?,BEFF0931,-6CCF2440), ref: 6D724576
TryAcquireSRWLockExclusive.KERNEL32(-6CCF2438,?,?,?,6D6D69B0,?,BEFF0931,-6CCF2440), ref: 6D72458D

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 86ac11ce3f682532e5ee638ee8e72b96825fe4e3206b298f2c2b870e78daa59b
Instruction ID: 9971b0cf0259a60c650b777c5c0f0e1b1812a2662ce6b1deab461fe74d0621c6
Opcode Fuzzy Hash: 86ac11ce3f682532e5ee638ee8e72b96825fe4e3206b298f2c2b870e78daa59b
Instruction Fuzzy Hash: E8419D30504A8ADBCB11DF26C68696AF7F4FF2E338B10493BE19687640D730E581DB52

Function 6D6D1867 Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6D6D1882
wglGetCurrentDC.OPENGL32 ref: 6D6D188D
WindowFromDC.USER32(00000000), ref: 6D6D1894

Part of subcall function 6D6E1A30: GetCurrentThreadId.KERNEL32 ref: 6D6E1A60
Part of subcall function 6D6E1A30: GetModuleHandleA.KERNEL32(00000000), ref: 6D6E1A6A
Part of subcall function 6D6E1A30: SetWindowsHookExA.USER32(00000003,6D6E1460,00000000,00000000), ref: 6D6E1A79
Part of subcall function 6D6E1A30: GetModuleFileNameW.KERNEL32(6D788238,00000208), ref: 6D6E1B9B
Part of subcall function 6D6E1A30: GetLastError.KERNEL32 ref: 6D6E1BAB

CreateThread.KERNEL32(00000000,00000000,6D6DE0B0,00000000,00000000,00000000), ref: 6D6D18B5
CloseHandle.KERNEL32(00000000), ref: 6D6D18BC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Current$HandleModuleThread$CloseCreateErrorFileFromHookLastNameProcessWindowWindows
String ID:
API String ID: 3610768000-0
Opcode ID: 6937ba9d26275678e6ef348adede916779c3b2d847d164882042c4fef7ffc21e
Instruction ID: 2a7b42504704af48adfc9c9bd014f3e8cb440c885039eb757e57e238fb1472cd
Opcode Fuzzy Hash: 6937ba9d26275678e6ef348adede916779c3b2d847d164882042c4fef7ffc21e
Instruction Fuzzy Hash: F0F05E70A09340ABDF51BBB0AC1D73DBA347B47746F61483AE302D61D0DBB891408A6B

Function 6D708CB0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

SingleTap, xrefs: 6D708CB0

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID:
String ID: SingleTap
API String ID: 0-3144083996
Opcode ID: 2f502c1f29c135cf2b3ab08369f1354fa5c755819606c5d4f5c5203439000326
Instruction ID: 2b9538ce9799c9da7ed1e22b4cc5f28eb384b88abdd63e6c69b207ce46114294
Opcode Fuzzy Hash: 2f502c1f29c135cf2b3ab08369f1354fa5c755819606c5d4f5c5203439000326
Instruction Fuzzy Hash: 5391B1719187098EC302DF3A954152AF7F1AF9E354F18CF2AF98876191F730A5D8CA86

Function 6D728142 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D7280F3,00000000,?,00000001,?,?,?,6D7281E2,00000001,FlsFree,6D746B88,FlsFree), ref: 6D72814F
GetLastError.KERNEL32(?,6D7280F3,00000000,?,00000001,?,?,?,6D7281E2,00000001,FlsFree,6D746B88,FlsFree,00000000,?,6D727154), ref: 6D728159
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D728181

Strings

api-ms-, xrefs: 6D728166

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fda604dc1d13c29916fdd3c9097b4063ce4ce4b5d5f9943b3b2afcf4add775e7
Instruction ID: 293d913fefcfd2c2ff3cf37f77802494fa5a22e58d7fbbda6d589bc51c0638c8
Opcode Fuzzy Hash: fda604dc1d13c29916fdd3c9097b4063ce4ce4b5d5f9943b3b2afcf4add775e7
Instruction Fuzzy Hash: CDE04F34644205BBFF112F70EE0BF683E68AB01B69F644032FA0DE80E5EB62955185C7

