Edit tour

Windows Analysis Report
OL50O9ho5M.dll

Overview

General Information

Sample name:	OL50O9ho5M.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	c747306c42543a4896728631f3c75c86c93d3fbc.dll.exe
Analysis ID:	1558474
MD5:	1c3fa910ec45c6f23efc30abac859c8c
SHA1:	c747306c42543a4896728631f3c75c86c93d3fbc
SHA256:	48f391aa7a7812ffd052874795df367490edcaf22c13c1a14841c297c693edc3
Tags:	dllexeuser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6336 cmdline: loaddll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5204 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 1880 cmdline: rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6316 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5988 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 5616 cmdline: rundll32.exe C:\Users\user\Desktop\OL50O9ho5M.dll,GetIDTs MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6012 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 936 cmdline: rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1656 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 4876 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 1656 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5588 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1216 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 5204 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 504 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6288 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OL50O9ho5M.dll	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x1203:$x1: cracked by ximo 0x1cb22:$x1: cracked by ximo

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x3b838:$x1: cracked by ximo 0x3baa8:$x1: cracked by ximo 0x3bb60:$x1: cracked by ximo 0x3bc86:$x1: cracked by ximo 0x3bd3e:$x1: cracked by ximo 0x3bdf6:$x1: cracked by ximo 0x3beae:$x1: cracked by ximo 0x3bf66:$x1: cracked by ximo 0x3dfa2:$x1: cracked by ximo 0x598c1:$x1: cracked by ximo

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDT

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OL50O9ho5M.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: OL50O9ho5M.dll

ReversingLabs: Detection: 89%

Machine Learning detection for sample

Source: OL50O9ho5M.dll

Joe Sandbox ML: detected

Source: OL50O9ho5M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_stricmp,PathIsDirectoryA,#823,strcpy,strcpy,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,strrchr,_stricmp,strcpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD strcpy,strcat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.143 12388	Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 107.163.56.241 ports 18530,0,1,3,5,8

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic	TCP traffic: 192.168.2.6:49703 -> 107.163.56.241:18530
Source: global traffic	TCP traffic: 192.168.2.6:49704 -> 107.163.43.143:12388
Source: global traffic	TCP traffic: 192.168.2.6:49709 -> 107.163.56.251:6658

Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US

Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000B74E send,closesocket,select,__WSAFDIsSet,memset,recv,strcpy,closesocket,InterlockedExchange,strstr,CreateThread,InterlockedExchange,

4_2_1000B74E

Source: rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/main
Source: rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/mainMozilla/4.0
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4589013369.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.143:12388/new_u.php
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.143:12388/new_u.php0
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.143:12388/new_u.phpE%
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.php
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.241:18530/
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnJeWnde
Source: rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%s
Source: rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%sfound~
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%sMozilla/4.0
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100052CF OpenClipboard,

4_2_100052CF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E8E SetClipboardData,

4_2_10004E8E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004F4C GetClipboardData,

4_2_10004F4C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004788 GetAsyncKeyState,

4_2_10004788

System Summary

Malicious sample detected (through community Yara rule)

Source: OL50O9ho5M.dll, type: SAMPLE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005F3C GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		4_2_10005F3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005FD3 NtQueryInformationFile,		4_2_10005FD3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100059A0 DeleteService,

4_2_100059A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004804 CreateProcessAsUserA,

4_2_10004804

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005238 ExitWindowsEx,

4_2_10005238

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100150F3	4_2_100150F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C15F	4_2_1000C15F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F200	4_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100122E4	4_2_100122E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003F541	4_2_1003F541
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E5EC	4_2_1001E5EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10018642	4_2_10018642
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A67B	4_2_1001A67B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D748	4_2_1001D748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001C850	4_2_1001C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015883	4_2_10015883
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015B40	4_2_10015B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DB5D	4_2_1001DB5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DD4D	4_2_1001DD4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BD60	4_2_1001BD60

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 10001000 appears 297 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1656

Source: OL50O9ho5M.dll

Binary or memory string: OriginalFilenamevbscript.dllN vs OL50O9ho5M.dll

Source: OL50O9ho5M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: OL50O9ho5M.dll, type: SAMPLE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winDLL@33/5@0/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72 sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005EBA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	4_2_10005EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005912 AdjustTokenPrivileges,	4_2_10005912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007DDE #823,#823,#823,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,	4_2_10007DDE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005821 GetDiskFreeSpaceExA,

4_2_10005821

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: strcpy,strcat,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlenA,RegSetValueExA,memset,wsprintfA,RegCreateKeyA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,memset,strcpy,RegOpenKeyExA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegCloseKey,

4_2_1000ABAC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000D3D5 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,DebugActiveProcess,GetLastError,Process32Next,CloseHandle,

4_2_1000D3D5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100114B0 CoCreateInstance,

4_2_100114B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005000 LockResource,

4_2_10005000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000AAC4 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\11261041

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5616
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57d4207b-a852-47f5-a9f1-edaadf4d8383

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OL50O9ho5M.dll,GetIDTs

Source: OL50O9ho5M.dll

ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OL50O9ho5M.dll,GetIDTs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1656
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OL50O9ho5M.dll,GetIDTs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: initial sample

Static PE information: section where entry point is pointing to: .ynik1

Source: OL50O9ho5M.dll	Static PE information: section name: .ynik0
Source: OL50O9ho5M.dll	Static PE information: section name: .ynik1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003B01B push esp; mov dword ptr [esp], 801B5E30h	4_2_1003B021
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003B010 push dword ptr [esp+4Ch]; retn 0050h	4_2_1003B018
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004C01C push dword ptr [esp+10h]; retn 0024h	4_2_1004C038
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001040 push dword ptr [esp]; mov dword ptr [esp], ebx	4_2_10001064
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003C058 push dword ptr [esp+40h]; retn 0044h	4_2_1003C073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005B0C8 push dword ptr [esp+30h]; retn 003Ch	4_2_1005B0F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210E0 push eax; ret	4_2_1002110E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10064142 push dword ptr [esp+38h]; retn 003Ch	4_2_10064155
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C15F push dword ptr [esp+34h]; retn 0038h	4_2_1003C95D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001190 push 6810867Ah; mov dword ptr [esp], 078FD060h	4_2_1000119E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005B1BA push edi; ret	4_2_1005B1DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C1C2 pushfd ; mov dword ptr [esp], ecx	4_2_1000C1D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005C20A push ebx; retf 0005h	4_2_1005C20B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003625C push 53DCB35Dh; mov dword ptr [esp], 0D616239h	4_2_10036276
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10039298 push dword ptr [esp+38h]; retn 003Ch	4_2_100392AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100342C3 push edx; mov dword ptr [esp], eax	4_2_100334C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100342C3 push 44A84A71h; mov dword ptr [esp], eax	4_2_10033C36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005D35A push ds; iretd	4_2_1005D36F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100343E4 push dword ptr [esp+28h]; retn 002Ch	4_2_10034403
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005F46C push dword ptr [esp+40h]; retn 0044h	4_2_1005F477
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10062513 push eax; mov dword ptr [esp], 00000000h	4_2_10062571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005E53D push eax; retf	4_2_1005E53E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003560B push eax; mov dword ptr [esp], 00000000h	4_2_10035669
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100366FE push 750DC817h; mov dword ptr [esp], esi	4_2_1003670C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003578B push dword ptr [esp+38h]; retn 003Ch	4_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100357AD push dword ptr [esp+38h]; retn 003Ch	4_2_100357C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100337F1 push dword ptr [esp+44h]; retn 0048h	4_2_10034CE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100608AB push dword ptr [esp+30h]; retn 003Ch	4_2_100608C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100628C7 pushfd ; mov dword ptr [esp], esp	4_2_10063B2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100618DE pushfd ; mov dword ptr [esp], esp	4_2_10063B2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1005B9B1 pushad ; mov dword ptr [esp], esp	4_2_1005B9D6

Source: OL50O9ho5M.dll

Static PE information: section name: .ynik1 entropy: 7.872352510687291

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IDT

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IDT			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run IDT			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005BDF ClearEventLogA,

4_2_10005BDF

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-11854

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10034274 rdtsc

4_2_10034274

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_4-12094

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 8.5 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Source: C:\Windows\SysWOW64\rundll32.exe TID: 5160	Thread sleep time: -14400000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5160	Thread sleep time: -1800000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_stricmp,PathIsDirectoryA,#823,strcpy,strcpy,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,strrchr,_stricmp,strcpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD strcpy,strcat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007DDE #823,#823,#823,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,

4_2_10007DDE

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows\SysWOW64\SspiCli.dlles\Applications\\VMwareHostOpen.
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4589013369.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rundll32.exe, 00000004.00000002.4589013369.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt?
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10034274 rdtsc

4_2_10034274

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004DF5 BlockInput,

4_2_10004DF5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006322 GetProcessHeap,HeapFree,_strnicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,CloseHandle,memset,strrchr,_strnicmp,CloseHandle,CloseHandle,lstrlenA,_strnicmp,OpenProcess,GetModuleFileNameExA,_strnicmp,GetCurrentProcess,DuplicateHandle,CloseHandle,CloseHandle,HeapFree,

4_2_10006322

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000558A SetUnhandledExceptionFilter,

4_2_1000558A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.143 12388	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E04 keybd_event,

4_2_10004E04

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E1F mouse_event,

4_2_10004E1F

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100048C9 SetSecurityDescriptorDacl,

4_2_100048C9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004925 AllocateAndInitializeSid,

4_2_10004925

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,memcpy,	4_2_1000960F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: strlen,memset,___crtGetLocaleInfoEx,lstrcpyA,	4_2_1000C295
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,	4_2_1000949C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetModuleFileNameA,GetModuleFileNameA,strrchr,strcat,strrchr,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ReleaseMutex,CloseHandle,GetTickCount,srand,rand,rand,Sleep,SetFileAttributesA,wsprintfA,strcpy,strcat,strcat,Sleep,memset,strcat,strcat,strcat,MoveFileA,Concurrency::details::platform::__CreateTimerQueueTimer,___crtGetLocaleInfoEx,rand,rand,rand,rand,rand,rand,rand,MoveFileExA,Sleep,memset,___crtGetTimeFormatEx,	4_2_1000D7E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,#823,memset,___crtGetTimeFormatEx,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,#823,MultiByteToWideChar,WideCharToMultiByte,#823,WideCharToMultiByte,#825,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,#825,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,strlen,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,wsprintfA,strlen,#825,strrchr,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	4_2_10009A63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,#823,memset,___crtGetTimeFormatEx,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,#823,MultiByteToWideChar,WideCharToMultiByte,#823,WideCharToMultiByte,#825,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,#825,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,strlen,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,wsprintfA,strlen,#825,strrchr,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	4_2_10009FAB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1001F343 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

4_2_1001F343

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004996 LookupAccountNameA,

4_2_10004996

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10008C6A memset,GetVersionExA,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,sprintf,

4_2_10008C6A

Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007225 WSAStartup,socket,socket,htons,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,WSACleanup,

4_2_10007225

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Service Execution	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	12 Windows Service	11 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	12 Windows Service	1 Software Packing	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	111 Process Injection	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OL50O9ho5M.dll	89%	ReversingLabs	Win32.Backdoor.Venik
OL50O9ho5M.dll	100%	Avira	TR/Downloader.Gen
OL50O9ho5M.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://107.163.43.143:12388/new_u.php	0%	Avira URL Cloud	safe
http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnJeWnde	0%	Avira URL Cloud	safe
http://%s.qzone.qq.com/mainMozilla/4.0	0%	Avira URL Cloud	safe
http://%s.qzone.qq.com/main	0%	Avira URL Cloud	safe
http://67.229.227.140:999/ver.asp?v=%sfound~	0%	Avira URL Cloud	safe
http://107.163.56.241:18530/	0%	Avira URL Cloud	safe
http://107.163.43.143:12388/new_u.phpE%	0%	Avira URL Cloud	safe
http://107.163.43.143:12388/new_u.php0	0%	Avira URL Cloud	safe
http://67.229.227.140:999/ver.asp?v=%s	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.php	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://107.163.43.143:12388/new_u.phpE%	rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.143:12388/new_u.php	rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4589013369.0000000002DA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.240:18963/main.php	rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://67.229.227.140:999/ver.asp?v=%sfound~	rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%sMozilla/4.0	rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://%s.qzone.qq.com/main	rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	false		high
http://%s.qzone.qq.com/mainMozilla/4.0	rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s	rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://107.163.56.241:18530/	rundll32.exe, rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.143:12388/new_u.php0	rundll32.exe, 00000004.00000002.4589013369.0000000002D5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://67.229.227.140:999/ver.asp?v=%s	rundll32.exe, 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnJeWnde	rundll32.exe, 00000004.00000002.4589013369.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.163.56.241	unknown	United States	20248	TAKE2US	true
107.163.43.143	unknown	United States	20248	TAKE2US	true
107.163.56.251	unknown	United States	20248	TAKE2US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558474
Start date and time:	2024-11-19 14:02:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OL50O9ho5M.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	c747306c42543a4896728631f3c75c86c93d3fbc.dll.exe
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@33/5@0/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 118
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: OL50O9ho5M.dll

Simulations

Behavior and APIs

Time	Type	Description
08:03:48	API Interceptor	23x Sleep call for process: rundll32.exe modified
08:03:48	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.163.56.251	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse
107.163.56.251	abc.dll	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TAKE2US	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
	INVOICES.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	sh4.elf	Get hash	malicious	Mirai	Browse	23.231.236.168
	armv6l.elf	Get hash	malicious	Unknown	Browse	23.231.236.146
TAKE2US	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
	INVOICES.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	sh4.elf	Get hash	malicious	Mirai	Browse	23.231.236.168
	armv6l.elf	Get hash	malicious	Unknown	Browse	23.231.236.146
TAKE2US	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
	INVOICES.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	sh4.elf	Get hash	malicious	Mirai	Browse	23.231.236.168
	armv6l.elf	Get hash	malicious	Unknown	Browse	23.231.236.146

