
Windows Analysis Report
mpclient.dll

Overview

General Information

Sample name: mpclient.dll
Analysis ID: 1396494
MD5: 5bc232f3354125b5fa634e101657f598
SHA1: bd5360cae7760ed1dd72fbb90fa448f02e1e0ab8
SHA256: 2b1056d4345ad77e4307f89a6e9181b96f20d7b82d4fec18dbc9be1e0636b0b7
Tags: dllHUN

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6488 cmdline: loaddll32.exe "C:\Users\user\Desktop\mpclient.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1720 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • WerFault.exe (PID: 6732 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 696 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 6208 cmdline: rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAddDynamicSignatureFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7228 cmdline: rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAllocMemory MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7268 cmdline: rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpCleanOpen MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7736 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAddDynamicSignatureFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7744 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAllocMemory MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7760 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpCleanOpen MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7784 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",dbkFCallWrapperAddr MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7980 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 688 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7800 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",__dbk_fcall_wrapper MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7820 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 8048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 688 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7840 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpWDEnable MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUtilsExportFunctions MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7884 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateTSModeEx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7896 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStartEx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7912 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStart MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7932 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdatePlatform MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockSignatures MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8012 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockPlatform MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8040 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockEngine MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8060 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatOpen MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8072 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatEnumerate MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8088 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpSetTPState MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8108 cmdline: rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpServiceLogMessage MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: mpclient.dll | Avira: detected
Source: mpclient.dll | ReversingLabs: Detection: 36%
Source: mpclient.dll | Joe Sandbox ML: detected
Source: mpclient.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FE100 FindFirstFileW,FindClose | 0_2_010FE100
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FDB34 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW | 0_2_010FDB34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040E100 FindFirstFileW,FindClose | 5_2_0040E100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040DB34 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW | 5_2_0040DB34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040E100 FindFirstFileW,FindClose | 22_2_0040E100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040DB34 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW | 22_2_0040DB34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040E100 FindFirstFileW,FindClose | 24_2_0040E100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040DB34 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW | 24_2_0040DB34
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FC4EC | 0_2_010FC4EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040C4EC | 5_2_0040C4EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040C4EC | 22_2_0040C4EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040C4EC | 24_2_0040C4EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0040CD8C appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0040A750 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 00411190 appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 696
Source: mpclient.dll | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: mpclient.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal60.winDLL@87/13@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7784
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7820
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1720
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9685e274-cec7-4250-8d9d-b9a6150e6d34
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (28 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (18 identical entries)
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAddDynamicSignatureFile
Source: mpclient.dll | ReversingLabs: Detection: 36%
Source: loaddll32.exe | String found in binary or memory: application/vnd.groove-help
Source: loaddll32.exe | String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: loaddll32.exe | String found in binary or memory: application/x-install-instructions
Source: rundll32.exe | String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: rundll32.exe | String found in binary or memory: application/vnd.groove-help
Source: rundll32.exe | String found in binary or memory: application/x-install-instructions
Source: rundll32.exe | String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: rundll32.exe | String found in binary or memory: application/vnd.groove-help
Source: rundll32.exe | String found in binary or memory: application/x-install-instructions
Source: rundll32.exe | String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: rundll32.exe | String found in binary or memory: application/vnd.groove-help
Source: rundll32.exe | String found in binary or memory: application/x-install-instructions
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mpclient.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAddDynamicSignatureFile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 696
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAllocMemory
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpCleanOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAddDynamicSignatureFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAllocMemory
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpCleanOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpWDEnable
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUtilsExportFunctions
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateTSModeEx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStartEx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStart
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdatePlatform
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockSignatures
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockPlatform
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockEngine
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatEnumerate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpSetTPState
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpServiceLogMessage
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAddDynamicSignatureFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAllocMemory
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpCleanOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAddDynamicSignatureFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAllocMemory
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpCleanOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",__dbk_fcall_wrapper
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",TMethodImplementationIntercept
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpWDEnable
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUtilsExportFunctions
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateTSModeEx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStartEx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStart
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdatePlatform
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockSignatures
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockPlatform
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockEngine
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatOpen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatEnumerate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpSetTPState
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpServiceLogMessage
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown (34 identical entries)
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1Jump to behavior
Source: mpclient.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: mpclient.dllStatic file information: File size 3725950 > 1048576
Source: mpclient.dllStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2a3a00
Source: mpclient.dllStatic PE information: section name: .didata
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0110090A push ecx; mov dword ptr [esp], edx0_2_0110090D
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_011009FC push ecx; mov dword ptr [esp], edx0_2_011009FD
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01100870 push ecx; mov dword ptr [esp], edx0_2_01100871
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0110087C push ecx; mov dword ptr [esp], edx0_2_0110087D
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01100864 push ecx; mov dword ptr [esp], edx0_2_01100865
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_011008C2 push ecx; mov dword ptr [esp], edx0_2_011008C5
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_011008E8 push ecx; mov dword ptr [esp], edx0_2_011008E9
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_010F73C8 push ecx; mov dword ptr [esp], eax0_2_010F73C9
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01100A14 push ecx; mov dword ptr [esp], edx0_2_01100A15
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0110024C push ecx; mov dword ptr [esp], edx0_2_0110024D
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01100FB8 push 0110103Bh; ret 0_2_01101033
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00410864 push ecx; mov dword ptr [esp], edx5_2_00410865
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00410870 push ecx; mov dword ptr [esp], edx 5_2_00410871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041087C push ecx; mov dword ptr [esp], edx 5_2_0041087D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004108C2 push ecx; mov dword ptr [esp], edx 5_2_004108C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004108E8 push ecx; mov dword ptr [esp], edx 5_2_004108E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041090A push ecx; mov dword ptr [esp], edx 5_2_0041090D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004109FC push ecx; mov dword ptr [esp], edx 5_2_004109FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0041024C push ecx; mov dword ptr [esp], edx 5_2_0041024D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00410A14 push ecx; mov dword ptr [esp], edx 5_2_00410A15
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0040EAA1 pushad ; retf 0041h 5_2_0041EAF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_004073C8 push ecx; mov dword ptr [esp], eax 5_2_004073C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_00410FB8 push 0041103Bh; ret 5_2_00411033
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_00410864 push ecx; mov dword ptr [esp], edx 22_2_00410865
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_00410870 push ecx; mov dword ptr [esp], edx 22_2_00410871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0041087C push ecx; mov dword ptr [esp], edx 22_2_0041087D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_004108C2 push ecx; mov dword ptr [esp], edx 22_2_004108C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_004108E8 push ecx; mov dword ptr [esp], edx 22_2_004108E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0041090A push ecx; mov dword ptr [esp], edx 22_2_0041090D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_004109FC push ecx; mov dword ptr [esp], edx 22_2_004109FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_0041024C push ecx; mov dword ptr [esp], edx 22_2_0041024D
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: RegOpenKey, DecisionNodes, Sleep (graph_5-6469)
Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: RegOpenKey, DecisionNodes, Sleep (graph_0-6511)
Source: C:\Windows\System32\loaddll32.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_0-6497)
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_5-6455)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FE100 FindFirstFileW, FindClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FDB34 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040E100 FindFirstFileW, FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040DB34 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040E100 FindFirstFileW, FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040DB34 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040E100 FindFirstFileW, FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040DB34 GetModuleHandleW, GetProcAddress, FindFirstFileW, FindClose, lstrlenW, lstrlenW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0110003C GetSystemInfo
Note: every row in this block is sourced from Amcache.hve.8.dr, the analysis machine's own Amcache hive that WerFault.exe dropped alongside the crash reports (it is listed among the dropped files below). The VMware and Hyper-V strings are the sandbox's hardware and driver inventory as recorded in that hive, not anti-VM checks carried in mpclient.dll; the sample's own evasion evidence is the RegOpenKey/GetModuleFileName decision chains ending in Sleep listed above.
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe | API call chain: ExitProcess graph end node (graph_0-6651)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_5-6645)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_22-6645)
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node (graph_24-6645)
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (6 queries; NtQueryInformationProcess with the ProcessDebugPort class, the check behind "Checks if the current process is being debugged")
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F8500 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FE238 GetUserDefaultUILanguage, GetLocaleInfoW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010FD6D8 IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040E238 GetUserDefaultUILanguage, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0040D6D8 IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040E238 GetUserDefaultUILanguage, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_0040D6D8 IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040E238 GetUserDefaultUILanguage, GetLocaleInfoW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_0040D6D8 IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01100050 GetVersion
Note: the Windows Defender paths below also come from Amcache.hve.8.dr, i.e. the Defender platform installation of the analysis machine as recorded in its own Amcache hive, not from strings embedded in the sample. As far as this report shows, an "AV process strings" hit with only this source is an environment artifact; it should count against the sample only if the same strings appear in the sample file or in its process memory.
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
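As a triage aid for the two Amcache-sourced string blocks above (the VMware/Hyper-V strings and the Windows Defender paths), the following Python script is an added example and not part of the Joe Sandbox report. It parses rows in the form shown on this page (the page extraction fuses the source and the description, so the parser splits on the signature label), separates hits whose source is the dropped Amcache hive from hits attributed to the sample's processes, and labels string hits as hypervisor or AV fingerprints. The SAMPLE_ROWS list is copied from this report; the regex alternatives, the ENVIRONMENT_SOURCES tuple and the marker lists are assumptions chosen for this page, not a Joe Sandbox API.

```python
"""Triage helper for Joe Sandbox 'Binary or memory string' signature rows.

Added example, not part of the Joe Sandbox report. Splits string-based
signature hits by their Source column so that strings found in
Amcache.hve.8.dr (the system Amcache hive that WerFault.exe dropped during the
analysis) are reported as analysis-environment artifacts rather than as
content of mpclient.dll.
"""
import re
from collections import defaultdict

# Rows copied from the report. The page extraction fuses "Source: <x>" with the
# description, so the parser splits on the known signature labels.
SAMPLE_ROWS = [
    "Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.",
    "Source: Amcache.hve.8.drBinary or memory string: vmci.sys",
    "Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter",
    "Source: Amcache.hve.8.drBinary or memory string: c:\\program files\\windows defender\\msmpeng.exe",
    "Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exeProcess queried: DebugPortJump to behavior",
    "Source: C:\\Windows\\System32\\loaddll32.exeCode function: 0_2_0110003C GetSystemInfo,0_2_0110003C",
]

# Signature labels seen on this page (assumption: the set used by this report).
ROW_RE = re.compile(
    r"^Source: (?P<source>.+?)"
    r"(?P<kind>Binary or memory string|Process queried|Code function|"
    r"Process information set|Evasive API call chain|API call chain|Process created)"
    r": (?P<detail>.*)$"
)

# Sources that describe the analysis VM rather than the sample. Amcache.hve is
# the host's application-compatibility hive; WerFault.exe copies it into the
# crash report, so every string in it is sandbox inventory.
ENVIRONMENT_SOURCES = ("Amcache.hve",)

VM_MARKERS = ("vmware", "vmci", "hyper-v", "virtual")
AV_MARKERS = ("msmpeng", "windows defender")


def parse_row(row: str):
    """Split one fused report row into (source, kind, detail); None if it does not match."""
    m = ROW_RE.match(row)
    if not m:
        return None
    detail = m.group("detail").removesuffix("Jump to behavior")  # link residue
    return m.group("source"), m.group("kind"), detail


def is_environment_source(source: str) -> bool:
    return any(marker in source for marker in ENVIRONMENT_SOURCES)


def classify_string(detail: str) -> str:
    """Label a string hit: 'vm' (hypervisor fingerprint), 'av' (AV product), else 'other'."""
    low = detail.lower()
    if any(marker in low for marker in VM_MARKERS):
        return "vm"
    if any(marker in low for marker in AV_MARKERS):
        return "av"
    return "other"


def triage(rows):
    """Group rows into findings attributable to the sample and environment artifacts."""
    result = {"sample": defaultdict(list), "environment": defaultdict(list)}
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        source, kind, detail = parsed
        bucket = "environment" if is_environment_source(source) else "sample"
        if kind == "Binary or memory string":
            label = f"{classify_string(detail)}: {detail}"
        else:
            label = f"{kind}: {detail}"
        result[bucket][source].append(label)
    return {bucket: dict(by_source) for bucket, by_source in result.items()}


if __name__ == "__main__":
    for bucket, by_source in triage(SAMPLE_ROWS).items():
        print(f"== {bucket} ==")
        for source, labels in by_source.items():
            print(f"  {source}")
            for label in labels:
                print(f"    {label}")
```

Run it over the full signature list and the "environment" bucket is what to discount when scoring the sample; anything VM- or AV-flavoured that lands in the "sample" bucket is the evidence worth a closer look.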
MITRE ATT&CK Matrix (the number before a technique is the count of signatures mapped to it; techniques without a number are the matrix's unmatched placeholder cells)

Reconnaissance: no matches (Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties)
Resource Development: no matches (Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet)
Initial Access: no matches (Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media)
Execution: 2 Command and Scripting Interpreter; 1 Native API (unmatched: At, Cron, Launchd, Scheduled Task)
Persistence: 1 DLL Side-Loading (unmatched: Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts)
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading (unmatched: Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts)
Defense Evasion: 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
Credential Access: no matches (OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials)
Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 23 System Information Discovery (unmatched: Internet Connection Discovery, Wi-Fi Discovery)
Lateral Movement: no matches (Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC)
Collection: 1 Archive Collected Data (unmatched: Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture)
Command and Control: 1 Encrypted Channel (unmatched: Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication)
Exfiltration: no matches (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits)
Impact: no matches (Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop)
Behavior Graph (ID 1396494, sample mpclient.dll, start date 21/02/2024, architecture WINDOWS, score 60). The graph image and its icon legend are not reproduced here; the nodes it contains are:

Signatures attached to the sample node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample.

Process tree:
  loaddll32.exe
    cmd.exe
      rundll32.exe
        WerFault.exe
    rundll32.exe
      WerFault.exe
    rundll32.exe
      WerFault.exe
    21 other processes

Source | Detection | Scanner | Label | Link
mpclient.dll | 37% | ReversingLabs | Win32.Trojan.SpywareX |
mpclient.dll | 100% | Avira | HEUR/AGEN.1338291 |
mpclient.dll | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | | high
The URL was extracted from the dropped Amcache hive, not from network traffic; the report records no contacted domains or IPs.
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1396494
    Start date and time:2024-02-21 21:30:06 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 7m 42s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:42
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:mpclient.dll
    Detection:MAL
    Classification:mal60.winDLL@87/13@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.189.173.22, 52.182.143.212
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • VT rate limit hit for: mpclient.dll
    Time | Type | Description
    21:31:06 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
    No context
    No context
    No context
    No context
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9243115583553735
    Encrypted:false
    SSDEEP:192:mjlBLiGOTMT0BU/wjeTQWAzuiFi9Z24IO84ci:8lBLiH4ABU/wjeczuiF2Y4IO84ci
    MD5:6647A6C8F14386E2AE0366BA95746844
    SHA1:D4C8C62F5957FA3846BD9BE5DF1D24CA22BAE0D6
    SHA-256:A6C1753249C454329DA281AE9FA90DCBDCA3E9A572D963B1B3C9251A63B6525F
    SHA-512:2452490B5202DDB1D62A1321E8E5035B2340AC030790EDA60E8446B6B8A0B6A57D74A15ADA6145ADB535FEF36AA12BA4ACF23BE75D7505492067143C610F0236
    Malicious:false
    Preview (UTF-16LE text, decoded):
    Version=1
    EventType=BEX
    EventTime=133530210656606818
    ReportType=2
    Consent=1
    UploadTime=133530210676450405
    ReportStatus=524384
    ReportIdentifier=52103b4a-3fcb-4747-9090-aad0eb711ac4
    IntegratorReportIdentifier=b6d4e5bd-3f09-46ba-8133-1f8ceb004dbb
    Wow64Host=34404
    Wow64Guest=332
    NsAppName=rundll32.exe
    OriginalFilename=RUNDLL32.EXE
    AppSessionGuid=00001e68-0001-0014-d04a-efe30465da01
    TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e2d7!r [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9242324153677586
    Encrypted:false
    SSDEEP:192:yIiW/OwT0BU/wjeTQ2AzuiFi9Z24IO84ci:piWmwABU/wje8zuiF2Y4IO84ci
    MD5:75408B3169C326D7C4661164FB3546CF
    SHA1:86D167F155115B7997E24F8F694AAC741F1002B9
    SHA-256:D3871B0CEF792E0E3B41AD0E797AB4303BD529632B1193497EE44B640B02EE05
    SHA-512:5661A4CF0D2B5C7597CE24C1D396CD3B6C642C94D0DF885916D3019FAABEB16CD3F1E1793809C534D5997C88D2068098459B84AADE30F610185ED724580B3338
    Malicious:false
    Preview (UTF-16LE text, decoded):
    Version=1
    EventType=BEX
    EventTime=133530210551391011
    ReportType=2
    Consent=1
    UploadTime=133530210559203481
    ReportStatus=524384
    ReportIdentifier=ab4840ec-f641-4ca3-ac94-4c3332b26cf8
    IntegratorReportIdentifier=aa44b3cb-ac7e-481c-90b6-7e6ad37ad884
    Wow64Host=34404
    Wow64Guest=332
    NsAppName=rundll32.exe
    OriginalFilename=RUNDLL32.EXE
    AppSessionGuid=000006b8-0001-0014-78b4-57de0465da01
    TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e2d7!r [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.918952360429739
    Encrypted:false
    SSDEEP:192:QiiWOOU0BU/wjeTQ2AzuiFi9Z24IO8dci:xiXOPBU/wje8zuiF2Y4IO8dci
    MD5:29442D7BA32B32475084F0D41F521A81
    SHA1:4043E01050555556A5221B8204765177B32C6F83
    SHA-256:9EFD894CC662ADD45BE08A11D210E16C2A21DF200F6CE685E107E80508D5269B
    SHA-512:574AD2186E547D2D12BE3C4C1E6825F05937CC74D83F0C1CACDEBB006EA65F5073EC1BFDBC8BF2FC813350B3598E2DC5A315E53B1CF128E74DAE238CD73F1446
    Malicious:false
    Preview (UTF-16LE text, decoded):
    Version=1
    EventType=APPCRASH
    EventTime=133530210663884994
    ReportType=2
    Consent=1
    UploadTime=133530210676853592
    ReportStatus=524384
    ReportIdentifier=aae2bca9-da81-47d2-81db-5aabcf737fdc
    IntegratorReportIdentifier=072f9c1d-a998-46e4-b4aa-f52bd9bc51b7
    Wow64Host=34404
    Wow64Guest=332
    NsAppName=rundll32.exe
    OriginalFilename=RUNDLL32.EXE
    AppSessionGuid=00001e8c-0001-0014-86d9-12e40465da01
    TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00008fa889e456aa646a4d0a4349977430ce5fa5e [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Wed Feb 21 20:30:55 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):46648
    Entropy (8bit):1.9043360935014533
    Encrypted:false
    SSDEEP:192:/8K7EPjx2BX/XNq8TXO5H4bAzU1OPgRVHh7/OxWADv+:oPl2l1q15H6AzU1OP8Hh/w
    MD5:4803DDCD33DDBAB8C0038369426A3EB8
    SHA1:31A3A4AC72E87BFB2E12310609A2FF6A844C822B
    SHA-256:58FEBFD4C9057ADC8606C6137740CF0223EBF510F95E856A1297961D413311C8
    SHA-512:9F5CC1C5E719FE771BF441055A5AD8DF118F2A72CBBF63FDF08A5D900841C91FE29CB02BB85D877A72C79DF7D767987C389EF63B2C23DE0A802D36669DA43A36
    Malicious:false
    Preview:MDMP..a..... ........].e.........................................,..........T.......8...........T...........................0...........................................................................................eJ..............GenuineIntel............T...........~].e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8322
    Entropy (8bit):3.6872388688085804
    Encrypted:false
    SSDEEP:192:R6l7wVeJRQ6x3xZ6YuDw6ngmf8Epprp89b2Zsf0Xym:R6lXJW6x3xZ6Ygw6ngmf8Ey2yf2
    MD5:1350DBEA34379E3E1BEE182F9B4FC8CD
    SHA1:2B5F3298C5A62778363BFA7D14C8E9CF210CC2DE
    SHA-256:608DA4E081017AC89A36BDE36EA1864287586E725E9B25104F71D933B31913BF
    SHA-512:A55E9588BD51E9BB8B9CDD60B41159A0F14995E465B14D8CC706778063AC2007AEA3D4A7679E9500E83C75B123E0199556B3B420E09AD7437786C067219BC931
    Malicious:false
    Preview (UTF-16LE text, decoded):
    <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
      <OSVersionInformation>
        <WindowsNTVersion>10.0</WindowsNTVersion>
        <Build>19045</Build>
        <Product>(0x30): Windows 10 Pro</Product>
        <Edition>Professional</Edition>
        <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
        <Revision>2006</Revision>
        <Flavor>Multiprocessor Free</Flavor>
        <Architecture>X64</Architecture>
        <LCID>2057</LCID>
      </OSVersionInformation>
      <ProcessInformation>
        <Pid>1720</Pi [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4747
    Entropy (8bit):4.439452559601604
    Encrypted:false
    SSDEEP:48:cvIwWl8zssJg77aI9sSyWpW8VYlYm8M4JCdPcDFwJ+q8vjPcsGScSCd:uIjfqI7qO7VxJwJKFJ3Cd
    MD5:08CE697291A7DC614831EF11F798D52D
    SHA1:8162652DBF2DBFE889D54FDBD7F9CFD46D0E39D6
    SHA-256:EE4B12FF745E851C87D81C0FE8D8BCB8EA6F38EC38004B56B3D13C86E6038FA0
    SHA-512:69FE517E0C7A3D83B1FA59295B7D56859C19DFA045CC12E235BD17ED49CDE3C045208FB878B38C6286917D898D245EC58ED636EAEE34E16ABBA98FBADC72047E
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="203733" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Wed Feb 21 20:31:06 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):51048
    Entropy (8bit):1.856562796215349
    Encrypted:false
    SSDEEP:192:ecNGP4tLiXMIsO5H4Lkp2us+C8fpeUe1PPtIdI:Ztd05HqqxtE13aO
    MD5:DBE5E3FF67EEEB56515A3DBD266BB3E9
    SHA1:838E86033D24E871319435192F17B900D1178A61
    SHA-256:CB4FB657932DAD11CD2DF9643409EFE9F5A6F132EC64668358B36088F17401E1
    SHA-512:6123B276D2E326B002DB8C15ECC52DD87158C674B60690CA2B0FF2605AAFEA929E4454420D223ACB4807C680E8D845D68F3F56B8B379A47760EE55A7E5332DDB
    Malicious:false
    Preview:MDMP..a..... ........].e....................................T..../..........T.......8...........T...........h...............`...........L...............................................................................eJ..............GenuineIntel............T.......h....].e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Wed Feb 21 20:31:07 2024, 0x1205a4 type
    Category:dropped
    Size (bytes):45420
    Entropy (8bit):1.9855617826938738
    Encrypted:false
    SSDEEP:192:7UJ7Edjx2BX/XNwO5H4b0W4okc/CFL2bl85oxnTKepc:wSdl2l1H5H60W4okDFLGl82nWe
    MD5:3BFA24BA657F733CE76EAAD51DBF3706
    SHA1:5EAD070180028155947EAC1352B462226215C2AB
    SHA-256:6602D18E737916FEE87E41638CC188FA475F15C2DA84964A04B93D7FA38133D9
    SHA-512:79BE703B4C06306B7258FB45FB6AD8395E971F67A559F912DCC9ABEE32ABFE3B2CF16F504DE695CF7DE7D5D729D1FF3544C0720C435B8A4731451BF65364E908
    Malicious:false
    Preview:MDMP..a..... ........].e....................................$....,..........T.......8...........T...........h...............0...........................................................................................eJ..............GenuineIntel............T............].e.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8356
    Entropy (8bit):3.688958633944492
    Encrypted:false
    SSDEEP:192:R6l7wVeJ516qgA6Y4n6vcmiGgmf8EpprRb89babgsfClOUjm:R6lXJL6qgA6YA6vtDgmf8ENcabzfClZ6
    MD5:366C128542622EB8C1D07E2D0B1F900C
    SHA1:C82C24813557598A91D8B27E2ADE8FD4F70E7152
    SHA-256:0C477BAD68A82CC43D83647D876D6387D3F7F36DA02E3C41F12BBC3256FB2258
    SHA-512:D7A76D4E4F4A2547D27B1199EE4F8FA8A97831BF75B6D4B25BECE9DA244FD9D61BF49815ED311A61CDE648C50539690A936C67A072D6963A985E5D828CE3759A
    Malicious:false
    Preview (UTF-16LE text, decoded):
    <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
      <OSVersionInformation>
        <WindowsNTVersion>10.0</WindowsNTVersion>
        <Build>19045</Build>
        <Product>(0x30): Windows 10 Pro</Product>
        <Edition>Professional</Edition>
        <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
        <Revision>2006</Revision>
        <Flavor>Multiprocessor Free</Flavor>
        <Architecture>X64</Architecture>
        <LCID>2057</LCID>
      </OSVersionInformation>
      <ProcessInformation>
        <Pid>7784</Pi [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8292
    Entropy (8bit):3.69190602742538
    Encrypted:false
    SSDEEP:192:R6l7wVeJwP6Ry56Y4U6vcmiGgmfTQpprR289babqsf0uvUjm:R6lXJY6Ry56Yj6vtDgmfTQNfabJfw6
    MD5:0835CA902FE6183131BB18A9CDADAF63
    SHA1:0C08FE72E87C5CE03866AB4AB6A3BA63C5C32813
    SHA-256:36366719BA09C1DA8EB980E2B3A8551E05ECB3A3F97BD55A75BCFF8E3641A7B6
    SHA-512:938A24F10AD1D3D708CF12D784EADCBD6BBBCB2BCD7A3AE48F4E5BA53CE06B01B5DD660A68D5BF377F215A781E8EE68C762152E902D008571538E4B821DBA08F
    Malicious:false
    Preview (UTF-16LE text, decoded):
    <?xml version="1.0" encoding="UTF-16"?>
    <WERReportMetadata>
      <OSVersionInformation>
        <WindowsNTVersion>10.0</WindowsNTVersion>
        <Build>19045</Build>
        <Product>(0x30): Windows 10 Pro</Product>
        <Edition>Professional</Edition>
        <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
        <Revision>2006</Revision>
        <Flavor>Multiprocessor Free</Flavor>
        <Architecture>X64</Architecture>
        <LCID>2057</LCID>
      </OSVersionInformation>
      <ProcessInformation>
        <Pid>7820</Pi [preview truncated]
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4747
    Entropy (8bit):4.439362785660993
    Encrypted:false
    SSDEEP:48:cvIwWl8zssJg77aI9sSyWpW8VYtYm8M4JCdPcDFvG+q8vjPc6GScSrd:uIjfqI7qO7VZJvGKfJ3rd
    MD5:57A08767AD84CB6629C711BF0796E2B0
    SHA1:35825E01B83F6343C290F93DADF3101A7C13B761
    SHA-256:5E056BF4015A8BB1A7EF34DBD5721AF58D56220A1A100D87380A39FFC6417995
    SHA-512:64B2CE9DBE7A123E3584C3D653A1F110DDDD6C950A1D3B7A9E495698A06E5756CAACCE0129D47F7EC8F224DE42143670384E77ECD361A43AB5BD9C43FC9914DD
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="203733" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4646
    Entropy (8bit):4.453441104320309
    Encrypted:false
    SSDEEP:48:cvIwWl8zssJg77aI9sSyWpW8VYMYm8M4JCdPxF/+q8/HQZGScSgd:uIjfqI7qO7VoJAzZJ3gd
    MD5:6F146C00F3D455BE9CB0D53A81E10E90
    SHA1:CA0B899C2FB8270F4F0EFE9E087D86C757254208
    SHA-256:486DE956C1AAFDE54EA29D8157E7D4247166457F5CFD4B800966B317ED49B839
    SHA-512:5E4E8EC65D9C1F00A9959E17103A22C6B5F1D9894D838BE34A76EA441A77F58FF5D3CA5290DADDDD0B6531C2E191BFD87B98E8947C2A5B2B2C63983CCE5C5EB5
    Malicious:false
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="203733" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1835008
    Entropy (8bit):4.417437693130665
    Encrypted:false
    SSDEEP:6144:Lcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:wi58oSWIZBk2MM6AFBWo
    MD5:6A9C2F1199B50D44E9C325F51580DDDB
    SHA1:B2488D232B208D0DABC3E1C7840C95DB1C399B32
    SHA-256:2EDEC52C9E2D86A947787F1567AA6E57C01F8120758B22BDE7B203FC3A965A12
    SHA-512:432AF4D00B429B7CAAE781D8DC4714D3338A56CAC9A8EAC68B04BD773988B55C6D963FC6EA9CFDB02CA10C07417B50475CCDBCA7623D0E1E8703E43BAC3B6B5B
    Malicious:false
    Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz...e...............................................................................................................................................................................................................................................................................................................................................q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.969982441395311
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 95.46%
    • Win32 EXE PECompact compressed (generic) (41571/9) 3.96%
    • Win16/32 Executable Delphi generic (2074/23) 0.20%
    • Generic Win/DOS Executable (2004/3) 0.19%
    • DOS Executable Generic (2002/1) 0.19%
    File name:mpclient.dll
    File size:3'725'950 bytes
    MD5:5bc232f3354125b5fa634e101657f598
    SHA1:bd5360cae7760ed1dd72fbb90fa448f02e1e0ab8
    SHA256:2b1056d4345ad77e4307f89a6e9181b96f20d7b82d4fec18dbc9be1e0636b0b7
    SHA512:1a3f9a9838354dea0fbacca5e140e0ce86b7b63c6a5a83749ccd71b6d10994db84f1257dfc98f8865666a232a9bbdcf189cf9a5a3d0333200f99de304249ce34
    SSDEEP:49152:JoI12hcK75SJYzZmHUxS3qNqTs07EXIUe/+/MuvzqAwoI:JoIsdtS3a2+0EI
    TLSH:DB069E22B288653FD0AB0A3A4537E558993F77723926CD1777F4094C8F3A6416E3E60B
    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
    Icon Hash:7ae282899bbab082
    Entrypoint:0x6a6804
    Entrypoint Section:.itext
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
    DLL Characteristics:
    Time Stamp:0x65D5D342 [Wed Feb 21 10:41:06 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:dae1a3f04a7cd51523ba31141bb95f1e
    Instruction
    push ebp
    mov ebp, esp
    add esp, FFFFFFC0h
    mov eax, 0069D2E0h
    call 00007FDFB0D4BF2Dh
    push 00000000h
    call 00007FDFB0D77C56h
    call 00007FDFB0FD7741h
    test al, al
    je 00007FDFB0FE1047h
    call 00007FDFB0FD7600h
    call 00007FDFB0D44C97h
    mov eax, eax
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2c2000 | 0x71f | .edata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2bd000 | 0x3886 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x300000 | 0x7800 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c4000 | 0x3b244 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2bd9f4 | 0x8c8 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2c1000 | 0xc12 | .didata
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x2a39a0 | 0x2a3a00 | f66de12fa2effbc18c040b7b5ecb2acd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .itext | 0x2a5000 | 0x1830 | 0x1a00 | 78bccb694dacca915718b0e8b4343a6a | False | 0.51953125 | data | 6.087679747375109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x2a7000 | 0xe8a4 | 0xea00 | 2e8ab70067463a0ce2a6e72300a44a8b | False | 0.5816639957264957 | data | 6.683669416799232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .bss | 0x2b6000 | 0x64fc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x2bd000 | 0x3886 | 0x3a00 | b01f942c0fb53b6c8816455fa54ac147 | False | 0.32873114224137934 | data | 5.249046088725915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .didata | 0x2c1000 | 0xc12 | 0xe00 | 2443c5f77c5b50aae3dee90880615c0d | False | 0.3071986607142857 | data | 3.8844486128614415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .edata | 0x2c2000 | 0x71f | 0x800 | 524589c39bf033b50e55207aae3f3ffa | False | 0.4619140625 | data | 5.170699436764405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rdata | 0x2c3000 | 0x45 | 0x200 | 820ba320e186d50625bbdab2141723aa | False | 0.158203125 | ASCII text, with no line terminators | 1.168054808516945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x2c4000 | 0x3b244 | 0x3b400 | 52d0d346ff81996cb299a42df150f6d3 | False | 0.565067082014768 | data | 6.720570492852226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .rsrc | 0x300000 | 0x7800 | 0x7800 | 9ce2a1f753e430c178e87469216cb9b7 | False | 0.28958333333333336 | data | 4.047208832050841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_CURSOR | 0x300a10 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
    RT_CURSOR | 0x300b44 | 0x134 | data | English | United States | 0.4642857142857143
    RT_CURSOR | 0x300c78 | 0x134 | data | English | United States | 0.4805194805194805
    RT_CURSOR | 0x300dac | 0x134 | data | English | United States | 0.38311688311688313
    RT_CURSOR | 0x300ee0 | 0x134 | data | English | United States | 0.36038961038961037
    RT_CURSOR | 0x301014 | 0x134 | data | English | United States | 0.4090909090909091
    RT_CURSOR | 0x301148 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
    RT_STRING | 0x30127c | 0x1d8 | data | | | 0.3389830508474576
    RT_STRING | 0x301454 | 0x408 | data | | | 0.3808139534883721
    RT_STRING | 0x30185c | 0x488 | data | | | 0.371551724137931
    RT_STRING | 0x301ce4 | 0x364 | data | | | 0.33410138248847926
    RT_STRING | 0x302048 | 0x418 | data | | | 0.40935114503816794
    RT_STRING | 0x302460 | 0x134 | data | | | 0.5974025974025974
    RT_STRING | 0x302594 | 0xd0 | data | | | 0.6778846153846154
    RT_STRING | 0x302664 | 0x290 | data | | | 0.47103658536585363
    RT_STRING | 0x3028f4 | 0x388 | data | | | 0.3805309734513274
    RT_STRING | 0x302c7c | 0x3c4 | data | | | 0.38070539419087135
    RT_STRING | 0x303040 | 0x438 | data | | | 0.38425925925925924
    RT_STRING | 0x303478 | 0x464 | data | | | 0.3087188612099644
    RT_STRING | 0x3038dc | 0x358 | data | | | 0.39953271028037385
    RT_STRING | 0x303c34 | 0x388 | data | | | 0.4081858407079646
    RT_STRING | 0x303fbc | 0x520 | data | | | 0.3544207317073171
    RT_STRING | 0x3044dc | 0x4c8 | data | | | 0.397875816993464
    RT_STRING | 0x3049a4 | 0x40c | data | | | 0.3465250965250965
    RT_STRING | 0x304db0 | 0x38c | data | | | 0.3513215859030837
    RT_STRING | 0x30513c | 0x44c | data | | | 0.39181818181818184
    RT_STRING | 0x305588 | 0x19c | data | | | 0.441747572815534
    RT_STRING | 0x305724 | 0xcc | data | | | 0.6274509803921569
    RT_STRING | 0x3057f0 | 0x198 | data | | | 0.5612745098039216
    RT_STRING | 0x305988 | 0x3c8 | data | | | 0.37913223140495866
    RT_STRING | 0x305d50 | 0x3b4 | data | | | 0.3407172995780591
    RT_STRING | 0x306104 | 0x354 | data | | | 0.3826291079812207
    RT_STRING | 0x306458 | 0x2f0 | data | | | 0.3949468085106383
    RT_RCDATA | 0x306748 | 0x15a | Delphi compiled form 'ApplicationFrameInputSinkWindow' | | | 0.7196531791907514
    RT_RCDATA | 0x3068a4 | 0x10 | data | | | 1.5
    RT_RCDATA | 0x3068b4 | 0x874 | data | | | 0.5415896487985212
    RT_RCDATA | 0x307128 | 0x2 | data | English | United States | 5.0
    RT_RCDATA | 0x30712c | 0xeb | Delphi compiled form 'TCCNCGICQUQ' | | | 0.8042553191489362
    RT_RCDATA | 0x307218 | 0x2eb | Delphi compiled form 'TSBMDMITVSC' | | | 0.5582329317269076
    RT_GROUP_CURSOR | 0x307504 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
    RT_GROUP_CURSOR | 0x307518 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
    RT_GROUP_CURSOR | 0x30752c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
    RT_GROUP_CURSOR | 0x307540 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
    RT_GROUP_CURSOR | 0x307554 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
    RT_GROUP_CURSOR | 0x307568 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
    RT_GROUP_CURSOR | 0x30757c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
    RT_VERSION | 0x307590 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States | 0.55
    DLL | Import
    winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
    comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
    shell32.dll | SHGetFolderPathW, Shell_NotifyIconW
    user32.dll | CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, SendMessageA, EnumWindows, ShowOwnedPopups, GetClassInfoExW, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetAsyncKeyState, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, mouse_event, CreateWindowExA, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, AttachThreadInput, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, keybd_event, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, GetCursor, KillTimer, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, InflateRect, DrawFocusRect, ReleaseCapture, SendInput, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, ToAscii, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, FindWindowA, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, GetKeyboardState, ScreenToClient, DrawFrameControl, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CloseClipboard, DestroyCursor, PostMessageA, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, HideCaret, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
    version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
    oleaut32.dll | SysFreeString, VariantClear, VariantInit, GetErrorInfo, SysReAllocStringLen, SafeArrayCreate, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, VariantChangeType
    advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegFlushKey, RegQueryValueExW, RegEnumValueW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
    netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
    msvcrt.dll | memcpy, memset
    winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
    kernel32.dll | GetFileType, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TlsAlloc, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, GetCPInfoExW, WriteProcessMemory, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, ReadFile, GetUserDefaultLCID, HeapSize, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, WinExec, GetVersionExW, GetModuleHandleA, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, TlsFree, GetConsoleOutputCP, GetConsoleCP, lstrlenW, SetEndOfFile, QueryPerformanceCounter, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
    wsock32.dll | gethostbyaddr, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, inet_addr, getpeername, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName
    ole32.dll | IsEqualGUID, OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc
    gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, SetAbortProc, SetTextColor, StretchBlt, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, FrameRgn, BitBlt, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CombineRgn, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
    Name | Ordinal | Address
    MpAddDynamicSignatureFile | 61 | 0x69d2cc
    MpAllocMemory | 60 | 0x69cf3c
    MpCleanOpen | 59 | 0x69cf4c
    MpCleanStart | 58 | 0x69cf5c
    MpClientUtilExportFunctions | 57 | 0x69cf6c
    MpConfigClose | 56 | 0x69cf7c
    MpConfigDelValue | 55 | 0x69cf8c
    MpConfigGetValue | 54 | 0x69cf9c
    MpConfigGetValueAlloc | 53 | 0x69cfac
    MpConfigInitialize | 52 | 0x69cfbc
    MpConfigIteratorClose | 51 | 0x69cfcc
    MpConfigIteratorEnum | 50 | 0x69cfdc
    MpConfigIteratorOpen | 49 | 0x69cfec
    MpConfigOpen | 48 | 0x69cffc
    MpConfigSetValue | 47 | 0x69d00c
    MpConfigUninitialize | 46 | 0x69d01c
    MpConveySampleSubmissionResult | 45 | 0x69d02c
    MpDynamicSignatureEnumerate | 44 | 0x69d03c
    MpDynamicSignatureOpen | 43 | 0x69d04c
    MpFreeMemory | 42 | 0x69d05c
    MpGetDevMode | 40 | 0x69d07c
    MpGetDeviceControlSecurityPolicies | 41 | 0x69d06c
    MpGetNpSupportFile | 39 | 0x69d08c
    MpGetSampleChunk | 38 | 0x69d09c
    MpGetTDTFeatureStatus | 36 | 0x69d0bc
    MpGetTDTFeatureStatusEx | 35 | 0x69d0cc
    MpGetTPStateInfo | 34 | 0x69d0dc
    MpGetTSModeInfo | 33 | 0x69d0ec
    MpGetTaskSchedulerStrings | 37 | 0x69d0ac
    MpHandleClose | 32 | 0x69d0fc
    MpManagerEnable | 31 | 0x69d10c
    MpManagerOpen | 30 | 0x69d11c
    MpManagerStatusQuery | 29 | 0x69d12c
    MpManagerStatusQueryEx | 28 | 0x69d13c
    MpManagerVersionQuery | 27 | 0x69d14c
    MpNetworkCapture | 26 | 0x69d15c
    MpQuarantineRequest | 25 | 0x69d16c
    MpQueryEngineConfigDword | 24 | 0x69d17c
    MpRemoveDynamicSignatureFile | 23 | 0x69d18c
    MpRollbackPlatform | 22 | 0x69d19c
    MpSampleQuery | 21 | 0x69d1ac
    MpSampleSubmit | 20 | 0x69d1bc
    MpScanControl | 19 | 0x69d1cc
    MpScanResult | 18 | 0x69d1dc
    MpScanStartEx | 17 | 0x69d1ec
    MpServiceLogMessage | 16 | 0x69d1fc
    MpSetTPState | 15 | 0x69d20c
    MpThreatEnumerate | 14 | 0x69d21c
    MpThreatOpen | 13 | 0x69d22c
    MpUnblockEngine | 12 | 0x69d23c
    MpUnblockPlatform | 11 | 0x69d24c
    MpUnblockSignatures | 10 | 0x69d25c
    MpUpdatePlatform | 9 | 0x69d26c
    MpUpdateStart | 8 | 0x69d27c
    MpUpdateStartEx | 7 | 0x69d28c
    MpUpdateTSModeEx | 6 | 0x69d29c
    MpUtilsExportFunctions | 5 | 0x69d2ac
    MpWDEnable | 4 | 0x69d2bc
    TMethodImplementationIntercept | 3 | 0x465380
    __dbk_fcall_wrapper | 2 | 0x4115d0
    dbkFCallWrapperAddr | 1 | 0x6b9640
    Language of compilation system | Country where language is spoken | Map
    English | United States |
    No network behavior found

    Target ID:0
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\mpclient.dll"
    Imagebase:0x9f0000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:false

    Target ID:1
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff75da10000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:3
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
    Imagebase:0x410000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAddDynamicSignatureFile
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",#1
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:21:30:54
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 696
    Imagebase:0xb90000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:21:30:57
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpAllocMemory
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:21:31:00
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe C:\Users\user\Desktop\mpclient.dll,MpCleanOpen
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:19
    Start time:21:31:03
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAddDynamicSignatureFile
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:20
    Start time:21:31:03
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpAllocMemory
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:21
    Start time:21:31:03
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpCleanOpen
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:22
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",dbkFCallWrapperAddr
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high
    Has exited:true

    Target ID:23
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",__dbk_fcall_wrapper
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:24
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",TMethodImplementationIntercept
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:26
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpWDEnable
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:27
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUtilsExportFunctions
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:28
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateTSModeEx
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:29
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStartEx
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:30
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdateStart
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:32
    Start time:21:31:04
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUpdatePlatform
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:33
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 688
    Imagebase:0xb90000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:34
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockSignatures
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:35
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockPlatform
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:36
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpUnblockEngine
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:37
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 688
    Imagebase:0xb90000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    Target ID:38
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatOpen
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:39
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpThreatEnumerate
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:40
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpSetTPState
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true

    Target ID:41
    Start time:21:31:05
    Start date:21/02/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\mpclient.dll",MpServiceLogMessage
    Imagebase:0x1000000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Has exited:true


      Execution Graph

      Execution Coverage:4%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:12.2%
      Total number of Nodes:238
      Total number of Limit Nodes:12

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,010FE2F8,?,?), ref: 010FE26A
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,010FE2F8,?,?), ref: 010FE273
        • Part of subcall function 010FE100: FindFirstFileW.KERNEL32(00000000,?,00000000,010FE15E,?,00000001), ref: 010FE133
        • Part of subcall function 010FE100: FindClose.KERNEL32(00000000,00000000,?,00000000,010FE15E,?,00000001), ref: 010FE143
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: 00000000.00000002.2446331341.00000000010F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2447854022.0000000001397000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2447987959.0000000001398000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448107166.0000000001399000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448467408.000000000139D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448651584.000000000139E000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448762019.00000000013A2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448887373.00000000013A4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2448983482.00000000013AB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2449062818.00000000013AF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2449170454.00000000013B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2449280137.00000000013B2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2449280137.00000000013B4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: e62ff993989a445d8cfd4043f97a68928bac4c71d7ebb7f05f9710f7548d4721
      • Instruction ID: 3fa1108d6f33f07ab0945a999ca88982a4366dbb1dc74648009ff5ffc21e7295
      • Opcode Fuzzy Hash: e62ff993989a445d8cfd4043f97a68928bac4c71d7ebb7f05f9710f7548d4721
      • Instruction Fuzzy Hash: 97117274A0020A9FDB00EF94C982AEDB3B9FF55300F91447DEB44A7A50EB746E05CB61
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,010FE15E,?,00000001), ref: 010FE133
      • FindClose.KERNEL32(00000000,00000000,?,00000000,010FE15E,?,00000001), ref: 010FE143
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 740864b584d2544057adcc8e509abc207be998bb51e3458fa3119203ea787525
      • Instruction ID: 20ee79172fffb3e20f89362a3ae231c98a39a40755776e2c4e86eee270f953d2
      • Opcode Fuzzy Hash: 740864b584d2544057adcc8e509abc207be998bb51e3458fa3119203ea787525
      • Instruction Fuzzy Hash: AAF08271900709FFDB60FBB9CD538DEB7ECFB4561079605A9A684D3E90E734AE009510
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 242 110003c-110004c GetSystemInfo
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction ID: add8ae61a016a85bae647bcc5a109505f222a858f59c7f23af8c585dd9765e22
      • Opcode Fuzzy Hash: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction Fuzzy Hash: C3A012144084010BC444A7184C4344F31801942010FC4031474DCA5681E605856443DB
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,010FDF49,?,?), ref: 010FDD5D
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,010FDF49,?,?), ref: 010FDDA6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,010FDF49,?,?), ref: 010FDDC8
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 010FDDE6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 010FDE04
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 010FDE22
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 010FDE40
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,010FDF2C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,010FDF49), ref: 010FDE80
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,010FDF2C,?,80000001), ref: 010FDEAB
      • RegCloseKey.ADVAPI32(?,010FDF33,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,010FDF2C,?,80000001,Software\Embarcadero\Locales), ref: 010FDF26
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: cfce49ec313c1a7950982ffc52f985c3d35c734d3ec05d135af3bde3c4977d4e
      • Instruction ID: 5d44b503c5450a51fb2736f2052f94b2ca135d178e2ed9767508a2446dd12f0d
      • Opcode Fuzzy Hash: cfce49ec313c1a7950982ffc52f985c3d35c734d3ec05d135af3bde3c4977d4e
      • Instruction Fuzzy Hash: 59513075A40209BEEB50EBD4CC43FEE77BCEB18704F5040ADB744E6981E6B0AA44CB55
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • EnterCriticalSection.KERNEL32(013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B,?,?,00000000,00000000,00000000), ref: 010FDA0E
      • LeaveCriticalSection.KERNEL32(013A8C14,013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B,?,?,00000000,00000000), ref: 010FDA32
      • LeaveCriticalSection.KERNEL32(013A8C14,013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B,?,?,00000000,00000000), ref: 010FDA41
      • IsValidLocale.KERNEL32(00000000,00000002,013A8C14,013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B), ref: 010FDA53
      • EnterCriticalSection.KERNEL32(013A8C14,00000000,00000002,013A8C14,013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B), ref: 010FDAB0
      • LeaveCriticalSection.KERNEL32(013A8C14,013A8C14,00000000,00000002,013A8C14,013A8C14,00000000,010FDAF4,?,?,?,00000000,?,010FE3BC,00000000,010FE41B), ref: 010FDAD9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-GB,en,en-US,
      • API String ID: 975949045-3021119265
      • Opcode ID: e70b50c00aa5bc07a13e9edc0b33cbf0b78cced5b06611d8b760ce3d8c65480f
      • Instruction ID: 7f7adbaf2d0c0841029e6a2bbfd431d545777a8acec9b63fd47db00a77b5ff7f
      • Opcode Fuzzy Hash: e70b50c00aa5bc07a13e9edc0b33cbf0b78cced5b06611d8b760ce3d8c65480f
      • Instruction Fuzzy Hash: 06210520305207ABEB51B7E88C4369D769AEB55605FC044ADE3C097F80DAA49C05CBA6
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 010FA16B
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID:
      • API String ID: 2882836952-0
      • Opcode ID: 54e732e5d0243d8ee35427e0b24e91eb2da571cb2f5c6fc66b521e1544b405bc
      • Instruction ID: 8764610eae84886a4c442f8a98cb20ae85a36408b65e67cd4998bb4ce1eade7c
      • Opcode Fuzzy Hash: 54e732e5d0243d8ee35427e0b24e91eb2da571cb2f5c6fc66b521e1544b405bc
      • Instruction Fuzzy Hash: AF51AEB4700206DFDB65DF6CC88A79A7BE4FB48324F54859DEA8D8BA41C774E884CB11
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE464
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE4B5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID: MZP
      • API String ID: 1159719554-2889622443
      • Opcode ID: bfc95b2015109baffcbe8c31c4de35b34967d7c3e2002fd14f80f7ca7e78f254
      • Instruction ID: d055dea339d924192bab855d3974f8e9825a358a95f36bfabf4b74231ab5db9b
      • Opcode Fuzzy Hash: bfc95b2015109baffcbe8c31c4de35b34967d7c3e2002fd14f80f7ca7e78f254
      • Instruction Fuzzy Hash: 7F11A334A4021D9FDB10EB64CC86FDE77B8EB54300F5240EDE648A7A90DA746F848EA1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (rendered graph not preserved; nodes were marked Executed / Not Executed)

      • Blocks: 152 10fd1b4-10fd1c2; 153 10fd1ef-10fd1fa; 154 10fd1c4-10fd1db (GetModuleFileNameW, call 10fe428); 156 10fd1e0-10fd1e7; 157 10fd1e9-10fd1ec
      • Edges: 152->153, 152->154, 154->156, 156->153, 156->157, 157->153
      APIs
      • GetModuleFileNameW.KERNEL32(MZP,?,0000020A), ref: 010FD1D2
        • Part of subcall function 010FE428: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE464
        • Part of subcall function 010FE428: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE4B5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID: MZP
      • API String ID: 4113206344-2889622443
      • Opcode ID: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction ID: d3cd48e0ea52264a8f5b574e464572ed771c125548768ff7c7bb1a8c10a4dc2d
      • Opcode Fuzzy Hash: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction Fuzzy Hash: E1E0ED71A003109BDB50DF9CC8C5A4737D4AB08755F044A99AE58CF246E371E910C7E1
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,010FE41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,010FE4A2,00000000,?,00000105), ref: 010FE3AF
      • GetSystemDefaultUILanguage.KERNEL32(00000000,010FE41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,010FE4A2,00000000,?,00000105), ref: 010FE3D7
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: 69363a1543af5227b1a6307f150d8f5f00dfd88424b17e1df02858367ac55ef3
      • Instruction ID: 0542d9644375987c1fcab87b094e071ce6a84884c7f80c13890c2f16fdd6d869
      • Opcode Fuzzy Hash: 69363a1543af5227b1a6307f150d8f5f00dfd88424b17e1df02858367ac55ef3
      • Instruction Fuzzy Hash: 4B312E30A0020A9FDB10EB99C886AEEB7F5FF44300F51856DE680A7A60DB74AD85CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (rendered graph not preserved; nodes were marked Executed / Not Executed)

      • Blocks: 232 1396804-139681b (call 11016fc, CoInitialize, call 138cf1c); 236 1396820-1396822; 237 1396829-1396830 (call 10fa480); 238 1396824 (call 138cde4)
      • Edges: 232->236, 236->237, 236->238, 238->237
      APIs
      • CoInitialize.OLE32(00000000), ref: 01396816
        • Part of subcall function 0138CDE4: FindWindowA.USER32(00000000,00000000), ref: 0138CE27
        • Part of subcall function 0138CDE4: ShowWindow.USER32(00000000,00000000,00000000,0138CEFC), ref: 0138CE2D
        • Part of subcall function 0138CDE4: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0138CEFC), ref: 0138CE34
        • Part of subcall function 0138CDE4: GetCurrentProcessId.KERNEL32(0138CEFC), ref: 0138CE66
        • Part of subcall function 0138CDE4: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0138CEFC), ref: 0138CE73
        • Part of subcall function 0138CDE4: WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED0
        • Part of subcall function 0138CDE4: CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED9
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Process$HandleWindow$CloseCurrentFindInitializeMemoryModuleOpenShowWrite
      • String ID:
      • API String ID: 866042729-0
      • Opcode ID: 66bd5d53911b9dd70b8a745ee4499452ae30daa3b476944c29cb1591eca7ca26
      • Instruction ID: 1662ecd7b39dc0a7077b12570e22656d6d502175596e3e8bd212478f490ab9be
      • Opcode Fuzzy Hash: 66bd5d53911b9dd70b8a745ee4499452ae30daa3b476944c29cb1591eca7ca26
      • Instruction Fuzzy Hash: B3D0124060934716DD0133FD5C067CA3E440F621ACF080556E544CB6C7DE88951941FB
      Uniqueness

      Uniqueness Score: -1.00%
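A worked reading aid for the block above (function 1396804 and its subcall 0138CDE4), added here as example code that is not part of the Joe Sandbox report or of the mpclient.dll sample. It parses the report's own API lines, copied into the script as constructed input, names the Win32 constants a reviewer would otherwise look up (001FFFFF on OpenProcess is PROCESS_ALL_ACCESS; 00000002 on LoadLibraryExW is LOAD_LIBRARY_AS_DATAFILE; 00000059 and 0000005A on GetLocaleInfoW are LOCALE_SISO639LANGNAME and LOCALE_SISO3166CTRYNAME; 00001000 and 00000004 on VirtualAlloc are MEM_COMMIT and PAGE_READWRITE; FFFFFFF5 on GetStdHandle is STD_OUTPUT_HANDLE), and flags the one sequence in this section that deserves time in the disassembler: GetCurrentProcessId, OpenProcess with full access, then a WriteProcessMemory whose size slot reads 6, all against the process's own address space, which is consistent with an inline code patch. Two caveats a reader should carry into the rest of the listings. Joe recovers arguments by reading raw stack slots, so a value such as 000000E9 in the lpBuffer position (0xE9 is the x86 JMP rel32 opcode byte) or 000000F6 for the second GetStdHandle (presumably the low byte of FFFFFFF6, STD_INPUT_HANDLE) is a hint to confirm against the code, not the argument itself. Separately, and as an assessment of mine rather than a finding of the report: the GetModuleFileNameW / GetUserDefaultUILanguage / GetSystemDefaultUILanguage / IsValidLocale / GetLocaleInfoW / LoadLibraryExW(LOAD_LIBRARY_AS_DATAFILE) chain is the shape of the Delphi runtime's resource-module loader, and the MZP argument is most likely HInstance rendered as the string found at the image base, because the Delphi linker writes e_cblp = 0x0050 and its images therefore begin with the bytes MZP. Those blocks support attributing the compiler, not malicious intent. The block keys, the flag strings and the function names below are mine.

```python
"""Added triage helper for the 'APIs' bullet lines in this report: example code
written for this page, not part of the Joe Sandbox report or of mpclient.dll.
It parses the lines as printed, names the Win32 constants a reviewer would
otherwise look up, and flags the self-process memory write in subcall 0138CDE4."""
import re
from typing import Dict, List, NamedTuple, Optional

# Lines copied from this report's function blocks, keyed by the function start
# (or first ref) the report shows. Constructed input for the example.
REPORT_BLOCKS: Dict[str, str] = {
    "010FE428": """
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE464
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,010FE4E2,?,MZP,01397C24), ref: 010FE4B5
""",
    "01396804": """
• CoInitialize.OLE32(00000000), ref: 01396816
• Part of subcall function 0138CDE4: FindWindowA.USER32(00000000,00000000), ref: 0138CE27
• Part of subcall function 0138CDE4: ShowWindow.USER32(00000000,00000000,00000000,0138CEFC), ref: 0138CE2D
• Part of subcall function 0138CDE4: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0138CEFC), ref: 0138CE34
• Part of subcall function 0138CDE4: GetCurrentProcessId.KERNEL32(0138CEFC), ref: 0138CE66
• Part of subcall function 0138CDE4: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0138CEFC), ref: 0138CE73
• Part of subcall function 0138CDE4: WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED0
• Part of subcall function 0138CDE4: CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED9
""",
    "010F570C": """
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,010F5D23), ref: 010F5723
""",
    "010FD782": """
• IsValidLocale.KERNEL32(?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD782
• GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD79E
• GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD7AF
""",
    "010F7A22": """
• GetStdHandle.KERNEL32(FFFFFFF5), ref: 010F7A22
• GetStdHandle.KERNEL32(000000F6), ref: 010F7A2D
""",
}

LINE_RE = re.compile(
    r"^(?:• )?(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$")

# Win32 constant names keyed by (API, zero-based argument index).
CONSTANTS = {
    ("OpenProcess", 0): {0x1FFFFF: "PROCESS_ALL_ACCESS"},
    ("LoadLibraryExW", 2): {0x2: "LOAD_LIBRARY_AS_DATAFILE"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x3000: "MEM_COMMIT|MEM_RESERVE"},
    ("VirtualAlloc", 3): {0x4: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("IsValidLocale", 1): {0x2: "LCID_SUPPORTED"},
    ("GetLocaleInfoW", 1): {0x59: "LOCALE_SISO639LANGNAME", 0x5A: "LOCALE_SISO3166CTRYNAME"},
    ("GetStdHandle", 0): {0xFFFFFFF6: "STD_INPUT_HANDLE", 0xFFFFFFF5: "STD_OUTPUT_HANDLE",
                          0xFFFFFFF4: "STD_ERROR_HANDLE"},
}

class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]          # tokens as printed: hex word, '?' or a string Joe resolved
    ref: str
    subcall: Optional[str]   # set for 'Part of subcall function' lines

def parse_block(text: str) -> List[ApiCall]:
    """Parse one function block's API lines, subcall lines included."""
    calls = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised report line: {raw!r}")
        calls.append(ApiCall(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]))
    return calls

def decode(call: ApiCall) -> Dict[int, str]:
    """Name known constants; only clean hex tokens are decoded, so the truncated
    '000000F6' Joe prints for the second GetStdHandle stays undecoded."""
    names = {}
    for idx, tok in enumerate(call.args):
        table = CONSTANTS.get((call.api, idx))
        if table and re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) and int(tok, 16) in table:
            names[idx] = table[int(tok, 16)]
    return names

def triage(calls: List[ApiCall]) -> List[str]:
    """Flag a full-access handle to the current process followed by
    WriteProcessMemory, and any RWX VirtualAlloc, within one block."""
    apis = [c.api for c in calls]
    opened_self = "GetCurrentProcessId" in apis and any(
        c.api == "OpenProcess" and decode(c).get(0) == "PROCESS_ALL_ACCESS" for c in calls)
    flags = []
    for c in calls:
        if c.api == "WriteProcessMemory" and opened_self:
            flags.append(f"self-process-write (nSize={int(c.args[3], 16)}, at {c.ref})")
        if c.api == "VirtualAlloc" and decode(c).get(3) == "PAGE_EXECUTE_READWRITE":
            flags.append(f"rwx-alloc (at {c.ref})")
    return flags

def summarise(blocks: Dict[str, str] = REPORT_BLOCKS) -> Dict[str, dict]:
    """Decoded constants and flags for every block, keyed by function."""
    return {func: {"decoded": {f"{c.api}@{c.ref}": decode(c) for c in parse_block(text) if decode(c)},
                   "flags": triage(parse_block(text))} for func, text in blocks.items()}
```

summarise() returns the decoded constants and flags per block; on this section's listings the only flag raised is the self-process write at 0138CED0, while the loader, locale and allocation blocks come back clean, which is the reason for keeping them in the input.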

      Control-flow Graph (rendered graph not preserved; nodes were marked Executed / Not Executed)

      • Blocks: 243 10f570c-10f572a (call 10f56a0, VirtualAlloc); 246 10f572c-10f5779; 247 10f577a-10f5785
      • Edges: 243->246, 243->247
      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,010F5D23), ref: 010F5723
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 4714aabe60960147acd8a1190977fe865a508f515766aa5b358c90aaeeb3f019
      • Instruction ID: c462be1d63664debde3cdc8389d7e061ea29b284cc1cd2a22fdcd8844b147cfa
      • Opcode Fuzzy Hash: 4714aabe60960147acd8a1190977fe865a508f515766aa5b358c90aaeeb3f019
      • Instruction Fuzzy Hash: A0F0AFF2F003114FE7248F79A9527417BD8FB08350F58827EEA49DBB88D7B088018780
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 010FDB51
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 010FDB62
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 010FDC62
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 010FDC74
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 010FDC80
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 010FDCC5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: 52c019afa1382769415233025bedd6c41a98717056c236d175512a1be12d2293
      • Instruction ID: 947f034a40060522916187de5893947ddd33a2ac4d4cace211f3b9f3471f99cf
      • Opcode Fuzzy Hash: 52c019afa1382769415233025bedd6c41a98717056c236d175512a1be12d2293
      • Instruction Fuzzy Hash: 11419F71E0061E9BDB10EFD8CC96BDEB7B5AF44310F1885A88784E7640E7B4AE45CB81
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • IsValidLocale.KERNEL32(?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD782
      • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD79E
      • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,010FD83D,?,?,?,00000000), ref: 010FD7AF
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Locale$Info$Valid
      • String ID:
      • API String ID: 1826331170-0
      • Opcode ID: 96a0aba0d1893eb54b9bf72ebc50d3369ed49bebbd090af098a6ffeabfc01116
      • Instruction ID: a4cce454dace6d647f729b1d25056ba59e8778dff08ee951824ec9bb62f45b60
      • Opcode Fuzzy Hash: 96a0aba0d1893eb54b9bf72ebc50d3369ed49bebbd090af098a6ffeabfc01116
      • Instruction Fuzzy Hash: 7E31A074A00748ABEF21DB94CC82BDE77B9FB45701F5005EDA748A7684E6356E81CF11
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Version
      • String ID:
      • API String ID: 1889659487-0
      • Opcode ID: 61d1e6ac23695329b6daa16fa9e9ac161fb870f1f2965e0d968752766508c0ae
      • Instruction ID: 8cdaeb13efee10f5aa7f124f743dde03a04892aacc64ad899774491f3216b04f
      • Opcode Fuzzy Hash: 61d1e6ac23695329b6daa16fa9e9ac161fb870f1f2965e0d968752766508c0ae
      • Instruction Fuzzy Hash: 0CD0C7B5D1150305DB358654CE823BC2595F3D67C4FE84179D10545DDED7FD84C1A216
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
      • Instruction ID: 2d7ffe78bb5bc62d6255d73ab66b05f186e0f6af7a1c21129f9b1ab1338c0414
      • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
      • Instruction Fuzzy Hash: F0019632B057150B974CDD7ECD99A2ABAD3ABC8910F49C73D96C9C76C4DD318C1AC682
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
      • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
      • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
      • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph (rendered graph not preserved; nodes were marked Executed / Not Executed)

      • Blocks: 299 10f7974-10f798e; 300 10f799f-10f79b0; 301 10f7990-10f7993; 302 10f7995-10f7998; 303 10f79b2-10f79c3; 304 10f79d6-10f79e2; 305 10f7a8c-10f7aac (CreateFileW); 306 10f79e8-10f79ec; 307 10f799a; 308 10f79c5-10f79cf; 309 10f79fe-10f7a0b; 310 10f79ee-10f79f7
      • Blocks: 311 10f7bd7-10f7bdd; 312 10f7aae-10f7abb (GetLastError); 313 10f7ac0-10f7ac8; 314 10f7ace-10f7ae3 (GetFileSize); 315 10f7b90-10f7b98; 316 10f7a0d-10f7a13; 317 10f7a2b-10f7a32 (GetStdHandle); 318 10f7ae5-10f7aee (call 10f795c); 319 10f7af3-10f7afb; 320 10f7a1c; 321 10f7a15-10f7a1a; 322 10f7b9a-10f7ba1
      • Blocks: 323 10f7ba8-10f7bae; 324 10f7a34-10f7a3c; 326 10f7a21-10f7a29 (GetStdHandle); 327 10f7aff-10f7b0d (SetFilePointer); 328 10f7afd; 329 10f7a42-10f7a4d (GetFileType); 330 10f7bb0-10f7bbb (GetFileType); 332 10f7b0f-10f7b2c (ReadFile); 333 10f7b2e-10f7b37 (call 10f795c); 334 10f7a4f-10f7a55; 335 10f7a79-10f7a87; 336 10f7bbd-10f7bbe
      • Blocks: 337 10f7bc2-10f7bce (call 10f795c); 338 10f7b3c-10f7b40; 340 10f7a68-10f7a74 (GetConsoleCP); 341 10f7a57-10f7a63 (GetConsoleOutputCP); 342 10f7bd0; 343 10f7bc0; 346 10f7b42-10f7b46; 348 10f7b48-10f7b4e; 349 10f7b50-10f7b53; 350 10f7b59-10f7b5c; 351 10f7b5e-10f7b72 (SetFilePointer); 352 10f7b8b-10f7b8e; 353 10f7b74-10f7b7e (SetEndOfFile); 354 10f7b80-10f7b89 (call 10f795c)
      • Edges: 299->300, 299->301, 300->304, 301->302, 301->303, 302->307, 302->308, 303->304, 304->305, 304->306, 305->312, 305->313, 306->309, 306->310, 307->311, 308->304, 309->316, 309->317, 310->309, 312->311, 313->314, 313->315, 314->318, 314->319, 315->322, 315->323
      • Edges: 316->320, 316->321, 317->324, 318->311, 319->327, 319->328, 320->326, 321->326, 322->323, 323->311, 323->330, 324->323, 324->329, 326->324, 327->332, 327->333, 328->327, 329->334, 329->335, 330->336, 330->337, 332->333, 332->338, 333->311, 334->340, 334->341
      • Edges: 335->323, 336->342, 336->343, 337->311, 338->315, 338->346, 340->323, 341->323, 342->311, 343->311, 346->315, 346->348, 348->315, 348->349, 349->350, 350->351, 350->352, 351->353, 351->354, 352->315, 352->350, 353->315, 353->354, 354->311
      APIs
      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 010F7A22
      • GetStdHandle.KERNEL32(000000F6), ref: 010F7A2D
      • GetFileType.KERNEL32(00000000), ref: 010F7A45
      • GetConsoleOutputCP.KERNEL32(00000000), ref: 010F7A57
      • GetConsoleCP.KERNEL32(00000000), ref: 010F7A68
      • GetFileType.KERNEL32(00000000), ref: 010F7BB3
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: ConsoleFileHandleType$Output
      • String ID:
      • API String ID: 393880136-0
      • Opcode ID: 1c32de9d15f159708bd38b5d961365f5dcd54eda81e093a9572b0040ff26d109
      • Instruction ID: 81f0a18a924d8fb7723b13ca2181931cb41785c3be3e58f94b11363f45ee3b26
      • Opcode Fuzzy Hash: 1c32de9d15f159708bd38b5d961365f5dcd54eda81e093a9572b0040ff26d109
      • Instruction Fuzzy Hash: 6151D5705042069AEB61EF68CC867A636E4BF46310F1886ADDFD5CFA86E734C844C763
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 010F90F5
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 010F90FB
      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 010F910E
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 010F9117
      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,010F918E,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 010F9142
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
      • String ID: @$GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 1184211438-79381301
      • Opcode ID: f732834e5e7f0da502752b8091267c80a95e55a87881a6bf853a0bb2ae9fce36
      • Instruction ID: 14e41b5127fdac361f299aec1d1284de41e3a00de68f575ed3d7774fb6f47b60
      • Opcode Fuzzy Hash: f732834e5e7f0da502752b8091267c80a95e55a87881a6bf853a0bb2ae9fce36
      • Instruction Fuzzy Hash: 03117F70D04209AEDB60EBA9CC4BBADB7F8FB40308F4081EDFA94A7941D7759A408B11
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01101800
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID:
      • API String ID: 3997070919-0
      • Opcode ID: 6e56c3a3a8173d835215ec33c23305d4fa96e8c1d44dccba05e5cd5acae5b25e
      • Instruction ID: 3fa5c41787f9482303c2d9e9fd75618475e3b0a884fdfc58afef4accc50e0cab
      • Opcode Fuzzy Hash: 6e56c3a3a8173d835215ec33c23305d4fa96e8c1d44dccba05e5cd5acae5b25e
      • Instruction Fuzzy Hash: F6A18075E00209AFDB2ADFA8D580BAEBBF9BF58310F14411AE505A72C4EBB4D944CB50
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,?), ref: 010F5E42
      • Sleep.KERNEL32(0000000A,00000000,?), ref: 010F5E5C
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 4c1a947d0ac92f98e8122130c667c2b8939e635e6dfd9683c26b736b6cee4a07
      • Instruction ID: c5b61619ef52a07eec1bb297fc24d5250bd9898ee1763dc4ae108c9b2e01748b
      • Opcode Fuzzy Hash: 4c1a947d0ac92f98e8122130c667c2b8939e635e6dfd9683c26b736b6cee4a07
      • Instruction Fuzzy Hash: 2171F4716057008FE76ACF2CDD8675ABBD8AF85310F58C1AED6C48BA96D6B0C845CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1ff3bb0373151f8b37fdb75bba9274126e16039e40f13be5cbd9da6c1d4a5135
      • Instruction ID: 4dfd6ca202640c4ddf4303237592b8e5056bace6b1fbcc4d4a047a1db5dd3b94
      • Opcode Fuzzy Hash: 1ff3bb0373151f8b37fdb75bba9274126e16039e40f13be5cbd9da6c1d4a5135
      • Instruction Fuzzy Hash: D6C125A27107010BE7249A7CDC873AEB6D69BC5321F1C827EE3D4CBBC6DA66C8458750
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 010F97F4: GetCurrentThreadId.KERNEL32 ref: 010F97F7
      • GetTickCount.KERNEL32 ref: 010F939F
      • GetTickCount.KERNEL32 ref: 010F93B7
      • GetCurrentThreadId.KERNEL32 ref: 010F93E6
      • GetTickCount.KERNEL32 ref: 010F9411
      • GetTickCount.KERNEL32 ref: 010F9448
      • GetTickCount.KERNEL32 ref: 010F9472
      • GetCurrentThreadId.KERNEL32 ref: 010F94E2
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: 0f474d3fdcecbe7f6c76d7435ea16f93bb48c0993786b1b1b45095b12ad018a2
      • Instruction ID: fc0df5f4754b6f2cb88570ae8901810cd65a59a6abb701a70c9875f541b6bd55
      • Opcode Fuzzy Hash: 0f474d3fdcecbe7f6c76d7435ea16f93bb48c0993786b1b1b45095b12ad018a2
      • Instruction Fuzzy Hash: ED41A4302083429ED761DF7CC88575EBFD1AFA4358F14896CFAD887A81EB74A4858742
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 010F72B0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,0138CE0C,00000000,00000000,0138CEFC), ref: 010F72D4
      • FindWindowA.USER32(00000000,00000000), ref: 0138CE27
      • ShowWindow.USER32(00000000,00000000,00000000,0138CEFC), ref: 0138CE2D
      • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0138CEFC), ref: 0138CE34
      • GetCurrentProcessId.KERNEL32(0138CEFC), ref: 0138CE66
      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0138CEFC), ref: 0138CE73
      • WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED0
      • CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED9
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Process$HandleModuleWindow$CloseCurrentFileFindMemoryNameOpenShowWrite
      • String ID:
      • API String ID: 3984213049-0
      • Opcode ID: 35feb5ecc0c92d347855624ef96f9da80fcdbdefd555f3208a2cf3a6237b4d3d
      • Instruction ID: c53c40d22e41a3a320ec14c2eea63ba5e2974cc8c7c70f58262b816be56e1177
      • Opcode Fuzzy Hash: 35feb5ecc0c92d347855624ef96f9da80fcdbdefd555f3208a2cf3a6237b4d3d
      • Instruction Fuzzy Hash: 4D313871E0424AAFDB41EFE8C881AEEBBF8EF19214F544155E144FB281D774AA05CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?,013A8B9C,013A8B9C,?,?,01397C40,01101747,01396814), ref: 010FA421
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?,013A8B9C,013A8B9C,?,?,01397C40,01101747), ref: 010FA427
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,01396814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?,013A8B9C), ref: 010FA442
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,01396814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?), ref: 010FA448
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: Error$Runtime error at 00000000
      • API String ID: 3320372497-2970929446
      • Opcode ID: ec9d967fe31e3892847cfdf8ccb3872adae7c37e4f8a9fff05fc2ea7ff69bfa0
      • Instruction ID: a41b34160a111a3d0875251ea500682fc7290b5c77e7ed127192692071780d52
      • Opcode Fuzzy Hash: ec9d967fe31e3892847cfdf8ccb3872adae7c37e4f8a9fff05fc2ea7ff69bfa0
      • Instruction Fuzzy Hash: F7F0F6E1798341B9EA21E3695C0BFA9364CA755F15F98420DF3E85A8C5DBA0A0C44B22
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 010F6312
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 010F6318
      • GetStdHandle.KERNEL32(000000F4,010F5460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 010F6337
      • WriteFile.KERNEL32(00000000,000000F4,010F5460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 010F633D
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,010F5460,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 010F6354
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,010F5460,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 010F635A
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID:
      • API String ID: 3320372497-0
      • Opcode ID: 2cb89ea49a2663b9abf4f22d28597c9000fc85699b714321814a670657043f8c
      • Instruction ID: 5f92b414ff67b182673741a8e4c9e9e780d86d1e37b9370d9ff2cb6250190813
      • Opcode Fuzzy Hash: 2cb89ea49a2663b9abf4f22d28597c9000fc85699b714321814a670657043f8c
      • Instruction Fuzzy Hash: 1C01AFE12082167EE110F2BE9C87FDB2ACCEB19720F00461C739CD74C1C9A19C408776
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000), ref: 010F5ADF
      • Sleep.KERNEL32(0000000A,00000000), ref: 010F5AF5
      • Sleep.KERNEL32(00000000), ref: 010F5B23
      • Sleep.KERNEL32(0000000A,00000000), ref: 010F5B39
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 73468eb8f0bec9cccabfc7743d4b9196b4059544b7f3693f51000727730923bc
      • Instruction ID: 228227ca41de81d11ccfde1b1b7ffe9fd18c3fbc375a5ffad5a06b3966a4db54
      • Opcode Fuzzy Hash: 73468eb8f0bec9cccabfc7743d4b9196b4059544b7f3693f51000727730923bc
      • Instruction Fuzzy Hash: A8C123B26013118FE725CF2DEC9675ABFE4AB85310F4C82ADD6958BBC9D3B09445CB81
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 010FD8E5
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 010FD943
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 010FD9A0
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 010FD9D3
        • Part of subcall function 010FD890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,010FD951), ref: 010FD8A7
        • Part of subcall function 010FD890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,010FD951), ref: 010FD8C4
      Memory Dump Source
      • Source File: 00000000.00000002.2446475963.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
      • Associated: the same thirteen dump files (010F0000 through 013B4000 .sdmp) listed for the preceding function
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_10f0000_loaddll32.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: c9828fd8f421f8c48567498fd53e538064ee0894c58831d4fffaa27ec3a8066e
      • Instruction ID: baf10b3304572c377f50e322da6977adab9af7a408e463374764fb9a74722bda
      • Opcode Fuzzy Hash: c9828fd8f421f8c48567498fd53e538064ee0894c58831d4fffaa27ec3a8066e
      • Instruction Fuzzy Hash: 18318C30E0421AABDB10DFE8C882AEEB7F9FF04310F4045AAD695E7691DB749A05CB51
      Uniqueness

      Uniqueness Score: -1.00%
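
      Every "APIs" entry above uses the same line format: an optional "Part of subcall function XXXXXXXX:" prefix, then API.MODULE(args), ref: address. The Python below is an added example, not part of the Joe Sandbox report or its tooling, that parses that format and flags the patterns a triager would pull out of this listing: an OpenProcess whose first argument is 001FFFFF (PROCESS_ALL_ACCESS) followed in the same function by WriteProcessMemory (the 0138CE73/0138CED0 function), three GetTickCount reads inside one function (the 010F939F function, a timing check), and GetStdHandle with 000000F5, which is assumed here to be the low byte of STD_OUTPUT_HANDLE (0xFFFFFFF5) as printed by the IDA plugin (the "Runtime error at" function). The sample text is copied from this page's own listing; the 0x00400000 rebasing assumes the execution graph below uses the image's preferred base (its 69ce24 node lines up with the 0138CE27 FindWindowA reference, a delta of 0xCF0000). The pid passed to OpenProcess is not resolved in the listing, so nothing here claims the write targets the current process.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: three "APIs" sections copied from this report's listing.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 010F72B0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,0138CE0C,00000000,00000000,0138CEFC), ref: 010F72D4
• FindWindowA.USER32(00000000,00000000), ref: 0138CE27
• ShowWindow.USER32(00000000,00000000,00000000,0138CEFC), ref: 0138CE2D
• GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0138CEFC), ref: 0138CE34
• GetCurrentProcessId.KERNEL32(0138CEFC), ref: 0138CE66
• OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0138CEFC), ref: 0138CE73
• WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED0
• CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0138CEFC), ref: 0138CED9
APIs
  • Part of subcall function 010F97F4: GetCurrentThreadId.KERNEL32 ref: 010F97F7
• GetTickCount.KERNEL32 ref: 010F939F
• GetTickCount.KERNEL32 ref: 010F93B7
• GetCurrentThreadId.KERNEL32 ref: 010F93E6
• GetTickCount.KERNEL32 ref: 010F9411
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?,013A8B9C,013A8B9C,?,?,01397C40,01101747,01396814), ref: 010FA421
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,01396814,00000000,?,010FA4A6,?,?,013A8B9C,013A8B9C,?,?,01397C40,01101747), ref: 010FA427
"""

PROCESS_ALL_ACCESS = 0x001FFFFF          # documented Win32 value
LOAD_BASE = 0x010F0000                   # "Memory Dump Source ... Offset: 010F0000"
PREFERRED_BASE = 0x00400000              # assumption: base used by the execution graph
# Assumption: the plugin prints only the low byte of the STD_*_HANDLE pseudo-handles.
STD_HANDLES = {0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}

API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"              # GetTickCount lines carry no argument list
    r"\s*,?\s*ref: (?P<ref>[0-9A-F]{8})"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                            # int for 8-digit hex, None for "?", else raw text
    ref: int
    subcall_of: Optional[int] = None


def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX8.match(tok) else tok


def parse_listing(text: str) -> list[list[ApiCall]]:
    """Split the listing on 'APIs' headers; one inner list of calls per function."""
    functions: list[list[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = API_LINE.search(line)
        if not m or not functions:
            continue
        args = [_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        functions[-1].append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return functions


def rebase(addr: int, from_base: int = LOAD_BASE, to_base: int = PREFERRED_BASE) -> int:
    """Translate a listing address (load base) to the execution graph's base."""
    return addr - from_base + to_base


def analyse(calls: list[ApiCall]) -> list[str]:
    """Return human-readable findings for one function's call sequence."""
    findings: list[str] = []
    names = [c.api for c in calls]
    for i, c in enumerate(calls):
        if (c.api == "OpenProcess" and c.args and c.args[0] == PROCESS_ALL_ACCESS
                and "WriteProcessMemory" in names[i + 1:]):
            findings.append(f"{c.ref:08X}: OpenProcess(PROCESS_ALL_ACCESS) then WriteProcessMemory "
                            "(cross-process write; target pid unresolved in listing)")
        if c.api == "GetStdHandle" and c.args and c.args[0] in STD_HANDLES:
            findings.append(f"{c.ref:08X}: GetStdHandle({STD_HANDLES[c.args[0]]})")
    ticks = [c for c in calls if c.api == "GetTickCount"]
    if len(ticks) >= 2:
        findings.append(f"{ticks[0].ref:08X}: {len(ticks)} GetTickCount calls in one function (timing check)")
    return findings


if __name__ == "__main__":
    for fn in parse_listing(SAMPLE_LISTING):
        for f in analyse(fn):
            print(f)
```

      Run it on a full report by pasting the "APIs" blocks into SAMPLE_LISTING; only 8-digit hex arguments are decoded, everything else (strings, "?") is kept as is, so the pid and handle arguments that the plugin could not resolve stay visibly unresolved.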

      Execution Graph

      Execution Coverage: 4%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 237
      Total number of Limit Nodes: 12
      execution_graph 6387 40d1b4 6388 40d1c4 GetModuleFileNameW 6387->6388 6389 40d1e0 6387->6389 6391 40e428 GetModuleFileNameW 6388->6391 6392 40e476 6391->6392 6397 40e304 6392->6397 6394 40e4a2 6395 40e4b4 LoadLibraryExW 6394->6395 6396 40e4bc 6394->6396 6395->6396 6396->6389 6401 40e325 6397->6401 6398 40e3ad 6398->6394 6400 40e39a 6402 40e3a0 6400->6402 6403 40e3af GetUserDefaultUILanguage 6400->6403 6401->6398 6415 40e040 6401->6415 6404 40e16c 2 API calls 6402->6404 6421 40d9f0 EnterCriticalSection 6403->6421 6404->6398 6406 40e3bc 6441 40e16c 6406->6441 6408 40e3c9 6409 40e3f1 6408->6409 6410 40e3d7 GetSystemDefaultUILanguage 6408->6410 6409->6398 6445 40e238 6409->6445 6412 40d9f0 17 API calls 6410->6412 6413 40e3e4 6412->6413 6414 40e16c 2 API calls 6413->6414 6414->6409 6416 40e062 6415->6416 6420 40e074 6415->6420 6453 40dd24 6416->6453 6418 40e06c 6474 40e0a4 6418->6474 6420->6400 6422 40da3c LeaveCriticalSection 6421->6422 6423 40da1c 6421->6423 6551 40a750 6422->6551 6425 40da2d LeaveCriticalSection 6423->6425 6435 40dade 6425->6435 6426 40da4d IsValidLocale 6427 40daab EnterCriticalSection 6426->6427 6428 40da5c 6426->6428 6431 40dac3 6427->6431 6429 40da70 6428->6429 6430 40da65 6428->6430 6566 40d6d8 6429->6566 6553 40d8d4 GetThreadUILanguage 6430->6553 6436 40dad4 LeaveCriticalSection 6431->6436 6434 40da79 GetSystemDefaultUILanguage 6434->6427 6437 40da83 6434->6437 6435->6406 6436->6435 6438 40da94 GetSystemDefaultUILanguage 6437->6438 6439 40d6d8 3 API calls 6438->6439 6440 40da6e 6439->6440 6440->6427 6443 40e18a 6441->6443 6442 40e205 6442->6408 6443->6442 6575 40e100 6443->6575 6580 40a834 6445->6580 6448 40e288 6449 40e100 2 API calls 6448->6449 6450 40e29c 6449->6450 6451 40e2ca 6450->6451 6452 40e100 2 API calls 6450->6452 6451->6398 6452->6451 6454 40dd3b 6453->6454 6455 40dd4f GetModuleFileNameW 6454->6455 6456 40dd64 6454->6456 6455->6456 6457 40dd8c RegOpenKeyExW 6456->6457 6463 40df33 6456->6463 6458 40ddb3 RegOpenKeyExW 
6457->6458 6459 40de4d 6457->6459 6458->6459 6461 40ddd1 RegOpenKeyExW 6458->6461 6480 40db34 GetModuleHandleW 6459->6480 6461->6459 6464 40ddef RegOpenKeyExW 6461->6464 6462 40de6b RegQueryValueExW 6465 40de89 6462->6465 6466 40debc RegQueryValueExW 6462->6466 6463->6418 6464->6459 6467 40de0d RegOpenKeyExW 6464->6467 6470 40de91 RegQueryValueExW 6465->6470 6468 40ded8 6466->6468 6473 40deba 6466->6473 6467->6459 6469 40de2b RegOpenKeyExW 6467->6469 6471 40dee0 RegQueryValueExW 6468->6471 6469->6459 6469->6463 6470->6473 6471->6473 6472 40df22 RegCloseKey 6472->6418 6473->6472 6475 40e0b2 6474->6475 6477 40e0bc 6474->6477 6496 405dac 6475->6496 6479 40e0d9 6477->6479 6516 405a28 6477->6516 6479->6420 6481 40db5c GetProcAddress 6480->6481 6482 40db6d 6480->6482 6481->6482 6484 40db83 6482->6484 6488 40dbcf 6482->6488 6492 40db10 6482->6492 6484->6462 6486 40db10 CharNextW 6486->6488 6487 40db10 CharNextW 6487->6488 6488->6484 6488->6487 6489 40dc54 FindFirstFileW 6488->6489 6491 40dcbe lstrlenW 6488->6491 6489->6484 6490 40dc70 FindClose lstrlenW 6489->6490 6490->6484 6490->6488 6491->6488 6493 40db1e 6492->6493 6494 40db2c 6493->6494 6495 40db16 CharNextW 6493->6495 6494->6484 6494->6486 6495->6493 6497 405dc1 6496->6497 6498 405ea4 6496->6498 6500 405dc7 6497->6500 6504 405e3e Sleep 6497->6504 6499 405838 6498->6499 6498->6500 6502 405f9e 6499->6502 6540 405788 6499->6540 6501 405dd0 6500->6501 6505 405e82 Sleep 6500->6505 6510 405eb9 6500->6510 6501->6477 6502->6477 6504->6500 6507 405e58 Sleep 6504->6507 6508 405e98 Sleep 6505->6508 6505->6510 6507->6497 6508->6500 6509 40585f VirtualFree 6514 405870 6509->6514 6512 405f38 VirtualFree 6510->6512 6515 405edc 6510->6515 6511 405882 VirtualQuery VirtualFree 6513 405879 6511->6513 6511->6514 6512->6477 6513->6511 6513->6514 6514->6477 6515->6477 6517 405c88 6516->6517 6524 405a40 6516->6524 6518 405da0 6517->6518 6523 405c4c 6517->6523 6519 4057d4 VirtualAlloc 6518->6519 6520 405da9 6518->6520 6526 40580f 
6519->6526 6527 4057ff 6519->6527 6520->6479 6521 405a61 6521->6479 6522 405a52 6522->6521 6530 405b40 6522->6530 6535 405b21 Sleep 6522->6535 6525 405ca6 6523->6525 6528 405c66 Sleep 6523->6528 6524->6522 6532 405add Sleep 6524->6532 6533 40570c VirtualAlloc 6525->6533 6537 405cc4 6525->6537 6526->6479 6529 405788 2 API calls 6527->6529 6528->6525 6531 405c7c Sleep 6528->6531 6529->6526 6539 405b4c 6530->6539 6545 40570c 6530->6545 6531->6523 6532->6522 6534 405af3 Sleep 6532->6534 6533->6537 6534->6524 6535->6530 6536 405b37 Sleep 6535->6536 6536->6522 6537->6479 6539->6479 6541 4057d0 6540->6541 6542 405791 6540->6542 6541->6509 6541->6513 6542->6541 6543 40579c Sleep 6542->6543 6543->6541 6544 4057b6 Sleep 6543->6544 6544->6542 6549 4056a0 6545->6549 6547 405715 VirtualAlloc 6548 40572c 6547->6548 6548->6539 6550 405640 6549->6550 6550->6547 6552 40a756 6551->6552 6552->6426 6554 40d8f0 6553->6554 6555 40d949 6553->6555 6571 40d890 GetThreadPreferredUILanguages 6554->6571 6557 40d890 2 API calls 6555->6557 6563 40d951 6557->6563 6559 40d998 SetThreadPreferredUILanguages 6561 40d890 2 API calls 6559->6561 6562 40d9ae 6561->6562 6564 40d9c9 SetThreadPreferredUILanguages 6562->6564 6565 40d9d9 6562->6565 6563->6559 6563->6565 6564->6565 6565->6440 6567 40d713 6566->6567 6568 40d77c IsValidLocale 6567->6568 6570 40d7ca 6567->6570 6569 40d78f GetLocaleInfoW GetLocaleInfoW 6568->6569 6568->6570 6569->6570 6570->6434 6572 40d8b1 6571->6572 6573 40d8ca SetThreadPreferredUILanguages 6571->6573 6574 40d8ba GetThreadPreferredUILanguages 6572->6574 6573->6555 6574->6573 6576 40e115 6575->6576 6577 40e132 FindFirstFileW 6576->6577 6578 40e142 FindClose 6577->6578 6579 40e148 6577->6579 6578->6579 6579->6443 6581 40a838 GetUserDefaultUILanguage GetLocaleInfoW 6580->6581 6581->6448 6582 405a28 6583 405c88 6582->6583 6590 405a40 6582->6590 6584 405da0 6583->6584 6589 405c4c 6583->6589 6585 4057d4 VirtualAlloc 6584->6585 6586 405da9 6584->6586 6592 40580f 6585->6592 6593 4057ff 
6585->6593 6587 405a61 6588 405a52 6588->6587 6596 405b40 6588->6596 6601 405b21 Sleep 6588->6601 6591 405ca6 6589->6591 6594 405c66 Sleep 6589->6594 6590->6588 6598 405add Sleep 6590->6598 6599 40570c VirtualAlloc 6591->6599 6603 405cc4 6591->6603 6595 405788 2 API calls 6593->6595 6594->6591 6597 405c7c Sleep 6594->6597 6595->6592 6604 40570c VirtualAlloc 6596->6604 6605 405b4c 6596->6605 6597->6589 6598->6588 6600 405af3 Sleep 6598->6600 6599->6603 6600->6590 6601->6596 6602 405b37 Sleep 6601->6602 6602->6588 6604->6605 6606 6a6804 6614 4116fc 6606->6614 6611 6a6824 6621 69cde4 6611->6621 6613 6a6829 6615 411707 6614->6615 6627 40a134 6615->6627 6618 69cf1c 6659 69cf08 GetUserDefaultLCID 6618->6659 6620 69cf27 6620->6611 6620->6613 6660 4072b0 6621->6660 6623 69ce0c 6624 69ce24 FindWindowA ShowWindow GetModuleHandleW GetCurrentProcessId OpenProcess 6623->6624 6625 69ce81 WriteProcessMemory CloseHandle 6624->6625 6626 69cede 6624->6626 6625->6626 6626->6613 6628 40a143 6627->6628 6629 40a148 GetCurrentThreadId 6627->6629 6628->6629 6630 40a17e 6629->6630 6631 40a480 6630->6631 6632 40a1f1 6630->6632 6634 40a49c 6631->6634 6635 40a4ad 6631->6635 6646 40a0c8 6632->6646 6650 40a3e8 6634->6650 6636 40a4b6 GetCurrentThreadId 6635->6636 6640 40a4c3 6635->6640 6636->6640 6639 40a4a6 6639->6635 6641 406ff4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6640->6641 6642 40a553 FreeLibrary 6640->6642 6643 40a57b 6640->6643 6641->6640 6642->6640 6644 40a584 6643->6644 6645 40a58a ExitProcess 6643->6645 6644->6645 6647 40a110 CoInitialize 6646->6647 6648 40a0d8 6646->6648 6647->6618 6648->6647 6656 41003c GetSystemInfo 6648->6656 6651 40a44f 6650->6651 6653 40a3f2 GetStdHandle WriteFile 6650->6653 6651->6639 6657 40af50 6653->6657 6655 40a43f GetStdHandle WriteFile 6655->6639 6656->6648 6658 40af56 6657->6658 6658->6655 6659->6620 6661 4072c4 6660->6661 6662 4072e6 GetCommandLineW 6661->6662 6663 4072c8 GetModuleFileNameW 6661->6663 6664 4072e4 6662->6664 6663->6664 6664->6623

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E26A
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E273
        • Part of subcall function 0040E100: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
        • Part of subcall function 0040E100: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction ID: 28d3534d03da62792b10c904a4318156777dd031835c1a9ea2f19a665f1be834
      • Opcode Fuzzy Hash: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction Fuzzy Hash: 08114570A042099BDB04EFA6C952AAEB3B8EF45304F5044BEF504B73C1DB789E15CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 222 40e100-40e140 call 40a834 call 40b24c FindFirstFileW 227 40e142-40e143 FindClose 222->227 228 40e148-40e15d call 40a750 222->228 227->228
      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
      • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction ID: 56f2b90e81b5c8edb50ad5567bfaa682a622e3270deca986461dceb52667ff6f
      • Opcode Fuzzy Hash: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction Fuzzy Hash: 9DF05E71900608AEC720FBB6CD5295EB7ACEB483147A109B6B404F66D1E7389E209958
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040DF49,?,?), ref: 0040DD5D
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDA6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDC8
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040DDE6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040DE04
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040DE22
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040DE40
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49), ref: 0040DE80
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001), ref: 0040DEAB
      • RegCloseKey.ADVAPI32(?,0040DF33,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales), ref: 0040DF26
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction ID: 1673f75d9ce236f1382a5bb3be95f5d58a4b5f9b2541baf46879199abf1317e9
      • Opcode Fuzzy Hash: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction Fuzzy Hash: 9E510275A40609BEEB10EAD5CC46FAE73BCDB08704F6044BBB605F61C1D678A944CA6D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000,00000000), ref: 0040DA0E
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA32
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA41
      • IsValidLocale.KERNEL32(00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DA53
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAB0
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAD9
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-GB,en,en-US,
      • API String ID: 975949045-3021119265
      • Opcode ID: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction ID: d21c8168fba803f94385bdecea8a5f36267ba655c33cd6148cba17b487a9e3d3
      • Opcode Fuzzy Hash: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction Fuzzy Hash: 7D2192A0B056145FD711B7FA8C4265A365ADB45708B91457BB000BB2C6CFBC8D45CBBE
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 67 40a134-40a141 68 40a143 67->68 69 40a148-40a17c GetCurrentThreadId 67->69 68->69 70 40a180-40a1ac call 40a018 69->70 71 40a17e 69->71 74 40a1b5-40a1bc 70->74 75 40a1ae-40a1b0 70->75 71->70 77 40a1c6-40a1cc 74->77 78 40a1be-40a1c1 74->78 75->74 76 40a1b2 75->76 76->74 79 40a1d1-40a1d8 77->79 80 40a1ce 77->80 78->77 81 40a1e7-40a1eb 79->81 82 40a1da-40a1e1 79->82 80->79 83 40a480-40a49a 81->83 84 40a1f1-40a1f6 call 40a0c8 81->84 82->81 86 40a49c-40a4a8 call 40a360 call 40a3e8 83->86 87 40a4ad-40a4b4 83->87 86->87 88 40a4b6-40a4c1 GetCurrentThreadId 87->88 89 40a4d7-40a4db 87->89 88->89 92 40a4c3-40a4d2 call 40a038 call 40a3bc 88->92 93 40a4f5-40a4f9 89->93 94 40a4dd-40a4e1 89->94 92->89 98 40a505-40a509 93->98 99 40a4fb-40a4fe 93->99 94->93 97 40a4e3-40a4f3 94->97 97->93 103 40a528-40a531 call 40a060 98->103 104 40a50b-40a514 call 406ff4 98->104 99->98 102 40a500-40a502 99->102 102->98 113 40a533-40a536 103->113 114 40a538-40a53d 103->114 104->103 112 40a516-40a526 call 4088e4 call 406ff4 104->112 112->103 113->114 116 40a559-40a564 call 40a038 113->116 114->116 117 40a53f-40a54d call 40e65c 114->117 124 40a566 116->124 125 40a569-40a56d 116->125 117->116 127 40a54f-40a551 117->127 124->125 128 40a576-40a579 125->128 129 40a56f-40a571 call 40a3bc 125->129 127->116 130 40a553-40a554 FreeLibrary 127->130 132 40a592-40a5a3 128->132 133 40a57b-40a582 128->133 129->128 130->116 132->93 134 40a584 133->134 135 40a58a-40a58d ExitProcess 133->135 134->135
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0040A16B
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: Q@
      • API String ID: 2882836952-827177241
      • Opcode ID: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction ID: 781f18a19abcf40cf44b1ee7d294638a41a04d59b97bcd06910df213058bb242
      • Opcode Fuzzy Hash: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction Fuzzy Hash: C8518EB46003059FDB24EF6AC88875B77E5AB19314F14857FE805AB292C77CD894CB1A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID: MZP
      • API String ID: 1159719554-2889622443
      • Opcode ID: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction ID: 8b0ddcd5631d6391d412feb92a5e48b4c884d5e368d3e2e335997cb5982417f9
      • Opcode Fuzzy Hash: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction Fuzzy Hash: BF118230A4061C9BDB10EB65C886BDE73B8DB04304F5144FEB508B32D1DB785F848EA9
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 152 40d1b4-40d1c2 153 40d1c4-40d1db GetModuleFileNameW call 40e428 152->153 154 40d1ef-40d1fa 152->154 156 40d1e0-40d1e7 153->156 156->154 157 40d1e9-40d1ec 156->157 157->154
      APIs
      • GetModuleFileNameW.KERNEL32(MZP,?,0000020A), ref: 0040D1D2
        • Part of subcall function 0040E428: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
        • Part of subcall function 0040E428: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID: MZP
      • API String ID: 4113206344-2889622443
      • Opcode ID: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction ID: 7d7c94543843ebaf992f1e55d63de1191d90912a4012a3754dc0aeace693fc51
      • Opcode Fuzzy Hash: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction Fuzzy Hash: 84E06D71A003108BCB10DE98C8C5A4737D4AF08714F0009A6AC18DF387E774DD248BE5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 158 40e304-40e346 call 40a834 * 2 call 40a750 165 40e400-40e41a call 40a7b0 158->165 166 40e34c-40e35c call 40ab78 158->166 172 40e363-40e368 166->172 173 40e35e-40e361 166->173 174 40e36a-40e373 172->174 175 40e38f-40e39e call 40e040 172->175 173->172 177 40e375-40e388 call 40b628 174->177 178 40e38a-40e38d 174->178 182 40e3a0-40e3ad call 40e16c 175->182 183 40e3af-40e3cc GetUserDefaultUILanguage call 40d9f0 call 40e16c 175->183 177->175 178->174 178->175 182->165 190 40e3f1-40e3f4 183->190 191 40e3ce-40e3d5 183->191 190->165 192 40e3f6-40e3fb call 40e238 190->192 191->190 193 40e3d7-40e3ec GetSystemDefaultUILanguage call 40d9f0 call 40e16c 191->193 192->165 193->190
      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3AF
      • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3D7
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction ID: 9683e73c6c0abcf4b746f8888c172bfa536fcfe37ae3f08e60084418d48e7ebc
      • Opcode Fuzzy Hash: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction Fuzzy Hash: 7C310170A10219DFDB10EBA6C881BAEB7B5EF44304F50497BE800B72D2D7789D95CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 232 6a6804-6a681b call 4116fc CoInitialize call 69cf1c 236 6a6820-6a6822 232->236 237 6a6829-6a6830 call 40a480 236->237 238 6a6824 call 69cde4 236->238 238->237
      APIs
      • CoInitialize.OLE32(00000000), ref: 006A6816
        • Part of subcall function 0069CDE4: FindWindowA.USER32(00000000,00000000), ref: 0069CE27
        • Part of subcall function 0069CDE4: ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
        • Part of subcall function 0069CDE4: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
        • Part of subcall function 0069CDE4: GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
        • Part of subcall function 0069CDE4: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
        • Part of subcall function 0069CDE4: WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
        • Part of subcall function 0069CDE4: CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleWindow$CloseCurrentFindInitializeMemoryModuleOpenShowWrite
      • String ID:
      • API String ID: 866042729-0
      • Opcode ID: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction ID: 8ee61a971f8ed6d7737626084e6d53a6920c98cf0355f7440c56fb86b9d06e2e
      • Opcode Fuzzy Hash: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction Fuzzy Hash: 4DD0120050434106C94037FB190379A3A4E0F02368F08017BB954DB7D7DD8D991541FF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 242 41003c-41004c GetSystemInfo
      APIs
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction ID: 40e128d564f27c1df9189ac710c0684b370c18922a3c8b57750d9bcb46e27ff2
      • Opcode Fuzzy Hash: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction Fuzzy Hash: B2A012104088000AC404A7194C4340F32805D41114FC40368749CB52C2E61985644BDF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 243 40570c-40572a call 4056a0 VirtualAlloc 246 40577a-405785 243->246 247 40572c-405779 243->247
      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405D23,FFFFFFDC,004059F6), ref: 00405723
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction ID: 3f211e621d06bbfd93bf5e4038dd372af13e1d8d3e47f4f6d791379e334aaa67
      • Opcode Fuzzy Hash: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction Fuzzy Hash: 18F019F2A012114BDB149F78D945B427AD6E748354B11827EF909FB695D7B888418B84
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 0040DB51
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040DB62
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 0040DC62
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 0040DC74
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 0040DC80
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 0040DCC5
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction ID: 3a66766b1a2f5ebb02d859c4633afff12ee1ea1894cab7932bbfdd16adf4ed9c
      • Opcode Fuzzy Hash: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction Fuzzy Hash: 7B41C271E006189BDB10EBD8CC85ADEB3B5EF44300F5485BAD804F72C5E7B8AE49CA49
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 299 407974-407bdd (edge list omitted; the blocks of this function call GetStdHandle, GetFileType, GetConsoleOutputCP, GetConsoleCP, CreateFileW, GetLastError, GetFileSize, SetFilePointer, ReadFile, SetEndOfFile and subroutine 40795c)
      APIs
      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 00407A22
      • GetStdHandle.KERNEL32(000000F6), ref: 00407A2D
      • GetFileType.KERNEL32(00000000), ref: 00407A45
      • GetConsoleOutputCP.KERNEL32(00000000), ref: 00407A57
      • GetConsoleCP.KERNEL32(00000000), ref: 00407A68
      • GetFileType.KERNEL32(00000000), ref: 00407BB3
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: ConsoleFileHandleType$Output
      • String ID:
      • API String ID: 393880136-0
      • Opcode ID: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction ID: 30289f512e7bf1b7cb34ce6aac11ef24264cbf54aec5bb3a909e88f5c38db94a
      • Opcode Fuzzy Hash: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction Fuzzy Hash: 10519670E0821196EB10AF65888876736A4EF45318F14867BE905BF2C6E77CFC418B6F
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00411800
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID: T|j$t|j
      • API String ID: 3997070919-3083990741
      • Opcode ID: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction ID: d5dd79b9b552fdc03a2ab43394edbffd5d5b1b05cd2b1dd8b0c60eaa66e5cf02
      • Opcode Fuzzy Hash: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction Fuzzy Hash: 00A161B59002099FDB10DFA9D891BEEBBF5FF48310F10811AE615A73A0EB74A9C4CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004072B0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,0069CE0C,00000000,00000000,0069CEFC), ref: 004072D4
      • FindWindowA.USER32(00000000,00000000), ref: 0069CE27
      • ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
      • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
      • GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
      • WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
      • CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleModuleWindow$CloseCurrentFileFindMemoryNameOpenShowWrite
      • String ID: )hj
      • API String ID: 3984213049-3365850516
      • Opcode ID: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction ID: 1b617b1f081cfb87ec44673049fe2d1cca7a79426b3064f672e4726a263717ac
      • Opcode Fuzzy Hash: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction Fuzzy Hash: 24312871E042499FDB00DFF9C882AEEBBF8EF49314F50416AE114F7281D634AA45CB65
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004090F5
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090FB
      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 0040910E
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409117
      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,0040918E,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409142
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
      • String ID: @$GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 1184211438-79381301
      • Opcode ID: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction ID: 89cfa98a069330e8236ef271302e03ab3a445760a3001fe59fa097df563e4f53
      • Opcode Fuzzy Hash: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction Fuzzy Hash: 7A114570E04609AEEB10EBA5D849A5EB7B9DB44304F5085BBF814BB2C2D67C9E408F59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00406312
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00406318
      • GetStdHandle.KERNEL32(000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406337
      • WriteFile.KERNEL32(00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040633D
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406354
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 0040635A
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: `T@
      • API String ID: 3320372497-530435058
      • Opcode ID: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction ID: 6d0ca2db81dbab3755941434efdbfc046d46aff50fd6c8f7007ffdffb872457a
      • Opcode Fuzzy Hash: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction Fuzzy Hash: EF0186F12087103EE600B67B9D86F5B268CDB09768F10063A7618FA0D2C57C9C418B7A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,?,?,00000000,00405A1E), ref: 00405E42
      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405A1E), ref: 00405E5C
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction ID: c4469594b470b865f1642b59d964024665ff5604766939db138d5a73fbbf0ef9
      • Opcode Fuzzy Hash: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction Fuzzy Hash: EF71C172605B008FEB15DB29C984727BBD4EB85314F18C27FE884AB3D2D6B88941CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction ID: 81f4691e347223e406ef7b1e8a498026a848fa64952474416199e4cf9fbec979
      • Opcode Fuzzy Hash: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction Fuzzy Hash: BEC100A2710A004BDB14AA6DDC8536BB286DBC4325F19823FF615EB3D6DA7CCC458B58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004097F4: GetCurrentThreadId.KERNEL32 ref: 004097F7
      • GetTickCount.KERNEL32 ref: 0040939F
      • GetTickCount.KERNEL32 ref: 004093B7
      • GetCurrentThreadId.KERNEL32 ref: 004093E6
      • GetTickCount.KERNEL32 ref: 00409411
      • GetTickCount.KERNEL32 ref: 00409448
      • GetTickCount.KERNEL32 ref: 00409472
      • GetCurrentThreadId.KERNEL32 ref: 004094E2
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction ID: 7b880953a4aa2c8bbecb6bcd19a3254470beb066c8f2509cda68c75541b3e4c7
      • Opcode Fuzzy Hash: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction Fuzzy Hash: 70414B3120C7419ED721AE7CC48431BBBD1AB84354F14897EE8D9A73C3E7789C829B56
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747,006A6814), ref: 0040A421
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747), ref: 0040A427
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C), ref: 0040A442
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?), ref: 0040A448
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: Error$Runtime error at 00000000
      • API String ID: 3320372497-2970929446
      • Opcode ID: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction ID: 4fc56a2188866e669887ee9220089279a8b6405ca6482420f7ade7e3a18fb3d6
      • Opcode Fuzzy Hash: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction Fuzzy Hash: 24F0A9A1A8834478EB10B3668C0EF6B22999740B14F50223FB310B90D2C7FC98C08E2E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,FFFFFFDC,004059F6), ref: 00405ADF
      • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,004059F6), ref: 00405AF5
      • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,004059F6), ref: 00405B23
      • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,004059F6), ref: 00405B39
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction ID: ad550f8c0c7d09b6c462ac94dd9e24e91e455ab99917dd16c23bac2c9dd5ccf4
      • Opcode Fuzzy Hash: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction Fuzzy Hash: 33C1F6B2601B118FDB15CF29D884727BBA1EB85310F18827FE415AB3D5D7B8A881CF95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040D8E5
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040D943
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040D9A0
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040D9D3
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040D951), ref: 0040D8A7
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040D951), ref: 0040D8C4
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction ID: 5fcc8e5a48e46c6ce1fc6056201c55695d2f12a30709e1edab39e047bba2382d
      • Opcode Fuzzy Hash: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction Fuzzy Hash: DA314FB1E0011A9BDB10EBE9C885AAFB7B9FF04314F00457AE551F7291DB789A48CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00409C36
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction ID: 85e2221f4e687e19dee718121c1a3824eb1d5c310de91a6583c76a6122328412
      • Opcode Fuzzy Hash: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction Fuzzy Hash: 34418D70A082419FE724DB14D984F67B7E5FB84324F14856AE449AB3A2C738EC81CB69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00409AA2
      • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009A38), ref: 00409ADF
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.1314686075.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000005.00000002.1314641569.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315136350.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315207930.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315263156.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315315570.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315370459.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315414139.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315491751.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315533883.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315584134.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315647556.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315698089.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315739908.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000005.00000002.1315780856.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction ID: c2068604784093e2f7711804bf7866461b0e9479efabc809ad64dbe8b969e22d
      • Opcode Fuzzy Hash: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction Fuzzy Hash: FD3161B0604341AFDB10EB15D984F27BBFAEB84764F14856EF44897292C738FC40CA69
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage:4%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:0%
      Total number of Nodes:237
      Total number of Limit Nodes:12
      execution_graph 6387 40d1b4 6388 40d1c4 GetModuleFileNameW 6387->6388 6389 40d1e0 6387->6389 6391 40e428 GetModuleFileNameW 6388->6391 6392 40e476 6391->6392 6397 40e304 6392->6397 6394 40e4a2 6395 40e4b4 LoadLibraryExW 6394->6395 6396 40e4bc 6394->6396 6395->6396 6396->6389 6401 40e325 6397->6401 6398 40e3ad 6398->6394 6400 40e39a 6402 40e3a0 6400->6402 6403 40e3af GetUserDefaultUILanguage 6400->6403 6401->6398 6415 40e040 6401->6415 6404 40e16c 2 API calls 6402->6404 6421 40d9f0 EnterCriticalSection 6403->6421 6404->6398 6406 40e3bc 6441 40e16c 6406->6441 6408 40e3c9 6409 40e3f1 6408->6409 6410 40e3d7 GetSystemDefaultUILanguage 6408->6410 6409->6398 6445 40e238 6409->6445 6412 40d9f0 17 API calls 6410->6412 6413 40e3e4 6412->6413 6414 40e16c 2 API calls 6413->6414 6414->6409 6416 40e062 6415->6416 6420 40e074 6415->6420 6453 40dd24 6416->6453 6418 40e06c 6474 40e0a4 6418->6474 6420->6400 6422 40da3c LeaveCriticalSection 6421->6422 6423 40da1c 6421->6423 6551 40a750 6422->6551 6425 40da2d LeaveCriticalSection 6423->6425 6435 40dade 6425->6435 6426 40da4d IsValidLocale 6427 40daab EnterCriticalSection 6426->6427 6428 40da5c 6426->6428 6431 40dac3 6427->6431 6429 40da70 6428->6429 6430 40da65 6428->6430 6566 40d6d8 6429->6566 6553 40d8d4 GetThreadUILanguage 6430->6553 6436 40dad4 LeaveCriticalSection 6431->6436 6434 40da79 GetSystemDefaultUILanguage 6434->6427 6437 40da83 6434->6437 6435->6406 6436->6435 6438 40da94 GetSystemDefaultUILanguage 6437->6438 6439 40d6d8 3 API calls 6438->6439 6440 40da6e 6439->6440 6440->6427 6443 40e18a 6441->6443 6442 40e205 6442->6408 6443->6442 6575 40e100 6443->6575 6580 40a834 6445->6580 6448 40e288 6449 40e100 2 API calls 6448->6449 6450 40e29c 6449->6450 6451 40e2ca 6450->6451 6452 40e100 2 API calls 6450->6452 6451->6398 6452->6451 6454 40dd3b 6453->6454 6455 40dd4f GetModuleFileNameW 6454->6455 6456 40dd64 6454->6456 6455->6456 6457 40dd8c RegOpenKeyExW 6456->6457 6463 40df33 6456->6463 6458 40ddb3 RegOpenKeyExW 
6457->6458 6459 40de4d 6457->6459 6458->6459 6461 40ddd1 RegOpenKeyExW 6458->6461 6480 40db34 GetModuleHandleW 6459->6480 6461->6459 6464 40ddef RegOpenKeyExW 6461->6464 6462 40de6b RegQueryValueExW 6465 40de89 6462->6465 6466 40debc RegQueryValueExW 6462->6466 6463->6418 6464->6459 6467 40de0d RegOpenKeyExW 6464->6467 6470 40de91 RegQueryValueExW 6465->6470 6468 40ded8 6466->6468 6473 40deba 6466->6473 6467->6459 6469 40de2b RegOpenKeyExW 6467->6469 6471 40dee0 RegQueryValueExW 6468->6471 6469->6459 6469->6463 6470->6473 6471->6473 6472 40df22 RegCloseKey 6472->6418 6473->6472 6475 40e0b2 6474->6475 6477 40e0bc 6474->6477 6496 405dac 6475->6496 6479 40e0d9 6477->6479 6516 405a28 6477->6516 6479->6420 6481 40db5c GetProcAddress 6480->6481 6482 40db6d 6480->6482 6481->6482 6484 40db83 6482->6484 6488 40dbcf 6482->6488 6492 40db10 6482->6492 6484->6462 6486 40db10 CharNextW 6486->6488 6487 40db10 CharNextW 6487->6488 6488->6484 6488->6487 6489 40dc54 FindFirstFileW 6488->6489 6491 40dcbe lstrlenW 6488->6491 6489->6484 6490 40dc70 FindClose lstrlenW 6489->6490 6490->6484 6490->6488 6491->6488 6493 40db1e 6492->6493 6494 40db2c 6493->6494 6495 40db16 CharNextW 6493->6495 6494->6484 6494->6486 6495->6493 6497 405dc1 6496->6497 6498 405ea4 6496->6498 6500 405dc7 6497->6500 6504 405e3e Sleep 6497->6504 6499 405838 6498->6499 6498->6500 6502 405f9e 6499->6502 6540 405788 6499->6540 6501 405dd0 6500->6501 6505 405e82 Sleep 6500->6505 6510 405eb9 6500->6510 6501->6477 6502->6477 6504->6500 6507 405e58 Sleep 6504->6507 6508 405e98 Sleep 6505->6508 6505->6510 6507->6497 6508->6500 6509 40585f VirtualFree 6514 405870 6509->6514 6512 405f38 VirtualFree 6510->6512 6515 405edc 6510->6515 6511 405882 VirtualQuery VirtualFree 6513 405879 6511->6513 6511->6514 6512->6477 6513->6511 6513->6514 6514->6477 6515->6477 6517 405c88 6516->6517 6524 405a40 6516->6524 6518 405da0 6517->6518 6523 405c4c 6517->6523 6519 4057d4 VirtualAlloc 6518->6519 6520 405da9 6518->6520 6526 40580f 
6519->6526 6527 4057ff 6519->6527 6520->6479 6521 405a61 6521->6479 6522 405a52 6522->6521 6530 405b40 6522->6530 6535 405b21 Sleep 6522->6535 6525 405ca6 6523->6525 6528 405c66 Sleep 6523->6528 6524->6522 6532 405add Sleep 6524->6532 6533 40570c VirtualAlloc 6525->6533 6537 405cc4 6525->6537 6526->6479 6529 405788 2 API calls 6527->6529 6528->6525 6531 405c7c Sleep 6528->6531 6529->6526 6539 405b4c 6530->6539 6545 40570c 6530->6545 6531->6523 6532->6522 6534 405af3 Sleep 6532->6534 6533->6537 6534->6524 6535->6530 6536 405b37 Sleep 6535->6536 6536->6522 6537->6479 6539->6479 6541 4057d0 6540->6541 6542 405791 6540->6542 6541->6509 6541->6513 6542->6541 6543 40579c Sleep 6542->6543 6543->6541 6544 4057b6 Sleep 6543->6544 6544->6542 6549 4056a0 6545->6549 6547 405715 VirtualAlloc 6548 40572c 6547->6548 6548->6539 6550 405640 6549->6550 6550->6547 6552 40a756 6551->6552 6552->6426 6554 40d8f0 6553->6554 6555 40d949 6553->6555 6571 40d890 GetThreadPreferredUILanguages 6554->6571 6557 40d890 2 API calls 6555->6557 6563 40d951 6557->6563 6559 40d998 SetThreadPreferredUILanguages 6561 40d890 2 API calls 6559->6561 6562 40d9ae 6561->6562 6564 40d9c9 SetThreadPreferredUILanguages 6562->6564 6565 40d9d9 6562->6565 6563->6559 6563->6565 6564->6565 6565->6440 6567 40d713 6566->6567 6568 40d77c IsValidLocale 6567->6568 6570 40d7ca 6567->6570 6569 40d78f GetLocaleInfoW GetLocaleInfoW 6568->6569 6568->6570 6569->6570 6570->6434 6572 40d8b1 6571->6572 6573 40d8ca SetThreadPreferredUILanguages 6571->6573 6574 40d8ba GetThreadPreferredUILanguages 6572->6574 6573->6555 6574->6573 6576 40e115 6575->6576 6577 40e132 FindFirstFileW 6576->6577 6578 40e142 FindClose 6577->6578 6579 40e148 6577->6579 6578->6579 6579->6443 6581 40a838 GetUserDefaultUILanguage GetLocaleInfoW 6580->6581 6581->6448 6582 405a28 6583 405c88 6582->6583 6590 405a40 6582->6590 6584 405da0 6583->6584 6589 405c4c 6583->6589 6585 4057d4 VirtualAlloc 6584->6585 6586 405da9 6584->6586 6592 40580f 6585->6592 6593 4057ff 
6585->6593 6587 405a61 6588 405a52 6588->6587 6596 405b40 6588->6596 6601 405b21 Sleep 6588->6601 6591 405ca6 6589->6591 6594 405c66 Sleep 6589->6594 6590->6588 6598 405add Sleep 6590->6598 6599 40570c VirtualAlloc 6591->6599 6603 405cc4 6591->6603 6595 405788 2 API calls 6593->6595 6594->6591 6597 405c7c Sleep 6594->6597 6595->6592 6604 40570c VirtualAlloc 6596->6604 6605 405b4c 6596->6605 6597->6589 6598->6588 6600 405af3 Sleep 6598->6600 6599->6603 6600->6590 6601->6596 6602 405b37 Sleep 6601->6602 6602->6588 6604->6605 6606 6a6804 6614 4116fc 6606->6614 6611 6a6824 6621 69cde4 6611->6621 6613 6a6829 6615 411707 6614->6615 6627 40a134 6615->6627 6618 69cf1c 6659 69cf08 GetUserDefaultLCID 6618->6659 6620 69cf27 6620->6611 6620->6613 6660 4072b0 6621->6660 6623 69ce0c 6624 69ce24 FindWindowA ShowWindow GetModuleHandleW GetCurrentProcessId OpenProcess 6623->6624 6625 69ce81 WriteProcessMemory CloseHandle 6624->6625 6626 69cede 6624->6626 6625->6626 6626->6613 6628 40a143 6627->6628 6629 40a148 GetCurrentThreadId 6627->6629 6628->6629 6630 40a17e 6629->6630 6631 40a480 6630->6631 6632 40a1f1 6630->6632 6634 40a49c 6631->6634 6635 40a4ad 6631->6635 6646 40a0c8 6632->6646 6650 40a3e8 6634->6650 6636 40a4b6 GetCurrentThreadId 6635->6636 6640 40a4c3 6635->6640 6636->6640 6639 40a4a6 6639->6635 6641 406ff4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 6640->6641 6642 40a553 FreeLibrary 6640->6642 6643 40a57b 6640->6643 6641->6640 6642->6640 6644 40a584 6643->6644 6645 40a58a ExitProcess 6643->6645 6644->6645 6647 40a110 CoInitialize 6646->6647 6648 40a0d8 6646->6648 6647->6618 6648->6647 6656 41003c GetSystemInfo 6648->6656 6651 40a44f 6650->6651 6653 40a3f2 GetStdHandle WriteFile 6650->6653 6651->6639 6657 40af50 6653->6657 6655 40a43f GetStdHandle WriteFile 6655->6639 6656->6648 6658 40af56 6657->6658 6658->6655 6659->6620 6661 4072c4 6660->6661 6662 4072e6 GetCommandLineW 6661->6662 6663 4072c8 GetModuleFileNameW 6661->6663 6664 4072e4 6662->6664 6663->6664 6664->6623

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E26A
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E273
        • Part of subcall function 0040E100: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
        • Part of subcall function 0040E100: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction ID: 28d3534d03da62792b10c904a4318156777dd031835c1a9ea2f19a665f1be834
      • Opcode Fuzzy Hash: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction Fuzzy Hash: 08114570A042099BDB04EFA6C952AAEB3B8EF45304F5044BEF504B73C1DB789E15CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 222 40e100-40e140 call 40a834 call 40b24c FindFirstFileW 227 40e142-40e143 FindClose 222->227 228 40e148-40e15d call 40a750 222->228 227->228
      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
      • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction ID: 56f2b90e81b5c8edb50ad5567bfaa682a622e3270deca986461dceb52667ff6f
      • Opcode Fuzzy Hash: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction Fuzzy Hash: 9DF05E71900608AEC720FBB6CD5295EB7ACEB483147A109B6B404F66D1E7389E209958
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040DF49,?,?), ref: 0040DD5D
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDA6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDC8
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040DDE6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040DE04
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040DE22
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040DE40
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49), ref: 0040DE80
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001), ref: 0040DEAB
      • RegCloseKey.ADVAPI32(?,0040DF33,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales), ref: 0040DF26
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction ID: 1673f75d9ce236f1382a5bb3be95f5d58a4b5f9b2541baf46879199abf1317e9
      • Opcode Fuzzy Hash: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction Fuzzy Hash: 9E510275A40609BEEB10EAD5CC46FAE73BCDB08704F6044BBB605F61C1D678A944CA6D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000,00000000), ref: 0040DA0E
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA32
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA41
      • IsValidLocale.KERNEL32(00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DA53
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAB0
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAD9
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-GB,en,en-US,
      • API String ID: 975949045-3021119265
      • Opcode ID: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction ID: d21c8168fba803f94385bdecea8a5f36267ba655c33cd6148cba17b487a9e3d3
      • Opcode Fuzzy Hash: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction Fuzzy Hash: 7D2192A0B056145FD711B7FA8C4265A365ADB45708B91457BB000BB2C6CFBC8D45CBBE
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 67 40a134-40a141 68 40a143 67->68 69 40a148-40a17c GetCurrentThreadId 67->69 68->69 70 40a180-40a1ac call 40a018 69->70 71 40a17e 69->71 74 40a1b5-40a1bc 70->74 75 40a1ae-40a1b0 70->75 71->70 77 40a1c6-40a1cc 74->77 78 40a1be-40a1c1 74->78 75->74 76 40a1b2 75->76 76->74 79 40a1d1-40a1d8 77->79 80 40a1ce 77->80 78->77 81 40a1e7-40a1eb 79->81 82 40a1da-40a1e1 79->82 80->79 83 40a480-40a49a 81->83 84 40a1f1-40a1f6 call 40a0c8 81->84 82->81 86 40a49c-40a4a8 call 40a360 call 40a3e8 83->86 87 40a4ad-40a4b4 83->87 86->87 88 40a4b6-40a4c1 GetCurrentThreadId 87->88 89 40a4d7-40a4db 87->89 88->89 92 40a4c3-40a4d2 call 40a038 call 40a3bc 88->92 93 40a4f5-40a4f9 89->93 94 40a4dd-40a4e1 89->94 92->89 98 40a505-40a509 93->98 99 40a4fb-40a4fe 93->99 94->93 97 40a4e3-40a4f3 94->97 97->93 103 40a528-40a531 call 40a060 98->103 104 40a50b-40a514 call 406ff4 98->104 99->98 102 40a500-40a502 99->102 102->98 113 40a533-40a536 103->113 114 40a538-40a53d 103->114 104->103 112 40a516-40a526 call 4088e4 call 406ff4 104->112 112->103 113->114 116 40a559-40a564 call 40a038 113->116 114->116 117 40a53f-40a54d call 40e65c 114->117 124 40a566 116->124 125 40a569-40a56d 116->125 117->116 127 40a54f-40a551 117->127 124->125 128 40a576-40a579 125->128 129 40a56f-40a571 call 40a3bc 125->129 127->116 130 40a553-40a554 FreeLibrary 127->130 132 40a592-40a5a3 128->132 133 40a57b-40a582 128->133 129->128 130->116 132->93 134 40a584 133->134 135 40a58a-40a58d ExitProcess 133->135 134->135
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0040A16B
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: Q@
      • API String ID: 2882836952-827177241
      • Opcode ID: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction ID: 781f18a19abcf40cf44b1ee7d294638a41a04d59b97bcd06910df213058bb242
      • Opcode Fuzzy Hash: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction Fuzzy Hash: C8518EB46003059FDB24EF6AC88875B77E5AB19314F14857FE805AB292C77CD894CB1A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID: MZP
      • API String ID: 1159719554-2889622443
      • Opcode ID: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction ID: 8b0ddcd5631d6391d412feb92a5e48b4c884d5e368d3e2e335997cb5982417f9
      • Opcode Fuzzy Hash: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction Fuzzy Hash: BF118230A4061C9BDB10EB65C886BDE73B8DB04304F5144FEB508B32D1DB785F848EA9
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 152 40d1b4-40d1c2 153 40d1c4-40d1db GetModuleFileNameW call 40e428 152->153 154 40d1ef-40d1fa 152->154 156 40d1e0-40d1e7 153->156 156->154 157 40d1e9-40d1ec 156->157 157->154
      APIs
      • GetModuleFileNameW.KERNEL32(MZP,?,0000020A), ref: 0040D1D2
        • Part of subcall function 0040E428: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
        • Part of subcall function 0040E428: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID: MZP
      • API String ID: 4113206344-2889622443
      • Opcode ID: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction ID: 7d7c94543843ebaf992f1e55d63de1191d90912a4012a3754dc0aeace693fc51
      • Opcode Fuzzy Hash: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction Fuzzy Hash: 84E06D71A003108BCB10DE98C8C5A4737D4AF08714F0009A6AC18DF387E774DD248BE5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 158 40e304-40e346 call 40a834 * 2 call 40a750 165 40e400-40e41a call 40a7b0 158->165 166 40e34c-40e35c call 40ab78 158->166 172 40e363-40e368 166->172 173 40e35e-40e361 166->173 174 40e36a-40e373 172->174 175 40e38f-40e39e call 40e040 172->175 173->172 177 40e375-40e388 call 40b628 174->177 178 40e38a-40e38d 174->178 182 40e3a0-40e3ad call 40e16c 175->182 183 40e3af-40e3cc GetUserDefaultUILanguage call 40d9f0 call 40e16c 175->183 177->175 178->174 178->175 182->165 190 40e3f1-40e3f4 183->190 191 40e3ce-40e3d5 183->191 190->165 192 40e3f6-40e3fb call 40e238 190->192 191->190 193 40e3d7-40e3ec GetSystemDefaultUILanguage call 40d9f0 call 40e16c 191->193 192->165 193->190
      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3AF
      • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3D7
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction ID: 9683e73c6c0abcf4b746f8888c172bfa536fcfe37ae3f08e60084418d48e7ebc
      • Opcode Fuzzy Hash: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction Fuzzy Hash: 7C310170A10219DFDB10EBA6C881BAEB7B5EF44304F50497BE800B72D2D7789D95CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 232 6a6804-6a681b call 4116fc CoInitialize call 69cf1c 236 6a6820-6a6822 232->236 237 6a6829-6a6830 call 40a480 236->237 238 6a6824 call 69cde4 236->238 238->237
      APIs
      • CoInitialize.OLE32(00000000), ref: 006A6816
        • Part of subcall function 0069CDE4: FindWindowA.USER32(00000000,00000000), ref: 0069CE27
        • Part of subcall function 0069CDE4: ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
        • Part of subcall function 0069CDE4: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
        • Part of subcall function 0069CDE4: GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
        • Part of subcall function 0069CDE4: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
        • Part of subcall function 0069CDE4: WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
        • Part of subcall function 0069CDE4: CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleWindow$CloseCurrentFindInitializeMemoryModuleOpenShowWrite
      • String ID:
      • API String ID: 866042729-0
      • Opcode ID: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction ID: 8ee61a971f8ed6d7737626084e6d53a6920c98cf0355f7440c56fb86b9d06e2e
      • Opcode Fuzzy Hash: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction Fuzzy Hash: 4DD0120050434106C94037FB190379A3A4E0F02368F08017BB954DB7D7DD8D991541FF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 242 41003c-41004c GetSystemInfo
      APIs
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction ID: 40e128d564f27c1df9189ac710c0684b370c18922a3c8b57750d9bcb46e27ff2
      • Opcode Fuzzy Hash: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction Fuzzy Hash: B2A012104088000AC404A7194C4340F32805D41114FC40368749CB52C2E61985644BDF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Rendered graph not reproduced (legend: Executed / Not Executed); node and edge listing:
      control_flow_graph 243 40570c-40572a call 4056a0 VirtualAlloc 246 40577a-405785 243->246 247 40572c-405779 243->247
      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405D23,FFFFFFDC,004059F6), ref: 00405723
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction ID: 3f211e621d06bbfd93bf5e4038dd372af13e1d8d3e47f4f6d791379e334aaa67
      • Opcode Fuzzy Hash: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction Fuzzy Hash: 18F019F2A012114BDB149F78D945B427AD6E748354B11827EF909FB695D7B888418B84
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 0040DB51
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040DB62
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 0040DC62
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 0040DC74
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 0040DC80
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 0040DCC5
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction ID: 3a66766b1a2f5ebb02d859c4633afff12ee1ea1894cab7932bbfdd16adf4ed9c
      • Opcode Fuzzy Hash: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction Fuzzy Hash: 7B41C271E006189BDB10EBD8CC85ADEB3B5EF44300F5485BAD804F72C5E7B8AE49CA49
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 299 407974-40798e 300 407990-407993 299->300 301 40799f-4079b0 299->301 302 4079b2-4079c3 300->302 303 407995-407998 300->303 304 4079d6-4079e2 301->304 302->304 307 4079c5-4079cf 303->307 308 40799a 303->308 305 4079e8-4079ec 304->305 306 407a8c-407aac CreateFileW 304->306 309 4079fe-407a0b 305->309 310 4079ee-4079f7 305->310 312 407ac0-407ac8 306->312 313 407aae-407abb GetLastError 306->313 307->304 311 407bd7-407bdd 308->311 316 407a2b-407a32 GetStdHandle 309->316 317 407a0d-407a13 309->317 310->309 314 407b90-407b98 312->314 315 407ace-407ae3 GetFileSize 312->315 313->311 322 407ba8-407bae 314->322 323 407b9a-407ba1 314->323 318 407af3-407afb 315->318 319 407ae5-407aee call 40795c 315->319 324 407a34-407a3c 316->324 320 407a15-407a1a 317->320 321 407a1c 317->321 327 407afd 318->327 328 407aff-407b0d SetFilePointer 318->328 319->311 326 407a21-407a29 GetStdHandle 320->326 321->326 322->311 330 407bb0-407bbb GetFileType 322->330 323->322 324->322 329 407a42-407a4d GetFileType 324->329 326->324 327->328 332 407b2e-407b37 call 40795c 328->332 333 407b0f-407b2c ReadFile 328->333 334 407a79-407a87 329->334 335 407a4f-407a55 329->335 336 407bc2-407bce call 40795c 330->336 337 407bbd-407bbe 330->337 332->311 333->332 338 407b3c-407b40 333->338 334->322 340 407a57-407a63 GetConsoleOutputCP 335->340 341 407a68-407a74 GetConsoleCP 335->341 336->311 342 407bd0 337->342 343 407bc0 337->343 338->314 346 407b42-407b46 338->346 340->322 341->322 342->311 343->311 346->314 348 407b48-407b4e 346->348 348->314 349 407b50-407b53 348->349 350 407b59-407b5c 349->350 351 407b8b-407b8e 350->351 352 407b5e-407b72 SetFilePointer 350->352 351->314 351->350 353 407b80-407b89 call 40795c 352->353 354 407b74-407b7e SetEndOfFile 352->354 353->311 354->314 354->353
      APIs
      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 00407A22
      • GetStdHandle.KERNEL32(000000F6), ref: 00407A2D
      • GetFileType.KERNEL32(00000000), ref: 00407A45
      • GetConsoleOutputCP.KERNEL32(00000000), ref: 00407A57
      • GetConsoleCP.KERNEL32(00000000), ref: 00407A68
      • GetFileType.KERNEL32(00000000), ref: 00407BB3
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: ConsoleFileHandleType$Output
      • String ID:
      • API String ID: 393880136-0
      • Opcode ID: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction ID: 30289f512e7bf1b7cb34ce6aac11ef24264cbf54aec5bb3a909e88f5c38db94a
      • Opcode Fuzzy Hash: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction Fuzzy Hash: 10519670E0821196EB10AF65888876736A4EF45318F14867BE905BF2C6E77CFC418B6F
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00411800
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID: T|j$t|j
      • API String ID: 3997070919-3083990741
      • Opcode ID: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction ID: d5dd79b9b552fdc03a2ab43394edbffd5d5b1b05cd2b1dd8b0c60eaa66e5cf02
      • Opcode Fuzzy Hash: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction Fuzzy Hash: 00A161B59002099FDB10DFA9D891BEEBBF5FF48310F10811AE615A73A0EB74A9C4CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004072B0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,0069CE0C,00000000,00000000,0069CEFC), ref: 004072D4
      • FindWindowA.USER32(00000000,00000000), ref: 0069CE27
      • ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
      • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
      • GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
      • WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
      • CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleModuleWindow$CloseCurrentFileFindMemoryNameOpenShowWrite
      • String ID: )hj
      • API String ID: 3984213049-3365850516
      • Opcode ID: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction ID: 1b617b1f081cfb87ec44673049fe2d1cca7a79426b3064f672e4726a263717ac
      • Opcode Fuzzy Hash: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction Fuzzy Hash: 24312871E042499FDB00DFF9C882AEEBBF8EF49314F50416AE114F7281D634AA45CB65
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004090F5
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090FB
      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 0040910E
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409117
      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,0040918E,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409142
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
      • String ID: @$GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 1184211438-79381301
      • Opcode ID: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction ID: 89cfa98a069330e8236ef271302e03ab3a445760a3001fe59fa097df563e4f53
      • Opcode Fuzzy Hash: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction Fuzzy Hash: 7A114570E04609AEEB10EBA5D849A5EB7B9DB44304F5085BBF814BB2C2D67C9E408F59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00406312
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00406318
      • GetStdHandle.KERNEL32(000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406337
      • WriteFile.KERNEL32(00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040633D
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406354
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 0040635A
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: `T@
      • API String ID: 3320372497-530435058
      • Opcode ID: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction ID: 6d0ca2db81dbab3755941434efdbfc046d46aff50fd6c8f7007ffdffb872457a
      • Opcode Fuzzy Hash: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction Fuzzy Hash: EF0186F12087103EE600B67B9D86F5B268CDB09768F10063A7618FA0D2C57C9C418B7A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,?,?,00000000,00405A1E), ref: 00405E42
      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405A1E), ref: 00405E5C
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction ID: c4469594b470b865f1642b59d964024665ff5604766939db138d5a73fbbf0ef9
      • Opcode Fuzzy Hash: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction Fuzzy Hash: EF71C172605B008FEB15DB29C984727BBD4EB85314F18C27FE884AB3D2D6B88941CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction ID: 81f4691e347223e406ef7b1e8a498026a848fa64952474416199e4cf9fbec979
      • Opcode Fuzzy Hash: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction Fuzzy Hash: BEC100A2710A004BDB14AA6DDC8536BB286DBC4325F19823FF615EB3D6DA7CCC458B58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004097F4: GetCurrentThreadId.KERNEL32 ref: 004097F7
      • GetTickCount.KERNEL32 ref: 0040939F
      • GetTickCount.KERNEL32 ref: 004093B7
      • GetCurrentThreadId.KERNEL32 ref: 004093E6
      • GetTickCount.KERNEL32 ref: 00409411
      • GetTickCount.KERNEL32 ref: 00409448
      • GetTickCount.KERNEL32 ref: 00409472
      • GetCurrentThreadId.KERNEL32 ref: 004094E2
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction ID: 7b880953a4aa2c8bbecb6bcd19a3254470beb066c8f2509cda68c75541b3e4c7
      • Opcode Fuzzy Hash: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction Fuzzy Hash: 70414B3120C7419ED721AE7CC48431BBBD1AB84354F14897EE8D9A73C3E7789C829B56
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747,006A6814), ref: 0040A421
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747), ref: 0040A427
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C), ref: 0040A442
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?), ref: 0040A448
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000016.00000002.1362575156.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362890390.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362918239.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362940132.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1362983004.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363014625.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363039628.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363061958.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363086026.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363115028.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363142847.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363179616.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363212722.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000016.00000002.1363247284.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: Error$Runtime error at 00000000
      • API String ID: 3320372497-2970929446
      • Opcode ID: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction ID: 4fc56a2188866e669887ee9220089279a8b6405ca6482420f7ade7e3a18fb3d6
      • Opcode Fuzzy Hash: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction Fuzzy Hash: 24F0A9A1A8834478EB10B3668C0EF6B22999740B14F50223FB310B90D2C7FC98C08E2E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,FFFFFFDC,004059F6), ref: 00405ADF
      • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,004059F6), ref: 00405AF5
      • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,004059F6), ref: 00405B23
      • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,004059F6), ref: 00405B39
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction ID: ad550f8c0c7d09b6c462ac94dd9e24e91e455ab99917dd16c23bac2c9dd5ccf4
      • Opcode Fuzzy Hash: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction Fuzzy Hash: 33C1F6B2601B118FDB15CF29D884727BBA1EB85310F18827FE415AB3D5D7B8A881CF95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040D8E5
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040D943
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040D9A0
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040D9D3
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040D951), ref: 0040D8A7
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040D951), ref: 0040D8C4
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction ID: 5fcc8e5a48e46c6ce1fc6056201c55695d2f12a30709e1edab39e047bba2382d
      • Opcode Fuzzy Hash: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction Fuzzy Hash: DA314FB1E0011A9BDB10EBE9C885AAFB7B9FF04314F00457AE551F7291DB789A48CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00409C36
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction ID: 85e2221f4e687e19dee718121c1a3824eb1d5c310de91a6583c76a6122328412
      • Opcode Fuzzy Hash: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction Fuzzy Hash: 34418D70A082419FE724DB14D984F67B7E5FB84324F14856AE449AB3A2C738EC81CB69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00409AA2
      • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009A38), ref: 00409ADF
      Strings
      Memory Dump Source
      • Source File: 00000016.00000002.1362605253.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_22_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction ID: c2068604784093e2f7711804bf7866461b0e9479efabc809ad64dbe8b969e22d
      • Opcode Fuzzy Hash: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction Fuzzy Hash: FD3161B0604341AFDB10EB15D984F27BBFAEB84764F14856EF44897292C738FC40CA69
      Uniqueness

      Uniqueness Score: -1.00%

      Execution Graph

      Execution Coverage: 4%
      Dynamic/Decrypted Code Coverage: 0%
      Signature Coverage: 0%
      Total number of Nodes: 237
      Total number of Limit Nodes: 12

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E26A
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E2F8,?,?), ref: 0040E273
        • Part of subcall function 0040E100: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
        • Part of subcall function 0040E100: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000018.00000002.1363160825.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363484477.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363517046.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363544711.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363572147.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363599552.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363631576.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363659120.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363686053.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363719374.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363751202.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363774061.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363808485.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363838741.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363838741.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction ID: 28d3534d03da62792b10c904a4318156777dd031835c1a9ea2f19a665f1be834
      • Opcode Fuzzy Hash: 16cb0c4e4fbfa5e5d98885f674bb2d5413cf4467be4c491a3b6f3c2d48f8ddab
      • Instruction Fuzzy Hash: 08114570A042099BDB04EFA6C952AAEB3B8EF45304F5044BEF504B73C1DB789E15CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      control_flow_graph 222 40e100-40e140 call 40a834 call 40b24c FindFirstFileW 227 40e142-40e143 FindClose 222->227 228 40e148-40e15d call 40a750 222->228 227->228
      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E15E,?,00000001), ref: 0040E133
      • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E15E,?,00000001), ref: 0040E143
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction ID: 56f2b90e81b5c8edb50ad5567bfaa682a622e3270deca986461dceb52667ff6f
      • Opcode Fuzzy Hash: 0e63bd4d041023050d1ae98b315eeaef858a5a6976daae17084ad643b1d62ed3
      • Instruction Fuzzy Hash: 9DF05E71900608AEC720FBB6CD5295EB7ACEB483147A109B6B404F66D1E7389E209958
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040DF49,?,?), ref: 0040DD5D
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDA6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49,?,?), ref: 0040DDC8
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040DDE6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040DE04
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040DE22
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040DE40
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040DF49), ref: 0040DE80
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001), ref: 0040DEAB
      • RegCloseKey.ADVAPI32(?,0040DF33,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040DF2C,?,80000001,Software\Embarcadero\Locales), ref: 0040DF26
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction ID: 1673f75d9ce236f1382a5bb3be95f5d58a4b5f9b2541baf46879199abf1317e9
      • Opcode Fuzzy Hash: 266393929cf081702a8b0088b2ecef8428fc4c295e3fcf0623ca22d1f8043783
      • Instruction Fuzzy Hash: 9E510275A40609BEEB10EAD5CC46FAE73BCDB08704F6044BBB605F61C1D678A944CA6D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000,00000000), ref: 0040DA0E
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA32
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B,?,?,00000000,00000000), ref: 0040DA41
      • IsValidLocale.KERNEL32(00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DA53
      • EnterCriticalSection.KERNEL32(006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAB0
      • LeaveCriticalSection.KERNEL32(006B8C14,006B8C14,00000000,00000002,006B8C14,006B8C14,00000000,0040DAF4,?,?,?,00000000,?,0040E3BC,00000000,0040E41B), ref: 0040DAD9
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-GB,en,en-US,
      • API String ID: 975949045-3021119265
      • Opcode ID: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction ID: d21c8168fba803f94385bdecea8a5f36267ba655c33cd6148cba17b487a9e3d3
      • Opcode Fuzzy Hash: 965810dd5d544881f2eed2eaee8988b72550631b30fa6e929024f93f8d86c48c
      • Instruction Fuzzy Hash: 7D2192A0B056145FD711B7FA8C4265A365ADB45708B91457BB000BB2C6CFBC8D45CBBE
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); entry block 40a134-40a141
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0040A16B
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: Q@
      • API String ID: 2882836952-827177241
      • Opcode ID: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction ID: 781f18a19abcf40cf44b1ee7d294638a41a04d59b97bcd06910df213058bb242
      • Opcode Fuzzy Hash: 37bb8f3b704e3e5d486492e601fb12163015b5473d417a3d7913f9d8900e7631
      • Instruction Fuzzy Hash: C8518EB46003059FDB24EF6AC88875B77E5AB19314F14857FE805AB292C77CD894CB1A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID: MZP
      • API String ID: 1159719554-2889622443
      • Opcode ID: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction ID: 8b0ddcd5631d6391d412feb92a5e48b4c884d5e368d3e2e335997cb5982417f9
      • Opcode Fuzzy Hash: af8d62e184e3d986195f9bb03dfa1de6b6a3e103ab2337ef34a4a311875be198
      • Instruction Fuzzy Hash: BF118230A4061C9BDB10EB65C886BDE73B8DB04304F5144FEB508B32D1DB785F848EA9
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); entry block 40d1b4-40d1c2
      APIs
      • GetModuleFileNameW.KERNEL32(MZP,?,0000020A), ref: 0040D1D2
        • Part of subcall function 0040E428: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E464
        • Part of subcall function 0040E428: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040E4E2,?,MZP,006A7C24), ref: 0040E4B5
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID: MZP
      • API String ID: 4113206344-2889622443
      • Opcode ID: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction ID: 7d7c94543843ebaf992f1e55d63de1191d90912a4012a3754dc0aeace693fc51
      • Opcode Fuzzy Hash: 978c0b5c89954063eae2db3a9cdd68c3344415c597817aed67219eeeca766a49
      • Instruction Fuzzy Hash: 84E06D71A003108BCB10DE98C8C5A4737D4AF08714F0009A6AC18DF387E774DD248BE5
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); entry block 40e304-40e346
      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3AF
      • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E41B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040E4A2,00000000,?,00000105), ref: 0040E3D7
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction ID: 9683e73c6c0abcf4b746f8888c172bfa536fcfe37ae3f08e60084418d48e7ebc
      • Opcode Fuzzy Hash: 04aec6c5949a91eff643dede79f21acb92a396ec5c13c58e0488c395b91d2853
      • Instruction Fuzzy Hash: 7C310170A10219DFDB10EBA6C881BAEB7B5EF44304F50497BE800B72D2D7789D95CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); entry block 6a6804-6a681b
      APIs
      • CoInitialize.OLE32(00000000), ref: 006A6816
        • Part of subcall function 0069CDE4: FindWindowA.USER32(00000000,00000000), ref: 0069CE27
        • Part of subcall function 0069CDE4: ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
        • Part of subcall function 0069CDE4: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
        • Part of subcall function 0069CDE4: GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
        • Part of subcall function 0069CDE4: OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
        • Part of subcall function 0069CDE4: WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
        • Part of subcall function 0069CDE4: CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleWindow$CloseCurrentFindInitializeMemoryModuleOpenShowWrite
      • String ID:
      • API String ID: 866042729-0
      • Opcode ID: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction ID: 8ee61a971f8ed6d7737626084e6d53a6920c98cf0355f7440c56fb86b9d06e2e
      • Opcode Fuzzy Hash: 7eb3df2976f0cfe12b394d5a164de7289d7fa770bbc93783eb964f78e6e18b8b
      • Instruction Fuzzy Hash: 4DD0120050434106C94037FB190379A3A4E0F02368F08017BB954DB7D7DD8D991541FF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); single block 41003c-41004c calling GetSystemInfo
      APIs
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction ID: 40e128d564f27c1df9189ac710c0684b370c18922a3c8b57750d9bcb46e27ff2
      • Opcode Fuzzy Hash: 12cdb3361f82ec466d2ef655157c57c1621404ad48cf44c0378d53f736402022
      • Instruction Fuzzy Hash: B2A012104088000AC404A7194C4340F32805D41114FC40368749CB52C2E61985644BDF
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Control-flow graph (image not rendered); entry block 40570c-40572a
      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405D23,FFFFFFDC,004059F6), ref: 00405723
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction ID: 3f211e621d06bbfd93bf5e4038dd372af13e1d8d3e47f4f6d791379e334aaa67
      • Opcode Fuzzy Hash: 84cc3c6052895ed3df727d1605cafc6392cb058961a7e032d30221bd52359256
      • Instruction Fuzzy Hash: 18F019F2A012114BDB149F78D945B427AD6E748354B11827EF909FB695D7B888418B84
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 0040DB51
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040DB62
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?), ref: 0040DC62
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 0040DC74
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?), ref: 0040DC80
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?), ref: 0040DCC5
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction ID: 3a66766b1a2f5ebb02d859c4633afff12ee1ea1894cab7932bbfdd16adf4ed9c
      • Opcode Fuzzy Hash: fde6a549929fdfb4efd62ef9422efc01f2581efa47e080b023be07d5b1f9e4e1
      • Instruction Fuzzy Hash: 7B41C271E006189BDB10EBD8CC85ADEB3B5EF44300F5485BAD804F72C5E7B8AE49CA49
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 00407A22
      • GetStdHandle.KERNEL32(000000F6), ref: 00407A2D
      • GetFileType.KERNEL32(00000000), ref: 00407A45
      • GetConsoleOutputCP.KERNEL32(00000000), ref: 00407A57
      • GetConsoleCP.KERNEL32(00000000), ref: 00407A68
      • GetFileType.KERNEL32(00000000), ref: 00407BB3
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: ConsoleFileHandleType$Output
      • String ID:
      • API String ID: 393880136-0
      • Opcode ID: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction ID: 30289f512e7bf1b7cb34ce6aac11ef24264cbf54aec5bb3a909e88f5c38db94a
      • Opcode Fuzzy Hash: 44e9647deb6a171a1977860f2805945fec1e6f6d904a38372cd09949da9ecd96
      • Instruction Fuzzy Hash: 10519670E0821196EB10AF65888876736A4EF45318F14867BE905BF2C6E77CFC418B6F
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00411800
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID: T|j$t|j
      • API String ID: 3997070919-3083990741
      • Opcode ID: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction ID: d5dd79b9b552fdc03a2ab43394edbffd5d5b1b05cd2b1dd8b0c60eaa66e5cf02
      • Opcode Fuzzy Hash: 8eb399381c88b88fe8102bea9cb3a004123705ba076e2ccd719a7f94b62fadb7
      • Instruction Fuzzy Hash: 00A161B59002099FDB10DFA9D891BEEBBF5FF48310F10811AE615A73A0EB74A9C4CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004072B0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,?,?,0069CE0C,00000000,00000000,0069CEFC), ref: 004072D4
      • FindWindowA.USER32(00000000,00000000), ref: 0069CE27
      • ShowWindow.USER32(00000000,00000000,00000000,0069CEFC), ref: 0069CE2D
      • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,00000000,0069CEFC), ref: 0069CE34
      • GetCurrentProcessId.KERNEL32(0069CEFC), ref: 0069CE66
      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,0069CEFC), ref: 0069CE73
      • WriteProcessMemory.KERNEL32(00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED0
      • CloseHandle.KERNEL32(00000000,00000000,?,000000E9,00000006,?,001FFFFF,00000000,00000000,0069CEFC), ref: 0069CED9
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Process$HandleModuleWindow$CloseCurrentFileFindMemoryNameOpenShowWrite
      • String ID: )hj
      • API String ID: 3984213049-3365850516
      • Opcode ID: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction ID: 1b617b1f081cfb87ec44673049fe2d1cca7a79426b3064f672e4726a263717ac
      • Opcode Fuzzy Hash: d19087d277e278def39d0c2ca8364abf4f6454b529e15fd0d4080b958850dbc2
      • Instruction Fuzzy Hash: 24312871E042499FDB00DFF9C882AEEBBF8EF49314F50416AE114F7281D634AA45CB65
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004090F5
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090FB
      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 0040910E
      • GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409117
      • GetLogicalProcessorInformation.KERNEL32(?,?,00000000,0040918E,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 00409142
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
      • String ID: @$GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 1184211438-79381301
      • Opcode ID: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction ID: 89cfa98a069330e8236ef271302e03ab3a445760a3001fe59fa097df563e4f53
      • Opcode Fuzzy Hash: 1fa85caa552773b96161bad57f2679a24e0f7f647790eef72659aef1140987d2
      • Instruction Fuzzy Hash: 7A114570E04609AEEB10EBA5D849A5EB7B9DB44304F5085BBF814BB2C2D67C9E408F59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00406312
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00406318
      • GetStdHandle.KERNEL32(000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406337
      • WriteFile.KERNEL32(00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040633D
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406354
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00405460,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 0040635A
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: `T@
      • API String ID: 3320372497-530435058
      • Opcode ID: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction ID: 6d0ca2db81dbab3755941434efdbfc046d46aff50fd6c8f7007ffdffb872457a
      • Opcode Fuzzy Hash: 1efcdc10d2de979000967a800970a7f95947673ac5af36e0f17e0193741422a8
      • Instruction Fuzzy Hash: EF0186F12087103EE600B67B9D86F5B268CDB09768F10063A7618FA0D2C57C9C418B7A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,?,?,00000000,00405A1E), ref: 00405E42
      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00405A1E), ref: 00405E5C
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction ID: c4469594b470b865f1642b59d964024665ff5604766939db138d5a73fbbf0ef9
      • Opcode Fuzzy Hash: 8ca063d37976929a2339e8dc311fdd8d858c9dc668276ac8002a623bf35be126
      • Instruction Fuzzy Hash: EF71C172605B008FEB15DB29C984727BBD4EB85314F18C27FE884AB3D2D6B88941CF95
      Uniqueness

      Uniqueness Score: -1.00%

      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction ID: 81f4691e347223e406ef7b1e8a498026a848fa64952474416199e4cf9fbec979
      • Opcode Fuzzy Hash: 9a293c70259d80c1c5c0ee26e6b6f384607b1de7db59e2c5c6da9f4613f11009
      • Instruction Fuzzy Hash: BEC100A2710A004BDB14AA6DDC8536BB286DBC4325F19823FF615EB3D6DA7CCC458B58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004097F4: GetCurrentThreadId.KERNEL32 ref: 004097F7
      • GetTickCount.KERNEL32 ref: 0040939F
      • GetTickCount.KERNEL32 ref: 004093B7
      • GetCurrentThreadId.KERNEL32 ref: 004093E6
      • GetTickCount.KERNEL32 ref: 00409411
      • GetTickCount.KERNEL32 ref: 00409448
      • GetTickCount.KERNEL32 ref: 00409472
      • GetCurrentThreadId.KERNEL32 ref: 004094E2
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction ID: 7b880953a4aa2c8bbecb6bcd19a3254470beb066c8f2509cda68c75541b3e4c7
      • Opcode Fuzzy Hash: a8d895fd69be28776e115b549b89ab2ed8fec1923c473289a6b1148c9f2821d9
      • Instruction Fuzzy Hash: 70414B3120C7419ED721AE7CC48431BBBD1AB84354F14897EE8D9A73C3E7789C829B56
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747,006A6814), ref: 0040A421
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C,006B8B9C,?,?,006A7C40,00411747), ref: 0040A427
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?,006B8B9C), ref: 0040A442
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,006A6814,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,006A6814,00000000,?,0040A4A6,?,?), ref: 0040A448
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: Error$Runtime error at 00000000
      • API String ID: 3320372497-2970929446
      • Opcode ID: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction ID: 4fc56a2188866e669887ee9220089279a8b6405ca6482420f7ade7e3a18fb3d6
      • Opcode Fuzzy Hash: c5aa992f6f7dfc12a03205796224e7c97fe8c100f64bdb5bc27363c9cea9ee13
      • Instruction Fuzzy Hash: 24F0A9A1A8834478EB10B3668C0EF6B22999740B14F50223FB310B90D2C7FC98C08E2E
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • Sleep.KERNEL32(00000000,FFFFFFDC,004059F6), ref: 00405ADF
      • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,004059F6), ref: 00405AF5
      • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,004059F6), ref: 00405B23
      • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,004059F6), ref: 00405B39
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction ID: ad550f8c0c7d09b6c462ac94dd9e24e91e455ab99917dd16c23bac2c9dd5ccf4
      • Opcode Fuzzy Hash: 5998ba1abce3483564a9b354ee16231430cb19a9bc648d1aee4af79a40058904
      • Instruction Fuzzy Hash: 33C1F6B2601B118FDB15CF29D884727BBA1EB85310F18827FE415AB3D5D7B8A881CF95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040D8E5
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040D943
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040D9A0
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040D9D3
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040D951), ref: 0040D8A7
        • Part of subcall function 0040D890: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040D951), ref: 0040D8C4
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction ID: 5fcc8e5a48e46c6ce1fc6056201c55695d2f12a30709e1edab39e047bba2382d
      • Opcode Fuzzy Hash: 4bd62ab40d970e5d602660086afcfd9bed59fb746782edda89b7c1a732012506
      • Instruction Fuzzy Hash: DA314FB1E0011A9BDB10EBE9C885AAFB7B9FF04314F00457AE551F7291DB789A48CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00409C36
      Strings
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction ID: 85e2221f4e687e19dee718121c1a3824eb1d5c310de91a6583c76a6122328412
      • Opcode Fuzzy Hash: 1556afe1a2f217acfc51753d4112c108f940a2ab3b3c1cb9468fb4b760ca5ead
      • Instruction Fuzzy Hash: 34418D70A082419FE724DB14D984F67B7E5FB84324F14856AE449AB3A2C738EC81CB69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00409AA2
      • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009A38), ref: 00409ADF
      Strings
      Memory Dump Source
      • Source File: 00000018.00000002.1363193490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000018.00000002.1363160825.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363484477.00000000006A7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363517046.00000000006A8000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363544711.00000000006A9000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363572147.00000000006AC000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363599552.00000000006AE000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363631576.00000000006B0000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363659120.00000000006B1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363686053.00000000006B2000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363719374.00000000006B6000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363751202.00000000006BB000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363774061.00000000006BF000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363808485.00000000006C1000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363838741.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000018.00000002.1363838741.00000000006C4000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_24_2_400000_rundll32.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID: Q@
      • API String ID: 3192549508-827177241
      • Opcode ID: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction ID: c2068604784093e2f7711804bf7866461b0e9479efabc809ad64dbe8b969e22d
      • Opcode Fuzzy Hash: ced892eff656815d9e230e20af0b1b94dca1f413b85a84937c4b440479b295ba
      • Instruction Fuzzy Hash: FD3161B0604341AFDB10EB15D984F27BBFAEB84764F14856EF44897292C738FC40CA69
      Uniqueness

      Uniqueness Score: -1.00%