Function 6D73556B Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BEFF0931,00000000,00000000,?), ref: 6D7355CE

Part of subcall function 6D738BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D73C93F,?,00000000,-00000008), ref: 6D738C4B

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D735820
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D735866
GetLastError.KERNEL32 ref: 6D735909

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: aabf82d06df3f4278941f41660fae13a29f8dc3a971e1671d4f063f02455f6bb
Instruction ID: b475318b946d6ef99dc0936fdf9b1f2db72649f6ca87d8c7cb9c4b7964d5c35f
Opcode Fuzzy Hash: aabf82d06df3f4278941f41660fae13a29f8dc3a971e1671d4f063f02455f6bb
Instruction Fuzzy Hash: C3D1AA75D04268AFCF01CFA8D984AEDBBB5FF09320F25412AE565EB352D730A901CB51

Function 6D72715F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6D727226
___AdjustPointer.LIBCMT ref: 6D727249
___AdjustPointer.LIBCMT ref: 6D7272E5

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 04928869f2333d00c030b17be5502dceb956e1055c3fd2a1d15d280135592a3c
Instruction ID: ac56f644eb383a6bba03ce6b6bb0a8751d4391f5d2d72811aef27a22126c9c0c
Opcode Fuzzy Hash: 04928869f2333d00c030b17be5502dceb956e1055c3fd2a1d15d280135592a3c
Instruction Fuzzy Hash: 2C51BC72A05683AFEB198F50CB41B7A77B5FF45334F20452EE91196291E731EA80CB92

Function 6D6D1E00 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6D7247B5: QueryPerformanceFrequency.KERNEL32(6D7234CB,?,?,6D7234CB,6D6D1E12,?,6D7234CC,6D7234CB,?,00000020,6D7234CB,00000000,?), ref: 6D7247D3

Part of subcall function 6D72479E: QueryPerformanceCounter.KERNEL32(6D7234CB,?,?,?,6D6D1E21,?,6D7234CC,6D7234CB,?,00000020,6D7234CB,00000000,?), ref: 6D7247A7

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D6D1E63
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D6D1E95
__alldvrm.LIBCMT ref: 6D6D1EB8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D6D1EDC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 5bc31e4a5047d1f8e994e6d0e8e73c730afa4f17a177c175571736e83d129d53
Instruction ID: 043e5fd79efefb9956b3899d66e1a2c1fc713aeb4eb562692bbce1514dcc1a63
Opcode Fuzzy Hash: 5bc31e4a5047d1f8e994e6d0e8e73c730afa4f17a177c175571736e83d129d53
Instruction Fuzzy Hash: 022133713083142FD304DE2D5D44B3BBAEDDBC82A4F02852DFA09DB362E6789C0806A6

Function 6D737939 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D738BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D73C93F,?,00000000,-00000008), ref: 6D738C4B

GetLastError.KERNEL32 ref: 6D73799D
__dosmaperr.LIBCMT ref: 6D7379A4
GetLastError.KERNEL32(?,?,?,?), ref: 6D7379DE
__dosmaperr.LIBCMT ref: 6D7379E5

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: e8a6c7502d2803681c06866a3bbcb7653b4363f53b6ab8550393bd59d00a001a
Instruction ID: 4fa42389ed3b1eebe1bd90e3363783b8e67444e0e12e1eb4c4f3364d3537cbfa
Opcode Fuzzy Hash: e8a6c7502d2803681c06866a3bbcb7653b4363f53b6ab8550393bd59d00a001a
Instruction Fuzzy Hash: 70212871A08227EFC7009F75CAC092AB7B9FF053783038729E91997201DB30EC418BA2