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 13:04:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	163598
Entropy (8bit):	1.9850652909800435
Encrypted:	false
SSDEEP:	384:4FVuVm93N0Y5HDOKIMwSJaeQHMdbAsvrJ2ciZ0Hna07C0QymWX6OuwS:ycVm990Y5DOwb+yviYJNmWxI
MD5:	EDFB7783422611D30C9AED249C71C0B9
SHA1:	3971DF3D43963BCDCB88E8363C0204ECC8166492
SHA-256:	AA63F0AE5547CD711079A0B38319F5A0A773473CCF9DB95F33EDAA8F209F0FAA
SHA-512:	D9E57F4BA127273222B895706743A5F2242EF46392638F0943E5101843743F4FB332B87DFF8A7E70C9BEA66A1398B581B572E23CB3CF6048360E85ABCC091D64
Malicious:	false
Preview:	MDMP..a..... ........<g............t...............\|...........(Z..........T.......8...........T............B...=..........L(..........8..............................................................................eJ.............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC71.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6926491340236502
Encrypted:	false
SSDEEP:	192:R6l7wVeJJu6w1rgC6YCs6Rgmf8jJpr/89b6WsfX+m:R6lXJg6E6YB6Rgmf8jU61fX
MD5:	A77A82434ABB3D04EB4981B2D77FB279
SHA1:	F68E182591CC2095AA8BBD5CDD2816A976FC6903
SHA-256:	B14DC7FAF835DB16AD8F0B42E5DF74C9D2158C31D8B411BCB76E80FECDDB6E25
SHA-512:	058BC740434A4AB1F6243F4A457F31C17D5C5A6851BD7C45499C79152C2DEE0AF511DADD16ACD1BA72110EE7320DE2C74CD7F7814EFED9C8B300E06175CA9ACF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.481756532169161
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9ROWpW8VYDYm8M4JCdP7FU+q8vjPDSGScSvd:uIjflI7Dv7VvJNKCJ3vd
MD5:	D6554E5FC158DE2C486BCF0CBAF9C740
SHA1:	2E3D7C6469AE7591B17BE102EF7F7B2CE715E4A4
SHA-256:	1DBFDC423FB69712D2EDAB890E7C507AA607F0D413D848C85C1DFEFB4D2F6AB8
SHA-512:	6D02A3810EC58737CB519AC994746F4B216B72CE6267867DF735A42FFAD2BAA61DD0C580F0570C590F273FD08577D4E69740A72098393958AF682BCC0C1614C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594966" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469391988330842
Encrypted:	false
SSDEEP:	6144:PzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:bZHtYZWOKnMM6bFpHj4
MD5:	BA63BC8F372161F8BB2BBCCF3BCCAA77
SHA1:	34286F078F59EE67EA8387CF06E6A836E254F477
SHA-256:	53228C1DC0F35DB1E562165D2EC4F1321145F7C8EFECEE0A543EC4D352CC275D
SHA-512:	3FB823B8A064B9D55E5F97B75CA7DDB42736C190FF4242652DF01236B7177FF9E0598CC4C0B6492EA40B07D42E5B5761FF4FF807667A4D6F162FE20952504DE0
Malicious:	false
Preview:	regfH...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6."..:................................................................................................................................................................................................................................................................................................................................................4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1769472
Entropy (8bit):	4.576765914912663
Encrypted:	false
SSDEEP:	6144:VzZfpi6ceLPx9skLmb0fYZWSPDaJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:tZHtYZWSKnMM6bFpHj4
MD5:	69B3FABF865FFDF402A39F3FE1ADCA86
SHA1:	EAE3480A3D54E9683F5D5E428B230E62094634D5
SHA-256:	A384CE8DF3AD30205E581D8839B6922971BF89A7704CB46DFF88681399C0D1B3
SHA-512:	25C73A2E3BC02BE7A2790F3971A013AC9B0C9FF991CEE2508D29085ED0DF8AD0B2AB6626E622A5447FD7B5C3FEB0AB5C5FDE89DA5CD2665DC02F8CBED1888E89
Malicious:	false
Preview:	regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6."..:................................................................................................................................................................................................................................................................................................................................................4.HvLE........G..........._k.......@..M@f.....0...@......hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........]...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............

Static File Info

General

File type:	MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.589317822516538
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.38% DOS Executable Borland Pascal 7.0x (2037/25) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Lumena CEL bitmap (63/63) 0.01%
File name:	OL50O9ho5M.dll
File size:	163'939 bytes
MD5:	1c3fa910ec45c6f23efc30abac859c8c
SHA1:	c747306c42543a4896728631f3c75c86c93d3fbc
SHA256:	48f391aa7a7812ffd052874795df367490edcaf22c13c1a14841c297c693edc3
SHA512:	8ab9bd8837a274102ccb6dddc6223ba4bdce8d13997228cd8d4e8ac8557c60d75f91ed00d080eea156dc1fcf78c844910da60da60ae7ce0df20fb4bd6741870d
SSDEEP:	3072:iGjK99QR809vb8AryfxFhurI6nhDrNT3WOcmPWTEcR283brWjNnnCPcQEFK:i8Ah0J8hfzQrTn1B3WOfWwcYuboNnnCz
TLSH:	32F302AAE7E2A4F8F04A0330AFA7D41EB530659645648F0FDFD2D06F7DC641012BAA95
File Content Preview:	MZ.............................................................................................................................................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10059398
Entrypoint Section:	.ynik1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	0
OS Version Minor:	0
File Version Major:	0
File Version Minor:	0
Subsystem Version Major:	0
Subsystem Version Minor:	0
Import Hash:	1cb44e3fd2b456c57ddbbc34a99f6c10

Entrypoint Preview

Instruction
pushad
pushfd
mov dword ptr [esp+20h], 802EECC8h
call 00007F096CDD9078h
lea esp, dword ptr [esp+04h]
jnc 00007F096CDE475Ah
push esp
lahf
push ecx
bswap ax
lea eax, dword ptr [ebx+ecx*4+00000330h]
lea esp, dword ptr [esp+08h]
jno 00007F096CDF77E9h
pushad
lea esp, dword ptr [esp+20h]
call 00007F096CDD8F35h
call 00007F096CDF7B32h
lea eax, dword ptr [esp+2349F599h]
aad 3Ch
push ebp
lea eax, dword ptr [ebx-13F5E1CCh]
aad 89h
add eax, AB85A7B6h
inc bp
mov ebp, esp
aam
sub esp, 10h
aaa
test dl, 0000007Bh
aam 37h
bsr eax, ebx
push esi
shl eax, cl
bt edi, 0Bh
push edi
bsr ax, ax
lea eax, dword ptr [ebx+44663835h]
add al, al
push ebx
pushad
bsf eax, eax
mov dword ptr [esp+1Ch], edx
cwde
shrd ax, dx, 00000006h
aam 61h
mov eax, dword ptr [ebp+08h]
clc
bt bx, 0005h
mov word ptr [esp+04h], 4A31h
stc
test eax, eax
pushfd
pushad
jmp 00007F096CDD8D3Eh
push ebx
adc dl, dl
push edi
call 00007F096CDF5482h
inc ecx
inc esp
push esi
inc ecx
push eax
dec ecx
xor esi, dword ptr [edx]
insb
insb
add byte ptr [ecx], cl
or dword ptr [eax+50BA3C07h], ebp
outsd
add al, 00h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5d434	0x3b	.ynik1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d870	0x140	.ynik1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x1000
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x65000	0xe4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5cfb0	0x3a4	.ynik1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20a8a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x40c5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x27000	0x7550	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ynik0	0x2f000	0x10d00	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.ynik1	0x40000	0x244c6	0x25000	9963f3e8b1d71de03c75b390e16b8dc6	False	0.9346033044763513	data	7.872352510687291	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x65000	0xe4	0x1000	84a7814e74f283c8adf0d735b619f0a6	False	0.058349609375	data	0.4912054035000766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0x63a	0x1000	9e28aa32bdb479c5b8115855e9aab4aa	False	0.14794921875	data	1.4512315773441635	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x660f0	0xe8	data	English	United States	0.5258620689655172
RT_DIALOG	0x6654c	0xee	data	English	United States	0.05042016806722689
RT_VERSION	0x661d8	0x374	data	English	United States	0.4343891402714932

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	rand, strchr, strncpy, sscanf, __CxxFrameHandler, wcscat, memcpy, malloc, free, _strnicmp, strcpy, srand, memcmp, _stricmp, strrchr, strcat, time, localtime, strftime, vsprintf, sprintf, strlen, memset, atoi, strcspn, strstr, _except_handler3, _CxxThrowException, tolower, toupper, strcmp, wcscpy, strncat, calloc, _mbsstr, _mbsnbcpy, _strcmpi, wcslen, _mbsicmp, __dllonexit, _onexit, ??1type_info@@UAE@XZ, _initterm, _adjust_fdiv, _memicmp
KERNEL32.dll	CreateToolhelp32Snapshot, UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, GetFileInformationByHandle, FileTimeToSystemTime, SetFileTime, GetFileAttributesA, LocalFileTimeToFileTime, GetCurrentDirectoryA, SystemTimeToFileTime, FormatMessageA, CreateProcessA, GetLocalTime, VirtualQuery, lstrcatA, DeviceIoControl, SetFileAttributesA, MoveFileA, LocalFree, Process32First, lstrcmpiA, DebugActiveProcess, Process32Next, ExpandEnvironmentStringsA, GetModuleHandleA, InterlockedIncrement, CopyFileA, InterlockedExchange, CreateMutexA, ReleaseMutex, SetLastError, WinExec, lstrcpyA, LoadLibraryA, GetProcAddress, CloseHandle, WriteFile, SetFilePointer, CreateFileA, GetModuleFileNameA, GetCurrentProcess, HeapFree, HeapAlloc, GetProcessHeap, WideCharToMultiByte, TerminateThread, WaitForSingleObject, CreateThread, GetCurrentProcessId, TerminateProcess, OpenProcess, GetTickCount, MoveFileExA, DeleteFileA, Sleep, lstrlenA, DuplicateHandle, FreeLibrary, FindClose, FindNextFileA, FindFirstFileA, ReadFile, GetFileSize, InterlockedDecrement, GetSystemInfo, WriteProcessMemory, CreateDirectoryA, ReadProcessMemory, VirtualQueryEx, GlobalFree, GlobalAlloc, GetVersionExA, GetSystemDefaultUILanguage, GlobalMemoryStatusEx, MultiByteToWideChar, GetLastError, GetSystemDirectoryA
USER32.dll	GetDesktopWindow, wsprintfA
ADVAPI32.dll	QueryServiceStatus, LookupPrivilegeValueA, RegQueryInfoKeyA, RegEnumValueA, CreateServiceA, RegCreateKeyA, OpenSCManagerA, OpenServiceA, ChangeServiceConfigA, StartServiceA, CloseServiceHandle, AdjustTokenPrivileges, RegOpenKeyA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, OpenProcessToken
WS2_32.dll	inet_addr, htonl, sendto, closesocket, WSACleanup, send, __WSAFDIsSet, recv, connect, setsockopt, WSAIoctl, WSAStartup, socket, htons, ntohs, bind, ioctlsocket, select, recvfrom, WSAGetLastError
SHLWAPI.dll	PathIsDirectoryA, PathFileExistsA, StrStrIA
ntdll.dll	NtQueryInformationFile, NtQuerySystemInformation
PSAPI.DLL	GetModuleFileNameExA
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitializeEx, CoInitialize, CoSetProxyBlanket, CoCreateInstance
OLEAUT32.dll	SafeArrayGetVartype, SafeArrayAccessData, SafeArrayUnaccessData, VariantChangeType, SysAllocStringByteLen, SafeArrayCreate, SafeArrayDestroy, SysFreeString, SysAllocString, VariantInit, SysStringLen, VariantClear
MSVCP60.dll	??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z, ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z, ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
NETAPI32.dll	Netbios
KERNEL32.dll	GetModuleFileNameW
KERNEL32.dll	GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

Exports

Name	Ordinal	Address
GetIDTs	1	0x1000fff3

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:03:49.648663044 CET	49703	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:03:49.648799896 CET	49704	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:03:50.639758110 CET	49704	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:03:50.655371904 CET	49703	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:03:52.655317068 CET	49703	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:03:52.655361891 CET	49704	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:03:56.655348063 CET	49704	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:03:56.655348063 CET	49703	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:04:04.655304909 CET	49704	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:04:04.655304909 CET	49703	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:04:11.683260918 CET	49709	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:04:12.686595917 CET	49709	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:04:14.702202082 CET	49709	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:04:18.717835903 CET	49709	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:04:26.733460903 CET	49709	6658	192.168.2.6	107.163.56.251

Target ID:	0
Start time:	08:03:45
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll"
Imagebase:	0x930000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:03:45
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:03:45
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:03:45
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\OL50O9ho5M.dll,GetIDTs
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:03:45
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",#1
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:03:46
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:03:46
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:03:46
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x880000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:03:48
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:03:49
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3300, Parent PID: 1656

General

Target ID:	12
Start time:	08:03:49
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:03:49
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x880000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:04:11
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 1656
Imagebase:	0x7c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	08:04:19
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:04:19
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3840, Parent PID: 504

General

Target ID:	21
Start time:	08:04:19
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:04:19
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x880000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:04:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\OL50O9ho5M.dll",GetIDTs
Imagebase:	0x870000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5588, Parent PID: 1656

General

Target ID:	24
Start time:	08:04:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3004, Parent PID: 5588

General

Target ID:	25
Start time:	08:04:27
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:04:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x880000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	34%
Total number of Nodes:	471
Total number of Limit Nodes:	35

Executed Functions

Function 1000E763 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 233
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,1000EBC9), ref: 1000E791
lstrcatA.KERNEL32(00000000,1002B324), ref: 1000E7A3
lstrcatA.KERNEL32(00000000,*.*), ref: 1000E7B5
FindFirstFileA.KERNEL32(00000000,?), ref: 1000E7C9
FindNextFileA.KERNEL32(000000FF,?), ref: 1000E7F3
lstrcpyA.KERNEL32(00000000,1000EBC9), ref: 1000E844
lstrcatA.KERNEL32(00000000,1002B32C), ref: 1000E856
lstrcatA.KERNEL32(00000000,?), ref: 1000E86A
_stricmp.MSVCRT(NPKI,?), ref: 1000E87C
PathIsDirectoryA.SHLWAPI(00000000), ref: 1000E8CD
#823.MFC42(00A00000), ref: 1000E906

Strings

107.163.56.240:18963/main.php, xrefs: 1000E9C8
*.*, xrefs: 1000E7A9
/image.php, xrefs: 1000EA75
11261041, xrefs: 1000E8A6
P, xrefs: 1000E975
NPKI, xrefs: 1000E877
%s\%s, xrefs: 1000E8B2

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: lstrcat$FileFindlstrcpy$#823DirectoryFirstNextPath_stricmp
String ID: %s\%s$*.*$/image.php$107.163.56.240:18963/main.php$11261041$NPKI$P
API String ID: 1962140201-2391391160
Opcode ID: 4191ad51dc7a00bd0b180e34f1b100dfef911db5cfcc4c64394e867d3a14d0f1
Instruction ID: e9bf6cd4dedaed927b0eaf67929be402f69bb455e24a285cd7e040aaa396d63b
Opcode Fuzzy Hash: 4191ad51dc7a00bd0b180e34f1b100dfef911db5cfcc4c64394e867d3a14d0f1
Instruction Fuzzy Hash: FB91B6B59002A8AFEB60CBA4CC84BDE77B9EB58341F0044E5E30DA6141DB75AF98CF51