Function 6D738C8D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D738C95

Part of subcall function 6D738BEA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D73C93F,?,00000000,-00000008), ref: 6D738C4B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D738CCD
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D738CED

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4c5984ff8367ea5caaee01c78f23c33b8e6a761c2bf65a1c4f5bb4c38a472b9b
Instruction ID: 9b5196e04662756b86350d946181f7d46f8683f3a396dc2e03a56623a7c44687
Opcode Fuzzy Hash: 4c5984ff8367ea5caaee01c78f23c33b8e6a761c2bf65a1c4f5bb4c38a472b9b
Instruction Fuzzy Hash: 7911A5E552952ABEA72217755E8CD7F696CDD5A2B83130527F505D1102FB30DD4042F3

Function 6D73CCB9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D73A3A1,00000000,00000001,00000000,?,?,6D73595D,?,00000000,00000000), ref: 6D73CCD0
GetLastError.KERNEL32(?,6D73A3A1,00000000,00000001,00000000,?,?,6D73595D,?,00000000,00000000,?,?,?,6D735F37,00000000), ref: 6D73CCDC

Part of subcall function 6D73CCA2: CloseHandle.KERNEL32(FFFFFFFE,6D73CCEC,?,6D73A3A1,00000000,00000001,00000000,?,?,6D73595D,?,00000000,00000000,?,?), ref: 6D73CCB2

___initconout.LIBCMT ref: 6D73CCEC

Part of subcall function 6D73CC64: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D73CC93,6D73A38E,?,?,6D73595D,?,00000000,00000000,?), ref: 6D73CC77

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D73A3A1,00000000,00000001,00000000,?,?,6D73595D,?,00000000,00000000,?), ref: 6D73CD01

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: bfd08180c74f507125e19bc57d5ed5657751ef6519300a3d95d199de53609a1d
Instruction ID: dafcfbb56cac238b04f27b2e8c33a8871d2419853fc53ae8ad3992ccc9e73641
Opcode Fuzzy Hash: bfd08180c74f507125e19bc57d5ed5657751ef6519300a3d95d199de53609a1d
Instruction Fuzzy Hash: E0F0303A004135BBCF132F9ADD08A997F36FF4A3B6B1A4531FA0985120D7328860DB93

Function 6D726330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 6D72636F
__IsNonwritableInCurrentImage.LIBCMT ref: 6D726423

Strings

csm, xrefs: 6D72640D

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 2fe24a080800828bcd1e8d8d884ae83b807dfb0d839cac1df61e9eec6c0723c9
Instruction ID: 718a39d7cd1c72966aed3a5c44dbb32afa3ddc2366ae224c3db3c0c79f40e3b3
Opcode Fuzzy Hash: 2fe24a080800828bcd1e8d8d884ae83b807dfb0d839cac1df61e9eec6c0723c9
Instruction Fuzzy Hash: A7418234904299DBCF00DF68C984AAEBBB5FF45338F108167E9549B252D731AB46CBD2

Function 6D72775B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D727780

Strings

RCC, xrefs: 6D72779A
MOC, xrefs: 6D727792

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 36c2a87500f1605d4b0fc3cbbc660ddf296094432a08d73988b161f56131cd4e
Instruction ID: 4a03ff293530322666545556901291c5a06ab07fd095645a2885d31f4f496720
Opcode Fuzzy Hash: 36c2a87500f1605d4b0fc3cbbc660ddf296094432a08d73988b161f56131cd4e
Instruction Fuzzy Hash: 11418B31D0019AAFCF06CF94CE80AEE7BB5FF48324F15806AFA1567265E3359990DB52

Function 6D6D8550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6D6D6CD0: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6D6D6CE5
Part of subcall function 6D6D6CD0: SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6D6D6D18

SafeArrayDestroy.OLEAUT32(?), ref: 6D6D85C1
_com_issue_error.COMSUPP ref: 6D6D8609

Strings

[!] Invoke (0x%X), xrefs: 6D6D85CC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector_com_issue_error
String ID: [!] Invoke (0x%X)
API String ID: 378831089-2656373395
Opcode ID: 2b7768a60ecd1cdcaebb3f3b9efa1d33b396ae987a03793abeb46b05d3ae4c5b
Instruction ID: e3b4cdbaf00263c6cb7f2169c93ab1a5e65082a5c8d27e100deb7a81a5e01d5e
Opcode Fuzzy Hash: 2b7768a60ecd1cdcaebb3f3b9efa1d33b396ae987a03793abeb46b05d3ae4c5b
Instruction Fuzzy Hash: EC21D571C04608DBCB02DFA8C908BADB7B4FF5D728F208559E919A7201E7326A41CBA1

Function 6D724127 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D7241AF
RaiseException.KERNEL32(?,?,?,?), ref: 6D7241D4

Part of subcall function 6D72682B: RaiseException.KERNEL32(E06D7363,00000001,00000003,6D6D1D8A,-6CCF2440,?,?,?,6D6D1D8A,6D781510,6D781510), ref: 6D72688B

Part of subcall function 6D728607: IsProcessorFeaturePresent.KERNEL32(00000017,6D728775,?,6D7286E4,?,00000000,6D7288F3,?,?,?,?,?,00000000,?,00000000,?), ref: 6D728623

Strings

csm, xrefs: 6D724163

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: ec53bc50fc7606b65ac52135bffe9ad83c643dfb224d379c215a96301adc4bbe
Instruction ID: d6b374bfa1898018e93daea647f8c2653d2f13576dcc1fbcf869e888c55e3b7e
Opcode Fuzzy Hash: ec53bc50fc7606b65ac52135bffe9ad83c643dfb224d379c215a96301adc4bbe
Instruction Fuzzy Hash: 2921D331D002589BCF20CF95DE85AAEB7B5EF28728F11042AE516AB240C730AE45DB83

Function 6D6DDA60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,6D7869E0,0000001F,00000000,00000000,?,00000000,?,00000000,6D6DE7EF,BEFF0931,?,00000000), ref: 6D6DDACB

Strings

TOwm, xrefs: 6D6DDA90
@Owm, xrefs: 6D6DDA75

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: @Owm$TOwm
API String ID: 626452242-219552977
Opcode ID: 222f70302f63c8c90f003debc40d3e634a9ef5a5c3c88789aa2b1d78d364586c
Instruction ID: 0a84d81c39848c5415474677d90db90205ce977d4d4a8915b26394c914de3e1a
Opcode Fuzzy Hash: 222f70302f63c8c90f003debc40d3e634a9ef5a5c3c88789aa2b1d78d364586c
Instruction Fuzzy Hash: 5A0126312482496FD7209A54EC80FBAB7AAEFCA354F2CC4B9E511CB151D731D8458F52

Function 6D6DE1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000000,00000040,5nm,00000000,771B04C0,?,6D6E0106,?,6D6DE58D,00000000,?,?,?,6D6E35EA), ref: 6D6DE202
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE222

Strings

5nm, xrefs: 6D6DE1F2, 6D6DE1FD

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: 5nm
API String ID: 544645111-3246554561
Opcode ID: 60ccc02212c2ced9327ab18abd6f3a78a1cbcee068eaf9a86412485ce9959ac9
Instruction ID: 5ab2a943d43e8839c7728b70a8260aeb95b45fa2dc21350c9c1f1b267ac2336c
Opcode Fuzzy Hash: 60ccc02212c2ced9327ab18abd6f3a78a1cbcee068eaf9a86412485ce9959ac9
Instruction Fuzzy Hash: 01014FA19082C57EEF518625E848B2BFFBC678B726F24107EF585C1196D374808CC7A3

Function 6D6D9230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,XAxm,00000040,6D6DFC2A,00000000,?,?,6D6DFC2A,6D784158,00000000,6D6E3216), ref: 6D6D924F
VirtualProtect.KERNEL32(00000000,XAxm,?,?,6D784158,00000000,6D6E3216), ref: 6D6D927A