Function 1000B74E Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10009806: strcpy.MSVCRT(00000000,?,?), ref: 10009834
Part of subcall function 10009806: strstr.MSVCRT ref: 10009894
Part of subcall function 10009806: strstr.MSVCRT ref: 100098C6
Part of subcall function 10009806: strcspn.MSVCRT ref: 100098DF
Part of subcall function 10009806: strstr.MSVCRT ref: 10009904
Part of subcall function 10009806: strcspn.MSVCRT ref: 1000991D
Part of subcall function 10009806: strncpy.MSVCRT ref: 10009935
Part of subcall function 10009806: strstr.MSVCRT ref: 1000997A
Part of subcall function 10009806: strcspn.MSVCRT ref: 10009993

Part of subcall function 10008C0D: setsockopt.WS2_32(?,0000FFFF,00000008,1000B7B1,00000004), ref: 10008C24

Part of subcall function 10008FF9: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?,?), ref: 10009030
Part of subcall function 10008FF9: ___crtGetTimeFormatEx.LIBCMTD ref: 10009071
Part of subcall function 10008FF9: strcpy.MSVCRT(1000B7C0,?), ref: 10009093
Part of subcall function 10008FF9: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
Part of subcall function 10008FF9: __aulldiv.LIBCMT ref: 100090F5
Part of subcall function 10008FF9: __aulldiv.LIBCMT ref: 10009103
Part of subcall function 10008FF9: strcpy.MSVCRT(1000B740,11261041,?,?,00000400,00000000), ref: 1000914A
Part of subcall function 10008FF9: GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,00000400,00000000), ref: 10009152

send.WS2_32(?,?,00000128,00000000), ref: 1000B7EE
closesocket.WS2_32(?), ref: 1000B800
select.WS2_32(?,00000001,00000000,00000000,0000000A), ref: 1000B870
InterlockedExchange.KERNEL32(1002D0D8,00000001), ref: 1000BA7B

Strings

zip, xrefs: 1000BA1A
SeShutdownPrivilege, xrefs: 1000B9F0
SeShutdownPrivilege, xrefs: 1000B9D0

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strstr$strcpystrcspn$__aulldiv$DefaultExchangeFormatGlobalInterlockedLanguageMemoryOpenStatusSystemTime___crtclosesocketselectsendsetsockoptstrncpy
String ID: SeShutdownPrivilege$SeShutdownPrivilege$zip
API String ID: 3707265992-1510773714
Opcode ID: 883d124a149fea0da6d1c971783e12f6cdfcf9b595bd987f96535555cf8fa210
Instruction ID: bc2b8e65d9cd970dcecdf055842deb68991a146944fc20332627f683b8953719
Opcode Fuzzy Hash: 883d124a149fea0da6d1c971783e12f6cdfcf9b595bd987f96535555cf8fa210
Instruction Fuzzy Hash: 02817DB1E41618ABFB24DF50DC85BD973B4EB15380F1082E9E60966294DBB19FC4CF52

Function 10011C72 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 140
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 10011C8E
CreateFileA.KERNEL32(1002A58C,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4
DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,10029F4C,00000018,%s\version.txt,00000000), ref: 10011CF0
GetLastError.KERNEL32(00000400,10029F64,00000000,00000000), ref: 10011D0C
FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10011D1A

Strings

%s\version.txt, xrefs: 10011CD6, 10011D75
\\.\PHYSICALDRIVE%d, xrefs: 10011C85

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ControlCreateDeviceErrorFileFormatLastMessagesprintf
String ID: %s\version.txt$\\.\PHYSICALDRIVE%d
API String ID: 1111953355-1258372184
Opcode ID: bc3325a2a15ca14b2f1bfaba61cdce2ccfa733690459bfdc7cd9b93be21af162
Instruction ID: d335abd8cf6994ab41d350178a70268ae329ca67796dcf9ba21b43bfc73fb89a
Opcode Fuzzy Hash: bc3325a2a15ca14b2f1bfaba61cdce2ccfa733690459bfdc7cd9b93be21af162
Instruction Fuzzy Hash: 7F51A6B5A00218ABEB24DB54CC41BDD7375EF85704F148294F609BB2C1DB72AA94CF45

Function 10006843 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 10006865
GetProcAddress.KERNEL32(?,GetExtendedUdpTable), ref: 1000687D
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 1000689A
malloc.MSVCRT ref: 100068CA
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 10006903

Strings

iphlpapi.dll, xrefs: 10006860
GetExtendedUdpTable, xrefs: 10006871
z, xrefs: 100068AF

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable$AddressLibraryLoadProcmalloc
String ID: GetExtendedUdpTable$iphlpapi.dll$z
API String ID: 2385667234-347336574
Opcode ID: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction ID: e72f5ed3c2909e77353821d2c1bd01ab583724ea6bb6368f571f4905b0ca2030
Opcode Fuzzy Hash: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction Fuzzy Hash: 3541E9F09002289BDB24DB50CD85BD8B7B9EB88304F20C5E9E70967295D7709EC6CF59

Function 1000960F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009674

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 10009631

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: a184dc7fe69407b34a15862516d8658f3ad9148a2d7378d433a5126b766875d9
Instruction ID: edbbad18566889c42df8cf001e4eb437ffe5273fdd268d158c28225184eb7580
Opcode Fuzzy Hash: a184dc7fe69407b34a15862516d8658f3ad9148a2d7378d433a5126b766875d9
Instruction Fuzzy Hash: F5311DF6D00208EBEB20DB94CC86BCD73B8EB44340F5185A4E70877285E775AB948B99

Function 10005EBA Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005EC6
OpenProcessToken.ADVAPI32(00000000,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005ECD
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,?,1000AFF2), ref: 10005F1F
CloseHandle.KERNEL32(?,?,?,1000AFF2), ref: 10005F29

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction ID: efa5140f03dfd4bc98f9291f5672f447fd415e0b54fcefeffd77d2d0beff28df
Opcode Fuzzy Hash: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction Fuzzy Hash: FB012D70A1020AABFB14CFE4CC85BBF77B8EB88741F208515FA05D6284D6799A42CB60

Function 10008A9A Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10008ACF
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 10008AE4
GetModuleFileNameA.KERNEL32(?,C:\Users\user\Desktop\OL50O9ho5M.dll,00000104), ref: 10008AFA
strcpy.MSVCRT(C:\Users\user\Desktop,C:\Users\user\Desktop\OL50O9ho5M.dll), ref: 10008B0A
strrchr.MSVCRT ref: 10008B19
wsprintfA.USER32 ref: 10008B39
wsprintfA.USER32 ref: 10008B51
wsprintfA.USER32 ref: 10008B69
#823.MFC42(00000084), ref: 10008B77
strcpy.MSVCRT(1002D040,?), ref: 10008BC2

Part of subcall function 10011A40: memset.MSVCRT ref: 10011A5B

Strings

C:\Users\user\Desktop\OL50O9ho5M.dll, xrefs: 10008AEF, 10008B00
C:\Windows\SysWOW64\rundll32.exe, xrefs: 10008ADD
M%s, xrefs: 10008B5F
M107.163.56.251:6658, xrefs: 10008B64
%s\version.txt, xrefs: 10008B47
%s\%s, xrefs: 10008B2F
C:\Users\user\Desktop, xrefs: 10008B05, 10008B14, 10008B2A, 10008B42
11261041, xrefs: 10008ACA
107.163.56.251:6658, xrefs: 10008B5A
C:\Users\user\Desktop\11261041, xrefs: 10008B34
11261041, xrefs: 10008AC0, 10008B25

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$FileModuleNamestrcpy$#823memsetstrrchr
String ID: %s\%s$%s\version.txt$107.163.56.251:6658$11261041$11261041$C:\Users\user\Desktop$C:\Users\user\Desktop\11261041$C:\Users\user\Desktop\OL50O9ho5M.dll$C:\Windows\SysWOW64\rundll32.exe$M%s$M107.163.56.251:6658
API String ID: 3714362057-1526643465
Opcode ID: b13076a9068e78ffa067dc1dbd687b129f0710ab852c7cd70c21f7dd3e8eebf0
Instruction ID: 79703c0d8955a89168bb019a272a90435c4122afe87ac73744c1e10340129ad2
Opcode Fuzzy Hash: b13076a9068e78ffa067dc1dbd687b129f0710ab852c7cd70c21f7dd3e8eebf0
Instruction Fuzzy Hash: E4316CB0C00619ABDB00DFD4ED45FDEBBB0EB08301FA04024FA1976296D7752A458BAA

Function 10009806 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 163
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT(00000000,?,?), ref: 10009834
strstr.MSVCRT ref: 10009894
strstr.MSVCRT ref: 100098C6
strcspn.MSVCRT ref: 100098DF
strstr.MSVCRT ref: 10009904
strcspn.MSVCRT ref: 1000991D
strncpy.MSVCRT ref: 10009935
strcpy.MSVCRT(00000000,?,?,?,?,?,?,?,?), ref: 1000994E
strcpy.MSVCRT(00000000,00000000,?,?,?,?), ref: 10009966
strstr.MSVCRT ref: 1000997A
strcspn.MSVCRT ref: 10009993
strncpy.MSVCRT ref: 100099AB
strcspn.MSVCRT ref: 100099C0
atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100099DD

Part of subcall function 1000949C: ___crtGetTimeFormatEx.LIBCMTD ref: 10009517
Part of subcall function 1000949C: memset.MSVCRT ref: 1000953C
Part of subcall function 1000949C: ___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

WSAStartup.WS2_32(00000202,?), ref: 100099F8
htons.WS2_32(00000000), ref: 10009A0C
socket.WS2_32(00000002,00000001,00000000), ref: 10009A2E
connect.WS2_32(?,00000002,00000010), ref: 10009A41
closesocket.WS2_32(?), ref: 10009A50

Strings

http://, xrefs: 10009888

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcspnstrstr$strcpy$___crtstrncpy$FormatInfoLocaleStartupTimeatoiclosesocketconnecthtonsmemsetsocket
String ID: http://
API String ID: 328426387-1121587658
Opcode ID: 95a10ac281a7790da465a19b795ef191dcc1d882c7580565bb57f079f1fd2488
Instruction ID: 328f30d5f0abd543537b81f1a207a30335c7fdbd19ea60133f8a33c6dacf31c1
Opcode Fuzzy Hash: 95a10ac281a7790da465a19b795ef191dcc1d882c7580565bb57f079f1fd2488
Instruction Fuzzy Hash: 4151CF71900218BFEF14DBA4DC89BDA77BCEF45304F1041A8F649A6144EB319B99CFA2

Function 10010164 Relevance: 22.6, APIs: 15, Instructions: 102
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000), ref: 10010190
CreateThread.KERNEL32(00000000,00000000,Function_0000EAE6,00000000,00000000,00000000), ref: 100101A5
Sleep.KERNEL32(00000BB8), ref: 100101B0
CreateThread.KERNEL32(00000000,00000000,Function_0000CB08,00000000,00000000,00000000), ref: 10010201
CreateThread.KERNEL32(00000000,00000000,Function_0000EF29,00000000,00000000,00000000), ref: 10010216
Sleep.KERNEL32(00000BB8), ref: 10010221
CreateThread.KERNEL32(00000000,00000000,Function_00007225,00000000,00000000,00000000), ref: 10010236
CreateThread.KERNEL32(00000000,00000000,1000C753,00000000,00000000,00000000), ref: 1001024B
Sleep.KERNEL32(000927C0), ref: 10010256
Sleep.KERNEL32(000927C0), ref: 1001026A
CreateThread.KERNEL32(00000000,00000000,Function_0000BA90,00000000,00000000,00000000), ref: 1001027F
Sleep.KERNEL32(0000EA60), ref: 1001028A
CreateThread.KERNEL32(00000000,00000000,Function_0000F9DF,00000000,00000000,00000000), ref: 1001029F
Sleep.KERNEL32(000000FF), ref: 100102A7
Sleep.KERNEL32(0036EE80), ref: 100102BB

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: fe99d369819e568409d064f6ff88eb2f40b499f22871b393e10eb6060bba2f2f
Instruction ID: 8c32bb4ff49dd5cd40ec0ac765642d3fca02da6b0bea5159af36dfb571acdfba
Opcode Fuzzy Hash: fe99d369819e568409d064f6ff88eb2f40b499f22871b393e10eb6060bba2f2f
Instruction Fuzzy Hash: 90314B31785354BBF760DBE08C4BF887A61AB19B42F304095F349BD1D0DAF065A28B5A

Function 10011E80 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 10011E9A
memset.MSVCRT ref: 10011EB0
Netbios.NETAPI32(00000037), ref: 10011EDB
Netbios.NETAPI32(00000032), ref: 10011F55

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 1001205E
3, xrefs: 10011FA7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Netbiosmemset
String ID: %02X%02X%02X%02X%02X%02X$3
API String ID: 1915571530-847158874
Opcode ID: 108348c13d9d56da72a618bb474b3ce985a40137d112315f03961f0e628dd3c7
Instruction ID: 58f833b965dad1d6222c3d716a95af2f44d1da27d89d8ba7fed4a0a55445d775
Opcode Fuzzy Hash: 108348c13d9d56da72a618bb474b3ce985a40137d112315f03961f0e628dd3c7
Instruction Fuzzy Hash: 1A518F7592065A8BDB36CB14CC42BE9B3B8EF94300F0441F8A44CAA242EBB49BD4DF45

Function 1000FEA3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 100
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710), ref: 1000FEB2
#823.MFC42(00300000), ref: 1000FEDE
memset.MSVCRT ref: 1000FEFF
Sleep.KERNEL32(001B7740), ref: 1000FF29
GetTickCount.KERNEL32 ref: 1000FF54
wsprintfA.USER32 ref: 1000FF67
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000FFDD

Strings

c:\%d.log, xrefs: 1000FF5B
D, xrefs: 1000FFA0
aHR0cDovLzEwNy4xNjMuNDMuMTQzOjEyMzg4L25ld191LnBocA==, xrefs: 1000FEC3