Strings

XAxm, xrefs: 6D6D9232, 6D6D924D, 6D6D9255, 6D6D9278

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: XAxm
API String ID: 544645111-2319511997
Opcode ID: 5ca97083fe0c95470b5228152725b124285108d733c1d480a1d3af99869c7dc2
Instruction ID: e70f2f4f79d005ce473eaea3b0da6a737b9cd084d1b8b370991d9ddb3f188377
Opcode Fuzzy Hash: 5ca97083fe0c95470b5228152725b124285108d733c1d480a1d3af99869c7dc2
Instruction Fuzzy Hash: D7F0E2721443497FC6108E6AECC4D7BFB7DEBC6624F01013FF21042140CB22A8495632

Function 6D6E0100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D6DE1B0: VirtualProtect.KERNEL32(00000000,00000000,00000040,5nm,00000000,771B04C0,?,6D6E0106,?,6D6DE58D,00000000,?,?,?,6D6E35EA), ref: 6D6DE202
Part of subcall function 6D6DE1B0: VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6DE222

VirtualProtect.KERNEL32(00000000,00000000,00000040,5nm,00000000,771B04C0,?,6D6DE58D,00000000,?,?,?,6D6E35EA), ref: 6D6E0126
VirtualProtect.KERNEL32(00000000,00000000,?,?,?,?,6D6E35EA), ref: 6D6E0146

Strings

5nm, xrefs: 6D6E0116, 6D6E0121

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID: 5nm
API String ID: 544645111-3246554561
Opcode ID: ef571a6f9ceb51a7f5ddda8289af06c01482e4c549e00b68099ddc6e12a45d2e
Instruction ID: 42107ecdc311755c516717d874ded6815d42c114379eb4721bf39f752fe32b38
Opcode Fuzzy Hash: ef571a6f9ceb51a7f5ddda8289af06c01482e4c549e00b68099ddc6e12a45d2e
Instruction Fuzzy Hash: B7F0A0B6808280BADB108661EC48F57FFBDEB9FA1AF60043AF24991152E3B4D044D762

Function 6D6E9D30 Relevance: 5.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,BEFF0931,?,?,6D787DA6,?,?,?,?,?,6D744280), ref: 6D6E9D87
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6D775EB8,000000FF,00000000,00000000,?,?,?,?,?,6D744280,000000FF), ref: 6D6E9D9C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,6D775EB8,?,?,?,?,?,?,6D744280,000000FF), ref: 6D6E9DD6
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,?,?,?,?,6D744280,000000FF), ref: 6D6E9DEC

Memory Dump Source

Source File: 00000004.00000002.1596717139.000000006D6D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6D6D0000, based on PE: true

Associated: 00000004.00000002.1596698172.000000006D6D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596773244.000000006D745000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596809062.000000006D783000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1596826846.000000006D789000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6d6d0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 107237d9f18cead5e2569cede86a94c0416590e97a267ebd31eb6b19d5969f6f
Instruction ID: 2320e871e71c293641ce7cce0609e3071518061c80849b75c3b7e5f8623c984e
Opcode Fuzzy Hash: 107237d9f18cead5e2569cede86a94c0416590e97a267ebd31eb6b19d5969f6f
Instruction Fuzzy Hash: 3B21EC72A04245AFEB219FA58C45FBFBB74EB05720F20433AF625AB1C0EB7155048791

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report main.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4bf71269e42599aca6dd6e6e3b744db6dcf1974_7522e4b5_f39e2f26-38ae-4b7c-88e0-3cfc3351528d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A98.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B73.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BA3.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
main.dll

Function 6D6D1920 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 130
librarysleeploaderCOMMON

Function 6D725255 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6D725305 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6D6D1560 Relevance: 4.6, APIs: 3, Instructions: 95
memoryCOMMON

Function 6D6D1660 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Function 6D72514E Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6D73456D Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 6D6D1B00 Relevance: 3.0, APIs: 2, Instructions: 15
threadCOMMONLIBRARYCODE