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$#823CountCreateProcessTickmemsetwsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNDMuMTQzOjEyMzg4L25ld191LnBocA==$c:\%d.log
API String ID: 3077700110-319736537
Opcode ID: b995e69031f28fe382f47ebb6767d7ae28bd6aa8a033643b8c57a196a9f78c88
Instruction ID: 9a8368c33331de2fed5c815be190a99cb1b8f45d0554d9835d597f32963aff0c
Opcode Fuzzy Hash: b995e69031f28fe382f47ebb6767d7ae28bd6aa8a033643b8c57a196a9f78c88
Instruction Fuzzy Hash: 383130B6D00218ABEF14CB94DC45BEFB7B4EF49300F1045A9F609A7240DB756A94CF91

Function 1000C43A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 1000C463
#823.MFC42(00000084), ref: 1000C47A
strcpy.MSVCRT(1002D040,?), ref: 1000C4E3

Strings

http://107.163.56.241:18530/, xrefs: 1000C45E, 1000C5A6
http://, xrefs: 1000C459
%s/joy.asp?sid=%s, xrefs: 1000C5AB
%s|NULL|%s|%s, xrefs: 1000C582
11261041, xrefs: 1000C571

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823strcpystrstr
String ID: %s/joy.asp?sid=%s$%s|NULL|%s|%s$11261041$http://$http://107.163.56.241:18530/
API String ID: 2643025201-2501020009
Opcode ID: 6d633ec38c9d8e9940949365cafe772b4d8998551047c0030cb9dac499e2a3eb
Instruction ID: 28f2dd462ae80b524e96791580a868932ef5f839d1323318a2b18e46c4e59e9a
Opcode Fuzzy Hash: 6d633ec38c9d8e9940949365cafe772b4d8998551047c0030cb9dac499e2a3eb
Instruction Fuzzy Hash: D84169F5D00218AFEB20CF14DC81B9AB7B4EB85304F4045F9E70D67281EB756A888F59

Function 1000BDDD Relevance: 9.0, APIs: 6, Instructions: 49
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000BDF8

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(?,?,?,?,1000BE18,00000000,00000000,?), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BE26), ref: 1000535E

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BE47
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BE56
CloseHandle.KERNEL32(?), ref: 1000BE60
Sleep.KERNEL32(00002710), ref: 1000BE6B
CloseHandle.KERNEL32(?), ref: 1000BE7A

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
String ID:
API String ID: 3243752880-0
Opcode ID: 11d032d4de043726ec9fee55e07478fe2fb670f4dff3a0b86847c6df272ec8ec
Instruction ID: e824f486e2537cd13a86d57df264f215c657a490cf5d40ca5208cd8ad212e3ab
Opcode Fuzzy Hash: 11d032d4de043726ec9fee55e07478fe2fb670f4dff3a0b86847c6df272ec8ec
Instruction Fuzzy Hash: 0411AD74A44208FBFB14DFE0CC9AFEDB774EB44711F204594FB0A9A2D0CA705A918B95

Function 1002132A Relevance: 3.8, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10021358
_initterm.MSVCRT ref: 10021383
free.MSVCRT ref: 100213C0

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _inittermfreemalloc
String ID:
API String ID: 1678931842-0
Opcode ID: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction ID: a13e4d924212a13dcf2931888b3098d0df1cffd824a8125765e678fcc9b3a535
Opcode Fuzzy Hash: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction Fuzzy Hash: 4D114C366646B1EBF314DF61EC84AC937E6FB64359BB14019E804D65A0F731AD828B50

Function 10009751 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 100097B3

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10009773

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 483802873-1918919809
Opcode ID: 84c0669cc550e40399104d74fa1ba861a064ce3833b04884339a7ccfa833fd4b
Instruction ID: aa3042b00974eb3661dab9a980acd1570a60d3873d689b260169291dcc9804a7
Opcode Fuzzy Hash: 84c0669cc550e40399104d74fa1ba861a064ce3833b04884339a7ccfa833fd4b
Instruction Fuzzy Hash: 271121F9D00208EBEB20DB50CC46B8D73B4DB44380F2181A5F6087B285EA75BA948B99

Function 1003B01B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI ref: 1003B01B

Strings

Y, xrefs: 1003B01B

Memory Dump Source

Source File: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryPath
String ID: Y
API String ID: 1580926078-4136946213
Opcode ID: 39f3b350f36c30af0f16d9a9296c36101839a6fe7084b69f7ce6f7ba82d34d9f
Instruction ID: 9a724d352cd8e2d47108c6f17d29a5e7c1786ffd479bf121b4e0f90277632734
Opcode Fuzzy Hash: 39f3b350f36c30af0f16d9a9296c36101839a6fe7084b69f7ce6f7ba82d34d9f
Instruction Fuzzy Hash: DBD092B001D240FAC627AF588841A9EBAE6FB64311F514D0CB5D827A12E379A6A08653

Function 100024A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E910000,00000000), ref: 100024BE

Strings

TmV0TG9jYWxHcm91cEVudW0=, xrefs: 100024AA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEVudW0=
API String ID: 190572456-980335172
Opcode ID: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction ID: 94a68914744b6255420893e6e3bedd0a82bd00ad7f141df6458ff9631ea00634
Opcode Fuzzy Hash: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction Fuzzy Hash: 1EC080F540061C6FF200D7D8ACC5E41379CD3482997100011F60DC2211D53160414652

Function 100024D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E910000,00000000), ref: 100024EC

Strings

TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=, xrefs: 100024D8

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
API String ID: 190572456-3430808999
Opcode ID: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction ID: 0e6cf0e7949062256b1582b677e2dc4b335822ba4defa2ba0336d22a514f21fc
Opcode Fuzzy Hash: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction Fuzzy Hash: 38C080F5C0061C6FF300D7D4ACC9D4137DCD3081997100011F70DC2211D73160414652

Function 1000255F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E910000,00000000), ref: 10002576

Strings

TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 10002562

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0QXBpQnVmZmVyRnJlZQ==
API String ID: 190572456-3244026974
Opcode ID: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction ID: ff91b108fad4cc851aac3f9e389e9e2a63f3c8257eb8f5e683f791925ec63412
Opcode Fuzzy Hash: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction Fuzzy Hash: 21C08CF680161CAFF200DBE4ACCAE823BACD3082A97110022F60EC3212E631B041C662

Function 1000172D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76210000,00000000), ref: 10001744

Strings

U2V0RXJyb3JNb2Rl, xrefs: 10001730

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: U2V0RXJyb3JNb2Rl
API String ID: 190572456-495186574
Opcode ID: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction ID: b616446aa3eae8f0e246bd7a0e97171c4ab2d65e5c8aa983a289ca1212d1c33e
Opcode Fuzzy Hash: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction Fuzzy Hash: A6C08CF980021CABF300DBE4ACC6E46379CF30C19D7A00423F60AC2612EB31B40287A3

Function 10001983 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76210000,00000000), ref: 1000199A

Strings

R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB, xrefs: 10001986

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB
API String ID: 190572456-1897290307
Opcode ID: f13060bd758519102efb2ee6bd8b55775e9b77fb1577f636fed6153ae94dd5c7
Instruction ID: fb1c51fba3b08c3bb50bcaa14d55977d6c8f312ab35591fba092562ecd00360f
Opcode Fuzzy Hash: f13060bd758519102efb2ee6bd8b55775e9b77fb1577f636fed6153ae94dd5c7
Instruction Fuzzy Hash: F5C080F540055C6FF300D7D5ACC6E51379CE30C15D7144013F609C3611D52164414F53

Function 10002A67 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76210000,00000000), ref: 10002A7E

Strings

R2V0TW9kdWxlRmlsZU5hbWVB, xrefs: 10002A6A

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: R2V0TW9kdWxlRmlsZU5hbWVB
API String ID: 190572456-4201997209
Opcode ID: fb6f0e9a882d6ca9a96b3784ef2cb82e9dc351ec88510af669670d2a4bfc50e1
Instruction ID: bf6715a7db858389c4ee07c3b926fc3fe4f22cdfae096ba087ae0b1e8dfb1ead
Opcode Fuzzy Hash: fb6f0e9a882d6ca9a96b3784ef2cb82e9dc351ec88510af669670d2a4bfc50e1
Instruction Fuzzy Hash: FBC08CF6C0021CABF700DBE8AC86E5237DCF3081DD7540063FA0AC2312EA21A94186A2

Function 10003B1D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76300000,00000000), ref: 10003B34

Strings

R2V0TW9kdWxlQmFzZU5hbWVB, xrefs: 10003B20

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: R2V0TW9kdWxlQmFzZU5hbWVB
API String ID: 190572456-2033685547
Opcode ID: 64546e1618cc9f4b232523d9278c91555084e9ae326c0c227f87b3e761629707
Instruction ID: b6aa33134084703042048506265707271eb1c827b383da7e015325466daffe28
Opcode Fuzzy Hash: 64546e1618cc9f4b232523d9278c91555084e9ae326c0c227f87b3e761629707
Instruction Fuzzy Hash: 4DC040F540415C7FF600D7D9AC85E8537DCD7481D57514411F609C2615D761645187D2

Function 1000EAE6 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0036EE80), ref: 1000EBD3

Strings

C:\Program Files, xrefs: 1000EAF9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: e90ec2bdc53d4f13813acb21c5be440ba0058f927878675fdd6bd82281d25e50
Instruction ID: b22460824f2e923f7540f96528f166d74f13a87eddc3d0ed46cb0f5c21ea5a5e
Opcode Fuzzy Hash: e90ec2bdc53d4f13813acb21c5be440ba0058f927878675fdd6bd82281d25e50
Instruction Fuzzy Hash: 45314DB4D04298DBEB10CFA4C9816DEBBB0FB08344F244459D806B7346D776AE46DB55

Function 100086C0 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 100086CA
inet_addr.WS2_32(?), ref: 100086D7

Part of subcall function 10004733: gethostbyname.WS2_32(100086EF), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: inet_addr$gethostbyname
String ID:
API String ID: 2998999989-0
Opcode ID: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction ID: 7e645cfb302764e8d8533147197651d5e6009befd3d72f555b77b30a82d9c00f
Opcode Fuzzy Hash: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction Fuzzy Hash: 93F0D0B9A14208EFDB10DFA4C48898DBBB4FB48251F208595ED4997309D735EB51DF50

Function 10005A8D Relevance: 1.5, APIs: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10005AB4

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction ID: 4cfd926ed5ee4b74160d84ed1ccf0fcb76e3c9c35cbabeff5299be230ac46b6e
Opcode Fuzzy Hash: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction Fuzzy Hash: 5CE0FEB6214109AB8B44CF8DD890DEB77EDAB8C654B158248BA1DD3254D634E8518BA4

Function 10005B51 Relevance: 1.5, APIs: 1, Instructions: 15registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 10005B68

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction ID: 003bc1bca6d8c776606440d32dd4298a63b416cb58658e6586ac9de98fafa826
Opcode Fuzzy Hash: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction Fuzzy Hash: 20D092B221420DAB8B04CF88D880CDB37EDAB8C610B008108FA0DC3200C630E9518BA0

Function 10004D54 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction ID: 01f520d78d0293c333997eaa499525b6bf33e0a14dea869d1b4eebbdcbea7866
Opcode Fuzzy Hash: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction Fuzzy Hash: E4D092B221020DAB8B04CF88D884C9B77ADAB8C600B008108BA0DC3210C630E951CBA0

Function 10005784 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10005793

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction ID: ceb44158fe26a4df53ddd6796a7450bcc70568043160c05e16c1b80753528501
Opcode Fuzzy Hash: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction Fuzzy Hash: 64C04C7A11420CABCB04DFD8DC84CAB77EDAB8C610B14C508FA1D87200DA31F9118BA4

Function 10004CAD Relevance: 1.5, APIs: 1, Instructions: 11synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,?,1000BE18,00000000,00000000,?), ref: 10004CBC

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction ID: 7a9713bbb07ef6c8d943612d259fbcec43348370ec0d3c79817316860ce7ebf9
Opcode Fuzzy Hash: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction Fuzzy Hash: ABC04C7611424CABCB04DFD8DC84CAB37ADFB8C610B148548FA1D87200C730F9119BA4

Function 100015AD Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(04841050,?,100015AB), ref: 100015B6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction ID: aa9e6f373e50f86635e89be718cfcb74191758a12ce1f5a61408757a6cf1a103
Opcode Fuzzy Hash: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction Fuzzy Hash: C4B0927240432C9FE600DBE89CC9C1237ACB3086093A00452E90AC3A21D730A402CA96

Function 100015ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0301D0B0,?,100015EB), ref: 100015F6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction ID: 29f41251ce689b307b62650387fb13a5c84ed48d826cf923518eb1e266bdb45f
Opcode Fuzzy Hash: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction Fuzzy Hash: EAB0927240432D9BE700DBE89CCAC0137ACA7086087604412E909C3A21D630A4428B52

Function 1000164D Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0301A098,?,1000164B), ref: 10001656

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction ID: ba1e3f7c76a82d39c198cdf2c2322580641102d8f53e3edecd95e5ced58cbd87
Opcode Fuzzy Hash: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction Fuzzy Hash: B8B0927244432C9BE600DBE99CC8C0137ACE608A083604412E90A83A21D630A4428F92

Function 100016ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(03015070,?,100016EB), ref: 100016F6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction ID: ceafc5a161691708641d67a93fab1652c5b609e1f825db1f72d2572ab5d16a00
Opcode Fuzzy Hash: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction Fuzzy Hash: DDB0927240432C9BF600DBE89CC8D1677ACB6086083604822E909D3A21D630A4428B92

Function 10004733 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(100086EF), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction ID: ed7e62d2018f1f5fe489a5e2af283e66eb16d0056b782be615d6e68807e7cafe
Opcode Fuzzy Hash: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction Fuzzy Hash: 1EB0123140030C97CA005BE8D84CC95779CD6085047000400F50C83500C631F4004A90

Function 10005812 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(1000EBB8,?,1000EBB8,1002B358), ref: 10005819

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction ID: 70a1fadde607be084ccef56658dda61e356474f6f706b475b9c53b19a0d7fe5b
Opcode Fuzzy Hash: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction Fuzzy Hash: 0FB0123100030C97CA005BD8D848C8577DC970C6407408000F60C83101CA70F4004AD0

Function 10005ABC Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(10009085,?,10009085,?), ref: 10005AC3

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction ID: d309ecb02fbcf521f446e64dffd2c407881538d3ff2428412e6fd22df4654e57
Opcode Fuzzy Hash: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction Fuzzy Hash: A5B0123200430C97CA005BD8D848CC5379CD60C5007000051F50CC3100C730F4004A90

Function 10011A40 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10011A5B

Part of subcall function 10011C72: sprintf.MSVCRT ref: 10011C8E
Part of subcall function 10011C72: CreateFileA.KERNEL32(1002A58C,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4

Part of subcall function 10011E80: memset.MSVCRT ref: 10011E9A
Part of subcall function 10011E80: memset.MSVCRT ref: 10011EB0
Part of subcall function 10011E80: Netbios.NETAPI32(00000037), ref: 10011EDB

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CreateFileNetbiossprintf
String ID:
API String ID: 2265170204-0
Opcode ID: c2146fda8afad930eb0fbb96289ca3ab1943110991f6b43724a83040010b82d0
Instruction ID: dceb83b943926abd5faf33fd0d5094280e9a27f0c6a434b0c500408138b30427
Opcode Fuzzy Hash: c2146fda8afad930eb0fbb96289ca3ab1943110991f6b43724a83040010b82d0
Instruction Fuzzy Hash: 99E09A74A04208FBCB08DBD4ED52B9EB7B8DF00340F1000A9F9056B381DAB2EF009AD4

Non-executed Functions

Function 10007225 Relevance: 96.6, APIs: 46, Strings: 9, Instructions: 387networksleepCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000729A
socket.WS2_32(00000002,00000002,00000000), ref: 100072A6
socket.WS2_32(00000002,00000002,00000000), ref: 100072B8
htons.WS2_32(00000035), ref: 100072CF
inet_addr.WS2_32(127.0.0.1), ref: 100072E1
htons.WS2_32(00000035), ref: 100072F8
inet_addr.WS2_32(?), ref: 1000730C
bind.WS2_32(?,00000002,00000010), ref: 10007328
ioctlsocket.WS2_32(?,8004667E,00000001), ref: 1000734B
select.WS2_32(00000000,00000000,00000000,00000000,000003E8), ref: 1000741B
WSAGetLastError.WS2_32 ref: 10007430
Sleep.KERNEL32(000003E8), ref: 10007441
memset.MSVCRT ref: 10007464
recvfrom.WS2_32(?,00000000,00000200,00000000,?,00000010), ref: 1000748F
memset.MSVCRT ref: 100074C2

Part of subcall function 1000713B: memset.MSVCRT ref: 10007157
Part of subcall function 1000713B: memcpy.MSVCRT(?,?,?), ref: 10007171
Part of subcall function 1000713B: strlen.MSVCRT ref: 1000717D

wsprintfA.USER32 ref: 10007513
StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,00000000), ref: 10007528
StrStrIA.SHLWAPI(00000000,alyac), ref: 10007553
StrStrIA.SHLWAPI(00000000,ahnlab), ref: 10007569
StrStrIA.SHLWAPI(00000000,v3lite), ref: 1000757F
malloc.MSVCRT ref: 10007595
memcpy.MSVCRT(?,00000000,00000002), ref: 100075B4
memcpy.MSVCRT(00000000,00000000,00000000), ref: 100075D1
htons.WS2_32(00008180), ref: 100075DE
htons.WS2_32(00008182), ref: 10007602
memcpy.MSVCRT(?,?,00000002), ref: 1000761F
htons.WS2_32(00000001), ref: 10007629
memcpy.MSVCRT(?,?,00000002), ref: 10007646
htons.WS2_32(0000C00C), ref: 10007685
memcpy.MSVCRT(00000000,?,00000002), ref: 100076A2
htons.WS2_32(00000001), ref: 100076BB
memcpy.MSVCRT(00000000,?,00000002), ref: 100076DF
htons.WS2_32(00000001), ref: 100076F8
memcpy.MSVCRT(00000000,?,00000002), ref: 1000771C
htonl.WS2_32(0000007B), ref: 10007735
memcpy.MSVCRT(00000000,?,00000004), ref: 10007758
htons.WS2_32(00000004), ref: 10007771
memcpy.MSVCRT(00000000,?,00000002), ref: 10007795
inet_addr.WS2_32(1002D030), ref: 100077C4
inet_addr.WS2_32(127.0.0.1), ref: 100077D7
memcpy.MSVCRT(00000000,00000000,00000004), ref: 100077FA
memcpy.MSVCRT(00000000,00000000,00000000), ref: 1000783F
sendto.WS2_32(?,00000000,00000000,00000000,?,00000010), ref: 10007867
closesocket.WS2_32(?), ref: 10007898
closesocket.WS2_32(?), ref: 100078A5
WSACleanup.WS2_32 ref: 100078AB

Strings

8.8.8.8, xrefs: 10007261
v3lite, xrefs: 10007573
@, xrefs: 100073BE
127.0.0.1, xrefs: 100072DC
127.0.0.1, xrefs: 100077D2
alyac, xrefs: 10007547
%s|, xrefs: 10007507
ahnlab, xrefs: 1000755D
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007523

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$htons$inet_addr$memset$closesocketsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtostrlenwsprintf
String ID: %s|$127.0.0.1$127.0.0.1$8.8.8.8$@$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 3038323916-584143555
Opcode ID: 845f32fe3648e56a57e23b03ede1d36942d354f1ff75db94071abf654bfa1e24
Instruction ID: 3390842cec86af49ff68c52d0698ecfc573ce0de94bd3180ff3bf18654662f0a
Opcode Fuzzy Hash: 845f32fe3648e56a57e23b03ede1d36942d354f1ff75db94071abf654bfa1e24
Instruction Fuzzy Hash: B1025E75D04229ABEB64CB54CC89BE9B7B4FF48300F0045E9E60DA6295D7786B84CF91

Function 1000D7E3 Relevance: 94.9, APIs: 40, Strings: 14, Instructions: 414stringsleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005ECD

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D856
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D86A
strrchr.MSVCRT ref: 1000D879
strcat.MSVCRT(00000000,\ReadMe.txt), ref: 1000D891
strrchr.MSVCRT ref: 1000D8A2

Part of subcall function 10005EBA: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
Part of subcall function 10005EBA: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,?,1000AFF2), ref: 10005F1F
Part of subcall function 10005EBA: CloseHandle.KERNEL32(?,?,?,1000AFF2), ref: 10005F29

CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658), ref: 1000D8E2
GetLastError.KERNEL32 ref: 1000D8EE
ReleaseMutex.KERNEL32(?), ref: 1000D916
CloseHandle.KERNEL32(?), ref: 1000D923
ReleaseMutex.KERNEL32(?), ref: 1000D952
CloseHandle.KERNEL32(?), ref: 1000D95F
GetTickCount.KERNEL32 ref: 1000DA2C
srand.MSVCRT ref: 1000DA33
rand.MSVCRT ref: 1000DA3C
rand.MSVCRT ref: 1000DAAA
Sleep.KERNEL32(00000064), ref: 1000DAE5
SetFileAttributesA.KERNEL32(c:\,00000002), ref: 1000DAF4
wsprintfA.USER32 ref: 1000DB0D
strcpy.MSVCRT(00000000,c:\), ref: 1000DB24

Part of subcall function 1000D747: GetTickCount.KERNEL32 ref: 1000D75F
Part of subcall function 1000D747: srand.MSVCRT ref: 1000D766
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D76F
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D7BA

strcat.MSVCRT(00000000,1002B1A4), ref: 1000DB71
strcat.MSVCRT(00000000,00000000), ref: 1000DB87

Part of subcall function 10004DC0: CreateDirectoryA.KERNEL32(?,?), ref: 10004DCB

Sleep.KERNEL32(00000064), ref: 1000DBA2
memset.MSVCRT ref: 1000DBB3
strcat.MSVCRT(00000000,1002B1A8), ref: 1000DBD8
strcat.MSVCRT(00000000,00000000), ref: 1000DBEE
strcat.MSVCRT(00000000,.txt), ref: 1000DC02
MoveFileA.KERNEL32(00000000,00000000), ref: 1000DC18
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000DC41

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008F7B,?,10008F7B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

___crtGetLocaleInfoEx.LIBCMTD ref: 1000DC5C

Part of subcall function 1000556F: SetFilePointer.KERNEL32(?,?,?,?), ref: 10005582

Part of subcall function 10005434: CloseHandle.KERNEL32(10008FBA,?,10008FBA,000000FF), ref: 1000543B

Part of subcall function 10005558: GetModuleFileNameA.KERNEL32(?,?,?), ref: 10005567

rand.MSVCRT ref: 1000DC89
rand.MSVCRT ref: 1000DC9B
rand.MSVCRT ref: 1000DCAD
rand.MSVCRT ref: 1000DCBF
rand.MSVCRT ref: 1000DCD1
rand.MSVCRT ref: 1000DCE3
rand.MSVCRT ref: 1000DCF5
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000DD32

Part of subcall function 10005BF2: CopyFileA.KERNEL32(?,?,?), ref: 10005C01

Sleep.KERNEL32(00001388), ref: 1000DD55
memset.MSVCRT ref: 1000DD66

Part of subcall function 10005650: CreateProcessA.KERNEL32(?,00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,d,?,10009490,00000000,00000000,00000000,00000000), ref: 1000567B

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008F48,?,10008F48,00000000,?,?,?), ref: 1000530B

___crtGetTimeFormatEx.LIBCMTD ref: 1000DDD2

Part of subcall function 10004FB3: ShellExecuteA.SHELL32(?,?,?,?,?,?), ref: 10004FCE

Strings

%s\ReadMe.txt, xrefs: 1000DB01
c:\, xrefs: 1000DAD4, 1000DADA
.txt, xrefs: 1000DBF6
SeDebugPrivilege, xrefs: 1000D7F0
c:\wiseman.exe, xrefs: 1000DDC9
SeDebugPrivilege, xrefs: 1000D8CC
3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000DA1E
c:\windows\system32, xrefs: 1000DDC2
\ReadMe.txt, xrefs: 1000D885
%s\%c%c%c%c%c%c%c.exe, xrefs: 1000DD0E
M107.163.56.251:6658, xrefs: 1000D8D9
123, xrefs: 1000D995
c:\wiseman.exe, xrefs: 1000DDAF
launch, xrefs: 1000DD9B

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$File$strcat$Create$CloseHandle$ModuleMutexNameProcessSleep$CountMoveReleaseTickTimerToken___crtmemsetsrandstrrchr$AdjustAttributesConcurrency::details::platform::__CopyCurrentDirectoryErrorExecuteExistsFormatInfoLastLocaleLookupOpenPathPointerPrivilegePrivilegesQueueShellTimeValuestrcpywsprintf
String ID: %s\%c%c%c%c%c%c%c.exe$%s\ReadMe.txt$.txt$123$3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6$M107.163.56.251:6658$SeDebugPrivilege$SeDebugPrivilege$\ReadMe.txt$c:\$c:\windows\system32$c:\wiseman.exe$c:\wiseman.exe$launch
API String ID: 3236665404-1954381778
Opcode ID: f1886616c03443e8beaf1e0c5cb58e2eecd7b0f639ff4d1ddc1becfe50886d7e
Instruction ID: 776bac33ddc94f5274d59a1b91e45a553feb19f8752dccd960f44c07e6df57de
Opcode Fuzzy Hash: f1886616c03443e8beaf1e0c5cb58e2eecd7b0f639ff4d1ddc1becfe50886d7e
Instruction Fuzzy Hash: 1EF1F5B1D00218ABFB20DB60CC96FDA7735EB54301F4045E9F709A6181EBB66B94CF61

Function 1000ABAC Relevance: 65.0, APIs: 30, Strings: 7, Instructions: 244stringserviceCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,%SystemRoot%\System32\svchost.exe -k ,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000AC15
strcat.MSVCRT(00000000,00000000,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000AC28
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000AC57
CreateServiceA.ADVAPI32(00000000,00000000,00000000,000F01FF,00000010,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000AC9E
GetLastError.KERNEL32(?,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000ACB3
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF,?,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000ACD0

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 1000AE3B
ServiceDll, xrefs: 1000ADD8
3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6, xrefs: 1000ABCC
%SystemRoot%\System32\svchost.exe -k , xrefs: 1000AC09
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 1000AD6E
Description, xrefs: 1000AD42
SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000AD01

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: OpenService$CreateErrorLastManagerstrcatstrcpy
String ID: %SystemRoot%\System32\svchost.exe -k $3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6$Description$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
API String ID: 3669142371-1721553897
Opcode ID: 1f8fcce5805202369ecbc2d6ebb9948cb5bbdc204da0ab7f656c455dcbaa8e21
Instruction ID: fc4fc097f2df58436204c54070e46900803d4f9edc1039ca72ef93cdf2176969
Opcode Fuzzy Hash: 1f8fcce5805202369ecbc2d6ebb9948cb5bbdc204da0ab7f656c455dcbaa8e21
Instruction Fuzzy Hash: 51A11EB5900218BBEB25DF90DC89FEE7778EB48740F504598F609A6281D774AA85CFA0

Function 10009FAB Relevance: 61.6, APIs: 32, Strings: 3, Instructions: 335timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000A00F
wsprintfA.USER32 ref: 1000A027
#823.MFC42(0007D000), ref: 1000A035
memset.MSVCRT ref: 1000A063

Part of subcall function 10004D54: InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 1000A0C6

Strings

http://blog.sina.com.cn/u/%s, xrefs: 1000A01B
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000A07D
title, xrefs: 1000A2BA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823FormatInternetOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$http://blog.sina.com.cn/u/%s$title
API String ID: 242236092-1204782975
Opcode ID: 91ae6ed975326bce20e69091e91205a4e0e06f7d3d57761dea2b19759f80d415
Instruction ID: e515f712fb1f60d133b8907fa9568e81727eaea72b4f5efa335cc261a660f667
Opcode Fuzzy Hash: 91ae6ed975326bce20e69091e91205a4e0e06f7d3d57761dea2b19759f80d415
Instruction Fuzzy Hash: F4E117B4D00268EFEB24CB58CC85BDEB7B0EB59300F1042D9EA09A7280DB756E85CF51

Function 10009A63 Relevance: 59.8, APIs: 31, Strings: 3, Instructions: 328timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10009AC7
wsprintfA.USER32 ref: 10009ADF
#823.MFC42(0007D000), ref: 10009AED
memset.MSVCRT ref: 10009B1B

Part of subcall function 10004D54: InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009B7E
GetLastError.KERNEL32 ref: 10009BA1

Strings

http://%s.qzone.qq.com/main, xrefs: 10009AD3
title, xrefs: 10009D7E
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)), xrefs: 10009B35

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823ErrorFormatInternetLastOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))$http://%s.qzone.qq.com/main$title
API String ID: 1752605775-1009673476
Opcode ID: db3ccfa44a45a5c36b95186d44c783c58b771b53365b9c04a79446a38c633307
Instruction ID: 75add62b751d2a89d33563ab18894b4b61e0b6b77b5213ad1a6e48b09e06675d
Opcode Fuzzy Hash: db3ccfa44a45a5c36b95186d44c783c58b771b53365b9c04a79446a38c633307
Instruction Fuzzy Hash: 6DE106B4D04268EFEB24CB64CC85BEEB7B4EB59300F1041D9E609A7280DB716E85CF91

Function 10006322 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 299memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100060BF: CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE

Part of subcall function 10005F3C: GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
Part of subcall function 10005F3C: HeapAlloc.KERNEL32(00000000), ref: 10005F56

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 100063BB

Strings

Close Files Handle....Success, xrefs: 1000672F
c:\am.log, xrefs: 10006748
Not found File: %s , xrefs: 10006796
c:\am.log, xrefs: 10006734
Not found File %s , xrefs: 100063C5
Handle: %d .... FileName: %s, xrefs: 100065A3
Process:%d Handle: %d ..%s.. FileName: %s, xrefs: 100066A1
c:\am.log, xrefs: 100066A6
Close Files Handle....Failure, xrefs: 10006743

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocCreateFileFree
String ID: Close Files Handle....Failure$Close Files Handle....Success$Handle: %d .... FileName: %s$Not found File %s $Not found File: %s $Process:%d Handle: %d ..%s.. FileName: %s$c:\am.log$c:\am.log$c:\am.log
API String ID: 372207633-2461064422
Opcode ID: 85811579fcd60c394609650b61b099ebd55fa6beacadd814ecc77056f13936d6
Instruction ID: 645c5e70bbac33feba3ad968f02ee579f9001a7514e99284e2577437101ece5e
Opcode Fuzzy Hash: 85811579fcd60c394609650b61b099ebd55fa6beacadd814ecc77056f13936d6
Instruction Fuzzy Hash: 63C141B4900228AFEB24CB54CC86FD9B3B5EB58344F2085D8F609A7245DB75AED5CF90

Function 1000949C Relevance: 52.6, APIs: 3, Strings: 27, Instructions: 95timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(100098B1,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009517

Part of subcall function 10004D73: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10004D8E

memset.MSVCRT ref: 1000953C
___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

Part of subcall function 10004D96: InternetReadFile.WININET(00001000,?,?,10009563), ref: 10004DA9

Part of subcall function 10004DB1: InternetCloseHandle.WININET(?), ref: 10004DB8

Strings

n, xrefs: 100095BC
i, xrefs: 100095DC
y, xrefs: 100095F0
e, xrefs: 100095F4
d, xrefs: 100095F8
, xrefs: 100095C8
t, xrefs: 100095C4
e, xrefs: 100095A4
, xrefs: 100095D4
b, xrefs: 100095CC
c, xrefs: 100095AC
l, xrefs: 100095E8
a, xrefs: 100095EC
n, xrefs: 100095B4
g, xrefs: 100095A0
, xrefs: 100095A8
!, xrefs: 100095FC
a, xrefs: 100095B0
s, xrefs: 100095E0
o, xrefs: 100095C0
e, xrefs: 100095D0
, xrefs: 100095B8
a, xrefs: 1000959C
d, xrefs: 100095D8
http, xrefs: 100094E1
p, xrefs: 100095E4
P, xrefs: 10009598

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$Open___crt$CloseFileFormatHandleInfoLocaleReadTimememset
String ID: $ $ $ $!$P$a$a$a$b$c$d$d$e$e$e$g$http$i$l$n$n$o$p$s$t$y
API String ID: 484075888-3281237192
Opcode ID: b93404e3348d2fcefa36f14984084087eace93262eda740c47d162beb0c842e4
Instruction ID: 2007758cba872cfcd8f6e98331750ef100b8103267b94e19ec89753a2b5b510a
Opcode Fuzzy Hash: b93404e3348d2fcefa36f14984084087eace93262eda740c47d162beb0c842e4
Instruction Fuzzy Hash: 10413174D043C8EAFB11C6A8CC097DEBEB55B15744F0440D9D5882A282D7FA5798CBB6

Function 1000F200 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 277sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 1000F281
GetTickCount.KERNEL32 ref: 1000F2A2
GetTickCount.KERNEL32 ref: 1000F2B5
GetTickCount.KERNEL32 ref: 1000F2C8
GetTickCount.KERNEL32 ref: 1000F2DB
GetTickCount.KERNEL32 ref: 1000F2EE
GetTickCount.KERNEL32 ref: 1000F301
GetTickCount.KERNEL32 ref: 1000F314
Sleep.KERNEL32(000003E8), ref: 1000F345
GetTickCount.KERNEL32 ref: 1000F373
GetTickCount.KERNEL32 ref: 1000F386
GetTickCount.KERNEL32 ref: 1000F399
GetTickCount.KERNEL32 ref: 1000F3AC
GetTickCount.KERNEL32 ref: 1000F3BF
DeleteFileA.KERNEL32(?), ref: 1000F44E
DeleteFileA.KERNEL32(?), ref: 1000F4C1
Sleep.KERNEL32(000493E0), ref: 1000F5B8

Strings

%c%c%c%c%c, xrefs: 1000F3D7
QVNEU3ZjLmV4ZQ==, xrefs: 1000F230
InstallPath, xrefs: 1000F524
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F529
C:\Users\user\Desktop, xrefs: 1000F327, 1000F3D2
%s\%c%c%c%c.%c%c%c, xrefs: 1000F32C
RootDir, xrefs: 1000F556
QVlSVFNydi5heWU=, xrefs: 1000F243
U09GVFdBUkVcRVNUc29mdFxBTFlhYw==, xrefs: 1000F55B

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$Sleep$DeleteFile
String ID: %c%c%c%c%c$%s\%c%c%c%c.%c%c%c$C:\Users\user\Desktop$InstallPath$QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$RootDir$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==$U09GVFdBUkVcRVNUc29mdFxBTFlhYw==
API String ID: 1805227871-1336997999
Opcode ID: 4faebca5d5ecfbac1970155ceb850f77aff3aa2d85c081c79c4d030d0b992594
Instruction ID: f3a127f1e748f5d64eaa99f11cd5709b593d3714899721134faa47f9b9462ef5
Opcode Fuzzy Hash: 4faebca5d5ecfbac1970155ceb850f77aff3aa2d85c081c79c4d030d0b992594
Instruction Fuzzy Hash: 9EA1E8F1D00218ABFB15DB60CC85FEE76B6EB88310F4481A8F709B6285DB786B45CB51

Function 1000D49E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000D4E0

Strings

.txt, xrefs: 1000D689

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID: .txt
API String ID: 39653677-2195685702
Opcode ID: 3e2cf45cf9e2c8dc7f5f295285577211bad2d2468e73e2711cbaf83a5c66596a
Instruction ID: 5b18667884c36d6a3f711f5a1707348fb37b449e4a0ae77af5134ebfe355cfde
Opcode Fuzzy Hash: 3e2cf45cf9e2c8dc7f5f295285577211bad2d2468e73e2711cbaf83a5c66596a
Instruction Fuzzy Hash: 5A71C2B5C00218EBDB25DFA0DC85BEEB7B8FB18341F408599F91996144E735AB85CF60

Function 10007DDE Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

#823.MFC42(00000004), ref: 10007E36
#823.MFC42(00000000), ref: 10007E5A
#823.MFC42(00000000), ref: 10007E8B
strrchr.MSVCRT ref: 10007EA5
strncpy.MSVCRT ref: 10007EBF
strncpy.MSVCRT ref: 10007ED3
GetSystemInfo.KERNEL32(?), ref: 10007EE0
GetCurrentProcess.KERNEL32(00000020,?), ref: 10007EFE
OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 10007F16
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
CloseHandle.KERNEL32(?), ref: 10007F50
strlen.MSVCRT ref: 10007F5B
sscanf.MSVCRT ref: 10007F7C

Strings

%[^, xrefs: 10007F72
C:\Users\user\Desktop, xrefs: 10007EA0
SeDebugPrivilege, xrefs: 10007F0F
etc\hosts, xrefs: 10007F56, 10007F77

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
String ID: %[^$C:\Users\user\Desktop$SeDebugPrivilege$etc\hosts
API String ID: 1460262115-236331588
Opcode ID: 238f55b7c1f0d273d61c331c5cf4d42dfd875bed047e0ebc3a875199cc579f11
Instruction ID: 328226fcebd27085c81d03e9fdf447683c520cb5a300c2c2c943bb7813867aca
Opcode Fuzzy Hash: 238f55b7c1f0d273d61c331c5cf4d42dfd875bed047e0ebc3a875199cc579f11
Instruction Fuzzy Hash: ED4118B5900628AFE704DFD4DDC9F9A7BB4FB48304F244119EA04A7290E7B5B586CF91

Function 10008C6A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10008CA2
GetVersionExA.KERNEL32(0000009C,?,?,?), ref: 10008CBB
strcpy.MSVCRT(00000000,1002A5F8,?,?,?), ref: 10008CDD
strcpy.MSVCRT(00000000,2000,?,?,?), ref: 10008D0A
strcpy.MSVCRT(00000000,1002A604,?,?,?), ref: 10008D37
strcpy.MSVCRT(00000000,2003,?,?,?), ref: 10008D64
strcpy.MSVCRT(00000000,Vista,?,?,?), ref: 10008D91
strcpy.MSVCRT(00000000,2008,?,?,?), ref: 10008DBE
strcpy.MSVCRT(00000000,1002A620,?,?,?), ref: 10008DEB
sprintf.MSVCRT ref: 10008E0F

Strings

2000, xrefs: 10008CFE
Win %s SP%d, xrefs: 10008E06
Vista, xrefs: 10008D85
2003, xrefs: 10008D58
2008, xrefs: 10008DB2

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcpy$Versionmemsetsprintf
String ID: 2000$2003$2008$Vista$Win %s SP%d
API String ID: 313931894-2264339393
Opcode ID: c871da8b4224639a2c4a07db153a9c7c04906b4bc4e0741e778789702d27a4ab
Instruction ID: 77eacedbfa7f7fe8781faf61d33db6b13d9c70aa213e0c00e07d5b6916aea476
Opcode Fuzzy Hash: c871da8b4224639a2c4a07db153a9c7c04906b4bc4e0741e778789702d27a4ab
Instruction Fuzzy Hash: 5F414CB5C00259EBEF24CB50EC4ABCDB7B4FB25345F4085EAE28862185DB755BC88F91

Function 10018642 Relevance: 23.4, APIs: 9, Strings: 4, Instructions: 609COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C), ref: 100186C5

Strings

/../, xrefs: 1001897E
\../, xrefs: 1001894D
\..\, xrefs: 1001891F
/..\, xrefs: 100189AF

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 5a46f987c0c1aa465964ba157d4fa85d795bbb3a3ed16f8f4b35a9f93f1a49a4
Instruction ID: 0bc132efd9775e1565a2305e834756c2a103a07c2eefdff1b87c786ac94b895d
Opcode Fuzzy Hash: 5a46f987c0c1aa465964ba157d4fa85d795bbb3a3ed16f8f4b35a9f93f1a49a4
Instruction Fuzzy Hash: DF521C74E042199FDB29CF68C895BDDB7B1FF49304F2481A9E959AB342D731AA81CF40

Function 1000EBE4 Relevance: 22.7, APIs: 15, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000EC22

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c233336acfde807531b4bd4db05083c501453822c40ebddcd0e165b7078de451
Instruction ID: 647fecf74183b07584ce481334d83a5ea3882a0c3f454bc038b8e9baf575f6ef
Opcode Fuzzy Hash: c233336acfde807531b4bd4db05083c501453822c40ebddcd0e165b7078de451
Instruction Fuzzy Hash: D861AEB2C00298ABEB24CFA0DC85BEE77B8FB04341F108599F519A2154D7359F84CF90

Function 1000D3D5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000D3E9
Process32First.KERNEL32(00000000,00000128), ref: 1000D410
lstrcmpiA.KERNEL32(?,ASDsvc.exe), ref: 1000D42A
lstrcmpiA.KERNEL32(?,V3Lite.exe), ref: 1000D440
DebugActiveProcess.KERNEL32(?), ref: 1000D451
GetLastError.KERNEL32 ref: 1000D45B
Process32Next.KERNEL32(00000000,00000128), ref: 1000D486
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1000D494

Strings

V3Lite.exe, xrefs: 1000D434
ASDsvc.exe, xrefs: 1000D41E
Name:%s,Err:%d, xrefs: 1000D469
c:\11.txt, xrefs: 1000D46E

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32lstrcmpi$ActiveCloseCreateDebugErrorFirstHandleLastNextProcessSnapshotToolhelp32
String ID: ASDsvc.exe$Name:%s,Err:%d$V3Lite.exe$c:\11.txt
API String ID: 608465442-3371721576
Opcode ID: 9295798d164be7e98289859709079e1bbe0c89580f6e4d306c70841c2e645d84
Instruction ID: d349b60a221eb04e9f0ed390c33e8622460ef73d0662aae7336d8dbcc3cb0f20
Opcode Fuzzy Hash: 9295798d164be7e98289859709079e1bbe0c89580f6e4d306c70841c2e645d84
Instruction Fuzzy Hash: C0114F75D00218BFEB10EFE1CC85BEEB7B8FB48344F908899E215A2145D774AA85CF61

Function 10006DB7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,?,?), ref: 10006DFE
strcat.MSVCRT(00000000,\*.*,?,?), ref: 10006E12
FindFirstFileA.KERNEL32(00000000,?,?,?,?,?), ref: 10006E28
wsprintfA.USER32 ref: 10006E79
strlen.MSVCRT ref: 10006E86
FindNextFileA.KERNEL32(000000FF,?), ref: 10006F72
FindClose.KERNEL32(000000FF,?,?,?,?), ref: 10006F87

Strings

%s\%s, xrefs: 10006E6D
\*.*, xrefs: 10006E06

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNextstrcatstrcpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 29064205-3247893053
Opcode ID: 0c2b794e55abadf301de6ae3b3cedffd5ee4832f5baa4e9da8af4904572e0557
Instruction ID: 2440652bd15ff8e6eaa9a308958dcc277bfe13f4e468759e469709181464b455
Opcode Fuzzy Hash: 0c2b794e55abadf301de6ae3b3cedffd5ee4832f5baa4e9da8af4904572e0557
Instruction Fuzzy Hash: 9E51AAF6900258ABDB14CB94DC84BEE73B9EB58301F1045E9F609A7245DB35AB88CF54

Function 1000AAC4 Relevance: 16.6, APIs: 11, Instructions: 78servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,?,1000AF00,00000000), ref: 1000AAD3
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 1000AAF3
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AB1E
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000AB2C
GetLastError.KERNEL32 ref: 1000AB36
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB4C
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB56
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1000AB6B
Sleep.KERNEL32(00000064), ref: 1000AB7D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB8D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB97

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigErrorLastManagerQuerySleepStartStatus
String ID:
API String ID: 3874167810-0
Opcode ID: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction ID: f423053ba5e51ed5b3dfd7871e9b23df293113642488d2f777d942f78633b468
Opcode Fuzzy Hash: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction Fuzzy Hash: 56214A78A00218FBFB10DBE4CCC8F9D77BAEB09761F200345EA05A6186C7749A81DB24

Function 100069DD Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,?), ref: 10006A24
strcat.MSVCRT(00000000,\*.*), ref: 10006A38
FindFirstFileA.KERNEL32(00000000,?), ref: 10006A4E
wsprintfA.USER32 ref: 10006A9F
strlen.MSVCRT ref: 10006AAC
FindNextFileA.KERNEL32(000000FF,?), ref: 10006B2B
FindClose.KERNEL32(000000FF), ref: 10006B40

Strings

\*.*, xrefs: 10006A2C
%s\%s, xrefs: 10006A93

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNextstrcatstrcpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 29064205-3247893053
Opcode ID: 17e01ef9ec8f7d1da953a85a48b32d4de0029fd6ed6eef401fdfea05b62a1c7d
Instruction ID: b1425089a467f23f8ccf7f8da9b04ec626d8d48fdd8cc5af3b7584fd2f615a50
Opcode Fuzzy Hash: 17e01ef9ec8f7d1da953a85a48b32d4de0029fd6ed6eef401fdfea05b62a1c7d
Instruction Fuzzy Hash: 0A41A9F6900118ABDB14CB94DC80BDE77B9EB58301F2485E9F60997245EB35AB88CF50

Function 10005F3C Relevance: 10.6, APIs: 7, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
HeapAlloc.KERNEL32(00000000), ref: 10005F56
NtQuerySystemInformation.NTDLL ref: 10005F79
GetProcessHeap.KERNEL32(00000000,00000000), ref: 10005F91
HeapFree.KERNEL32(00000000), ref: 10005F98

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocFreeInformationQuerySystem
String ID:
API String ID: 722747020-0
Opcode ID: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction ID: 6c64949c2fda0a623aee8140e43d1c032e6d4005dbe1664f83852c3263ea8444
Opcode Fuzzy Hash: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction Fuzzy Hash: 6B110675D04219FFEB00DBE4C948BAEB7B8FB58342F108968EA1693250D7799A81CB50

Function 1000C295 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C2A3
memset.MSVCRT ref: 1000C2DF

Strings

D, xrefs: 1000C3AD

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memsetstrlen
String ID: D
API String ID: 841943882-2746444292
Opcode ID: 03dd45d43307d88f16dba1a822ec05fef40b4f6432f795be4a487a3515ec13f2
Instruction ID: 70a39fe481dff278c8575bfc23d1f7d357f9e9131af160f8a87800a3379d7cae
Opcode Fuzzy Hash: 03dd45d43307d88f16dba1a822ec05fef40b4f6432f795be4a487a3515ec13f2
Instruction Fuzzy Hash: 30415EB190031CABEB50CF50CC56BEB73B8EB45341F4045C8E60967281EBB66B89CF91

Function 1001F343 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,?,?,?,?,?,1001FCA6), ref: 1001F3BB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 1001F40D

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction ID: 48a290c9093e3f11dd492f44913f2ca40d6bf3ce9a607d2c265816181fa2b1c7
Opcode Fuzzy Hash: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction Fuzzy Hash: 4E5194759002099FDB14CFA8C494BDEBBB5BB48304F24C259E825AB391D775E945CFA0

Function 1001C850 Relevance: 5.3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

Code too clever, xrefs: 1001C8B4
no future, xrefs: 1001C93E
wild scan, xrefs: 1001CB1E
insufficient lookahead, xrefs: 1001C911

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Code too clever$insufficient lookahead$no future$wild scan
API String ID: 0-1205821253
Opcode ID: 89a094b0773264441cbc8dbcf5616face2a24c1b0ac88d5fc2b905388351d50c
Instruction ID: d9015aa7d8d94b09ed7a00697b2830aeb164335acef1b0c781adddddbcb6c9a3
Opcode Fuzzy Hash: 89a094b0773264441cbc8dbcf5616face2a24c1b0ac88d5fc2b905388351d50c
Instruction Fuzzy Hash: 7BD1FB74E0414A9FCB08CFA8C8949EEBBF2FF89348F1485A8D459AB345D735AA41CF45

Function 1003F541 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

>,>, xrefs: 1003F685
3=I=, xrefs: 1003F67B

Memory Dump Source

Source File: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: >,>$3=I=
API String ID: 0-852727702
Opcode ID: c2df98ebaa9ef41229f0339c7fea5416ea49f715fa2dc41f5e0b9a3311ca05b1
Instruction ID: 2b7769357c91240ad19e6e0bd2d9e0ecdd7fb94a3a4eccab0f3bc7dd9c722f6c
Opcode Fuzzy Hash: c2df98ebaa9ef41229f0339c7fea5416ea49f715fa2dc41f5e0b9a3311ca05b1
Instruction Fuzzy Hash: 6451063541E7D29FC7138F3488A5685BFB1AE1711839A45EFC0C08F863D326949BCB92

Function 1001DD4D Relevance: 1.8, Strings: 1, Instructions: 584COMMON

Download Yara Rule

Strings

K, xrefs: 1001DD67

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction ID: be64ce4ea56ae2ff729ee4095f2c16fd9afa4c64b7be4d3cfcffd6d849276ff5
Opcode Fuzzy Hash: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction Fuzzy Hash: FD325C71A00249AFCB04CF98DC95EEE7B75FF88300F088568F9199F281D675DA68CB95

Function 1001D748 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

K, xrefs: 1001D762

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction ID: 13cd30b145176b83a50ea1d93efe1898842d2fb191c5ff5e9592714297f69bd4
Opcode Fuzzy Hash: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction Fuzzy Hash: 16F15B71A00249AFCB04CF98DC95EEE7B75EF88300F08C568F9199F281D675DA64CBA5

Function 10004804 Relevance: 1.5, APIs: 1, Instructions: 27processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004833

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction ID: dada26caca61fb62188d8dac9e18892904bbd52ffffd674216947e8ac7d19412
Opcode Fuzzy Hash: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction Fuzzy Hash: 3FF048B2214109AF8B48CF8DDC90DEB77EEBB8C614B158208FA1DD3250D630E851CBA4

Function 10004925 Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004954

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateInitialize
String ID:
API String ID: 220217950-0
Opcode ID: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction ID: 90eb217eefec1c1fdc0b769d8b89dca4f8ae21869411f64d3a2a456763029fa7
Opcode Fuzzy Hash: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction Fuzzy Hash: 72F04EB2214149AF8B48CF9DDC90DEB77EDAF8C614B159248FA1DD3250D630E851CBA4

Function 10005FD3 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 10005FFD

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction ID: 577e262fd81ac71086ec76a3c5116955c632cb2abf2027a79d8cb05fcdf68b55
Opcode Fuzzy Hash: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction Fuzzy Hash: F0E01A75A00208BFDB04DF98C881EAFB7B8EB98300F008659FA159B344D670AA10CBD4

Function 100114B0 Relevance: 1.5, APIs: 1, Instructions: 17comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000000,10024578,1000FC00,1002B698,00000017,?,?,1000FC00,10024578,00000000,00000017), ref: 100114CC

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 2c121b8928b9d59e68a6b9292ed8f43e56c1b22c93bcd46b0603aca405af78c0
Instruction ID: 51edb17921b4d80422a266156ca8c59b99b4a0e0400770ec4762b41d8b954582
Opcode Fuzzy Hash: 2c121b8928b9d59e68a6b9292ed8f43e56c1b22c93bcd46b0603aca405af78c0
Instruction Fuzzy Hash: 4FD067B6505508BB8B04CFC9ED44CAEB7ACEB49350B50854DBA0897200D635AA109BA5

Function 10004E1F Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

mouse_event.USER32(?,?,?,?,?), ref: 10004E36

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction ID: cd64bc9c04189baa85cc60a7def0010568bcfbf044096a859e3bd7374a512153
Opcode Fuzzy Hash: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction Fuzzy Hash: 0DD092B221020DAF8B04CF88D884CDB37ADAB8C610B008108BA0DC3200C630E8518BA5

Function 10004E04 Relevance: 1.5, APIs: 1, Instructions: 13keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(?,?,?,?), ref: 10004E17

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction ID: f831d9c8cafff6064600b4124d045f46117a7ffc6ffe7c2727ae22ba67f01528
Opcode Fuzzy Hash: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction Fuzzy Hash: 93D0127600428D7BCF00CFD89C54CEB7BAC5A4C600B048044FA5CC7201C531E410C771

Function 10005238 Relevance: 1.5, APIs: 1, Instructions: 9shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(00000006,1000B9E6), ref: 10005243

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction ID: 9a2dd19b8ecf135439890cac36e4a679dfc02a0ed1c5e43b286b51b805b47a2f
Opcode Fuzzy Hash: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction Fuzzy Hash: 52B0927611030CABCB04DFD8DC88CAA37ACAB8CA10B108004FA0D87240CA31F9408BA0

Function 100057EC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(?,?), ref: 100057F7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction ID: 3f99846e5fc03f1cd515f911f6ea334dcbd29f04822414012a5ac230d652ecea
Opcode Fuzzy Hash: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction Fuzzy Hash: A9B0927611030CABCB04DFD9DC84C9A37ECAB8CA10B108004FA0D87200CA31F9008BA0

Function 100058AC Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 100058B7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction ID: 1268fd6e3a6fee96902ddf7f8e53f7d66be35c16e869bb3695433d0dc63322dc
Opcode Fuzzy Hash: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction Fuzzy Hash: 9EB0927611020CABCB18DFDCD884C9A37ECAB8C610B008104FA0D87200CA31F9008BA0

Function 10005BDF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ClearEventLogA.ADVAPI32(?,?), ref: 10005BEA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClearEvent
String ID:
API String ID: 3812438431-0
Opcode ID: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction ID: 7434daefe77f6d47902705726ab8f34eda02ab0099602c090bfecb55a22fb0ef
Opcode Fuzzy Hash: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction Fuzzy Hash: B2B092B611420CABCB04DFD8D894C9A37ACFB4C614B008005FA0D87200CB31F9008BA0

Function 10004E8E Relevance: 1.5, APIs: 1, Instructions: 9clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 10004E99

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction ID: 00ad4f47f5e7d0ee9b57b808d9b7f0335e52eb5749179ceb83dcd797ee5f95d7
Opcode Fuzzy Hash: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction Fuzzy Hash: DFB092B612160CABEB04DFE8D888C9AB7ACAB4C610B008004FA1D87201CA32F940CBA0

Function 10005000 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

LockResource.KERNEL32(?), ref: 10005007

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LockResource
String ID:
API String ID: 1236514755-0
Opcode ID: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction ID: 29e56bc91a9f9482983e27dc0ed5834eb45bd4535224dddbaac4bf5a93215658
Opcode Fuzzy Hash: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction Fuzzy Hash: EBB0123100030C97CA009BD8DC4CC95379C96089007100000F50C83500C634F4004690

Function 100052CF Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 100052D6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction ID: 7efb55d811d09cfa6076e2c53c0765dc55be4d0596901329b8c6f4113f5758ef
Opcode Fuzzy Hash: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction Fuzzy Hash: 75B0123140030C9BCB006BD8D848C8537DCA6085007404000F50C83500CB30F40046D4

Function 1000558A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 10005591

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction ID: 3446f4351d0fb0315f265c1257496f9b218a963c1e1e8a386bbfb0b0138b3b89
Opcode Fuzzy Hash: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction Fuzzy Hash: EEB0123100030C97DA005BD8D848C8577DC96086047008001F60CC3101CA30F8014690

Function 10004788 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(?), ref: 1000478F

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction ID: 941f2af9b74db5ebe652a3bc5d90ee6d32c6752af74bb884e1b1cde712639612
Opcode Fuzzy Hash: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction Fuzzy Hash: 80B0123100030C97CF005FE8D84CC85379CA6085007100500F50C83100C630F40046D0

Function 100059A0 Relevance: 1.5, APIs: 1, Instructions: 7serviceCOMMON

Download Yara Rule

APIs

DeleteService.ADVAPI32(?), ref: 100059A7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteService
String ID:
API String ID: 700001626-0
Opcode ID: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction ID: f211721f13ae4b958aaaf00c1e1ea3e1c88187a953ac96f05739ed6fd255fc66
Opcode Fuzzy Hash: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction Fuzzy Hash: 37B0123100030C97CA005BD8D848C8537DC96485407048010F50C83100CA70F40146A1

Function 10004DF5 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(?), ref: 10004DFC

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction ID: 3baf6831cd208484881523ebff87dae9b7360ad4edd65dec015b26fc2e4f2711
Opcode Fuzzy Hash: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction Fuzzy Hash: 86B0127100030CA7CB009BD8E84CC85379CB6086047000001F50C83100C730F84046D0

Function 10004F4C Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(?), ref: 10004F53

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction ID: 954e834f1d5633d9c78c7ea24322f83793bd12d053b1b78d752a87b4747b0001
Opcode Fuzzy Hash: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction Fuzzy Hash: 06B0123100030C97CB00DBD8D849C85379CA608544B040400F50D93500C670F40046D1

Function 1001DB5D Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

K, xrefs: 1001DB77

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction ID: 4821ffda97bad3917eb01a0464c429c8a6cf820fb574935c82d8a63edae2efce
Opcode Fuzzy Hash: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction Fuzzy Hash: 25715D31900249AFDB04CF98DC95FEE7B75FF88300F088568FA199B281D675D668CBA5

Function 1001BD60 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad d_code, xrefs: 1001BED4

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: bad d_code
API String ID: 0-2582332627
Opcode ID: c8bd8877b8d1bc01d706b7e019f3ca49619b42a83d32fb799e3ca473650ef1b3
Instruction ID: f004e477197f55c592226676e499189eaab92f13d288ee4c5209336154d995b4
Opcode Fuzzy Hash: c8bd8877b8d1bc01d706b7e019f3ca49619b42a83d32fb799e3ca473650ef1b3
Instruction Fuzzy Hash: 2171CF75E00549DBCB04CF99C895AEEBBB2FF8C304F148168E909AB345D735AA91CB94

Function 100150F3 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e37e1c3fc424cfd48ed848d354b748ce29888d947d5d40d541a0b14f58744a
Instruction ID: aca30e619449c57417395797cfd63932ca64eb5dadbef33155d0970fb4e0af80
Opcode Fuzzy Hash: 11e37e1c3fc424cfd48ed848d354b748ce29888d947d5d40d541a0b14f58744a
Instruction Fuzzy Hash: 5C628F74E0520ADFCB08CF98C5909EEBBB2FF88314F248259D815AB355D735AA91CF94

Function 100122E4 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfb74cb42b50ad866b0dcdba91c81340cef7ea0c4ae266c4f19575c9cc43b19
Instruction ID: a4c617def18458712bc02cf46e9916a0de50b92ea2995c80f66374b38c27eec4
Opcode Fuzzy Hash: 1cfb74cb42b50ad866b0dcdba91c81340cef7ea0c4ae266c4f19575c9cc43b19
Instruction Fuzzy Hash: 1D5254B8A04209DFCB08CF98C59099DBBB2FF8C314B25C599E819AB355D731EA51CF94

Function 10015B40 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction ID: 34f3d6fbe751ec779d85210cdb32b2997779c4aff4a46c926cb419fb41892b26
Opcode Fuzzy Hash: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction Fuzzy Hash: 06A15F74E05148EFCB08CF99C590A9DFBF2EF88304F28C1A9E859AB355D631AB51DB44

Function 1001E5EC Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction ID: 9283f13a6b71ff4d28867ba0371fcc3830cb864e567d112fffee3ea95ca30d3f
Opcode Fuzzy Hash: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction Fuzzy Hash: 8261F230614549ABDB08CF2DC8916A97BE2EF8D358F55C128E829CF250D739EA91CF80

Function 10015883 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction ID: 3e186bd40632953d342a1ca4b5c669cc8258e70e124af2b7e38ac243e047a4b5
Opcode Fuzzy Hash: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction Fuzzy Hash: 35610331610549AFDB08CF2DC891AA97BE2FF8D354F55C128E929CF350D639EA81CB40

Function 1001A67B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction ID: b646244c15df26bb11706b77c13e2002d061b3e9df5792a36ac078930f46edd7
Opcode Fuzzy Hash: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction Fuzzy Hash: FB51EF38A04149ABCB15CF58C4908EDB7F2FF8C354F25C199E9599B345C630AA92CB80

Function 10034274 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9118257b1291ceb9fbbe4342c5e073534e166340dff9db8e9c4435b32712888a
Instruction ID: bf9e36cf425079b835a98d5b179f2bea1268a226edd45a5e083b415a98a7da38
Opcode Fuzzy Hash: 9118257b1291ceb9fbbe4342c5e073534e166340dff9db8e9c4435b32712888a
Instruction Fuzzy Hash: 4F115938C04610CFD314EB2481951F9B7E1FF98B02F834529EA9827380D675951DCBC3

Function 1000C15F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0367895ad9fb0037e827a77a4b2abc05a1d0ce6d72e9f92cf01e4baf600d9e
Instruction ID: 94ba5cdfde1be3ce70ef2168a5c63dedb3fa7d1966c2913295e4843897d40ece
Opcode Fuzzy Hash: fd0367895ad9fb0037e827a77a4b2abc05a1d0ce6d72e9f92cf01e4baf600d9e
Instruction Fuzzy Hash: 9001C0A140C384FF9756B9754C91E4FBE92F7D0292F408A09798A22942A63C5458C96B

Function 1000DDEE Relevance: 52.9, APIs: 18, Strings: 12, Instructions: 399COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000DE30
memset.MSVCRT ref: 1000DE46
memset.MSVCRT ref: 1000DE5C

Part of subcall function 10005B51: RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 10005B68

Strings

JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E29A
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E32C
[%s], xrefs: 1000E138
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E301
JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==, xrefs: 1000E2D6
REG_DWORD, xrefs: 1000E2CA
REG_MULTI_SZ, xrefs: 1000E2F5
JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E265
REG_EXPAND_SZ, xrefs: 1000E28E
REG_BINARY, xrefs: 1000E320
REG_SZ, xrefs: 1000E259
, xrefs: 1000E1BC

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$Open
String ID: $JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 276825008-1418283934
Opcode ID: b89e21c8826daf519748927800bc60cdad6d5b0439377bcc0ce52d357d9c1048
Instruction ID: a0ffed0e914dbc35d4acf00fe559dbe0d90bb68d0587fc3b56486e9a137238fc
Opcode Fuzzy Hash: b89e21c8826daf519748927800bc60cdad6d5b0439377bcc0ce52d357d9c1048
Instruction Fuzzy Hash: 8EE143B6D002589BEB14DF90DC85FDE77B8EB48340F404199F609B7284E775AE988FA1

Function 1000805F Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 215filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD
memcmp.MSVCRT(00000000,00000000,-00000002), ref: 1000834E

Strings

%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$Filestrcatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryProcessSleepsrandstrcpystrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 809949283-1917988604
Opcode ID: 333c40de44d30474e9c1cf6282125fa721251504f1f06e29aece9085f50e7bf6
Instruction ID: 1fc89b949b869141e7d21f023f72e52535fd7918e05709aa5f44e13cd79eb387
Opcode Fuzzy Hash: 333c40de44d30474e9c1cf6282125fa721251504f1f06e29aece9085f50e7bf6
Instruction Fuzzy Hash: 8B81A370900218FFEB14CBA8CC85FD9777AFB88304F1485A8E609A7255DB75AB85CF51

Function 1000793B Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 308stringcomCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000797B
CoInitializeEx.OLE32(00000000,00000000), ref: 10007987
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,00000000,?,?,1002174C,000000FF), ref: 100079BE

Part of subcall function 10010360: #823.MFC42(0000000C), ref: 10010380

CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
wcscat.MSVCRT ref: 10007A97

Part of subcall function 100102D0: #823.MFC42(0000000C,?,00000030,00000000,00000000), ref: 100102F0

VariantInit.OLEAUT32(?), ref: 10007BAD
VariantInit.OLEAUT32(?), ref: 10007BB7
VariantInit.OLEAUT32(?), ref: 10007BC4
strcpy.MSVCRT(00000000,00000000,?), ref: 10007CA5
_stricmp.MSVCRT(?,svchost.exe), ref: 10007CCB
strcpy.MSVCRT(00000000,00000000,?), ref: 10007D31
StrStrIA.SHLWAPI(?,svchost.exe -k NetworkService), ref: 10007D57
VariantClear.OLEAUT32(?), ref: 10007D76
VariantClear.OLEAUT32(?), ref: 10007D80
CoUninitialize.OLE32 ref: 10007DC2

Strings

CommandLine, xrefs: 10007BFC
Name, xrefs: 10007BDB
SELECT * FROM , xrefs: 10007A6C
WQL, xrefs: 10007ADF
svchost.exe -k NetworkService, xrefs: 10007D4B
ProcessID, xrefs: 10007C20
svchost.exe, xrefs: 10007CBF

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$Init$#823ClearInitializestrcpy$BlanketCreateInstanceProxySecurityUninitialize_stricmpmemsetwcscat
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 2580003999-2685825574
Opcode ID: a3f05d51eee3a160271b50295acc5aeb10dd375e6e0d27472f94f25ff49816cf
Instruction ID: 189a79c95d12f2324ed77b7531e52b51722813dc0f720325a82f4d3d448fa42a
Opcode Fuzzy Hash: a3f05d51eee3a160271b50295acc5aeb10dd375e6e0d27472f94f25ff49816cf
Instruction Fuzzy Hash: D7D11879A01228ABDB24DB64CC89BDDB7F4FB48700F1081D9E119A7290DF75AB85CF90

Function 100080A0 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 168filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD

Strings

%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$Filestrcatwsprintf$Create$CloseHandleWritestrchr$DeleteDirectoryMemoryProcessSleepmemcmpsrandstrcpystrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 691396304-1917988604
Opcode ID: 4020c037d5262e72b5114483934564467d3fb651bcb7bf740619452c7b2aa732
Instruction ID: 9b1f3f05a2db119796ee803a315ca48c205a346098eddc4b2f03f44ea683e2e5
Opcode Fuzzy Hash: 4020c037d5262e72b5114483934564467d3fb651bcb7bf740619452c7b2aa732
Instruction Fuzzy Hash: 9C51C370900218BFEB14CBA4CC89FD9777AFB88305F1484A8F309A6291DF796B498F51

Function 1000CD1A Relevance: 38.8, APIs: 11, Strings: 11, Instructions: 337stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10010880: CoInitializeEx.OLE32(00000000,00000000,1000CD40,?,1000CD40), ref: 100108CD

Part of subcall function 10010940: strlen.MSVCRT ref: 10010968

strlen.MSVCRT ref: 1000CE07
SafeArrayCreate.OLEAUT32(00000008,00000001,00000001), ref: 1000CE6D
VariantInit.OLEAUT32(?), ref: 1000CE83
SafeArrayCreate.OLEAUT32(00000003,00000001,00000001), ref: 1000CEA4
VariantInit.OLEAUT32(?), ref: 1000CEBA

Part of subcall function 10010D30: VariantClear.OLEAUT32(100219AB), ref: 10010E5C
Part of subcall function 10010D30: LockFreeStack.LIBCMTD ref: 10010E69
Part of subcall function 10010D30: refcount_ptr.LIBCPMTD ref: 10010E75

Part of subcall function 10010650: Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 1001065A

Part of subcall function 100102D0: #823.MFC42(0000000C,?,00000030,00000000,00000000), ref: 100102F0

SafeArrayDestroy.OLEAUT32(?), ref: 1000CFE1
SafeArrayDestroy.OLEAUT32(?), ref: 1000CFEB
strlen.MSVCRT ref: 1000D012
strlen.MSVCRT ref: 1000D02C
SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 1000D0DA
VariantInit.OLEAUT32(?), ref: 1000D0FC

Strings

DNSServerSearchOrder, xrefs: 1000D122
Win32_NetworkAdapterConfiguration.Index=, xrefs: 1000CDCE
SetDNSServerSearchOrder, xrefs: 1000D040
Index, xrefs: 1000CD86
SetGateways, xrefs: 1000CE1B
IPEnabled=TRUE, xrefs: 1000CD47
SetGateways, xrefs: 1000CF84
DefaultIPGateway, xrefs: 1000CED4
GatewayCostMetric, xrefs: 1000CF29
SetDNSServerSearchOrder, xrefs: 1000D17D
Win32_NetworkAdapterConfiguration, xrefs: 1000CD4C

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ArraySafe$Variantstrlen$CreateInit$Destroy$#823ClearConcurrency::cancellation_token_source::~cancellation_token_sourceFreeInitializeLockStackrefcount_ptr
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetDNSServerSearchOrder$SetGateways$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2153433036-3869628212
Opcode ID: 5a67e2e846d6e9453b6741e65edd698b60cb2191acddcab2dfde6c40d9ac1b4a
Instruction ID: 095493ed6918a818fd7b04fe66b72ed65cac22a41f5eba2ca8daf5a0ec645a75
Opcode Fuzzy Hash: 5a67e2e846d6e9453b6741e65edd698b60cb2191acddcab2dfde6c40d9ac1b4a
Instruction Fuzzy Hash: CCE12974D00258EFDB14DBA4DD85BDDBBB4EF14300F1081A9F549AB291DBB4AA88CF61

Function 1000EF29 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 189stringsleepprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF71
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF83
strcat.MSVCRT(00000000,00000000), ref: 1000EF9E
strcat.MSVCRT(00000000,00000000), ref: 1000EFBB
#823.MFC42(00080000), ref: 1000EFDE
memset.MSVCRT ref: 1000F08F
Sleep.KERNEL32(000927C0), ref: 1000F0CC
strlen.MSVCRT ref: 1000F168
strcmp.MSVCRT ref: 1000F181
wsprintfA.USER32 ref: 1000F19E
WinExec.KERNEL32(cmd.exe /c ipconfig /flushdns,00000000), ref: 1000F1C2
Sleep.KERNEL32(000927C0), ref: 1000F1CF
#825.MFC42(?), ref: 1000F1EA

Strings

8.8.8.8, xrefs: 1000F1A7
127.0.0.1, xrefs: 1000F1AC
cmd.exe /c ipconfig /flushdns, xrefs: 1000F1BD
http://107.163.56.240:18963/main.php, xrefs: 1000F069
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000EFA6
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000EF89

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectorySleepSystemstrcat$#823#825Execmemsetstrcmpstrlenwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$cmd.exe /c ipconfig /flushdns$http://107.163.56.240:18963/main.php
API String ID: 3591502829-3520984710
Opcode ID: 767a5f6c9f3173eeea18358eed344dd90d98b8edb12014d620f775cbd4a38f09
Instruction ID: e77a40ba02dc273f76f3ae5bf01613a400a7303309ce75e3aa404be1a6193f87
Opcode Fuzzy Hash: 767a5f6c9f3173eeea18358eed344dd90d98b8edb12014d620f775cbd4a38f09
Instruction Fuzzy Hash: 1871A0B5D04218ABEB61CB68DCC5BD9B3B5EB58340F1041E8E60CA7281DB75BF858F91

Function 1000A948 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 104registryprocessstringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 1000A9C6
_CxxThrowException.MSVCRT(?,10024C88), ref: 1000A9EB
RegQueryValueExA.ADVAPI32(00000000,DLLPath,00000000,00000002,00000000,00000080), ref: 1000AA0A
_CxxThrowException.MSVCRT(1002E0FC,10024C88), ref: 1000AA2F
StrStrIA.SHLWAPI(00000000,mp3), ref: 1000AA40
lstrlenA.KERNEL32(1000B2F9,00000000), ref: 1000AA50
WinExec.KERNEL32(sc stop RemoteAccess,00000000), ref: 1000AA7A
WinExec.KERNEL32(sc config RemoteAccess start= auto,00000000), ref: 1000AA87
WinExec.KERNEL32(net start RemoteAccess,00000000), ref: 1000AA94
RegCloseKey.ADVAPI32(00000000), ref: 1000AAAD

Strings

sc config RemoteAccess start= auto, xrefs: 1000AA82
DLLPath, xrefs: 1000AA01
sc stop RemoteAccess, xrefs: 1000AA75
3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6, xrefs: 1000A968
DLLPath, xrefs: 1000AA5D
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==, xrefs: 1000A982
mp3, xrefs: 1000AA34
net start RemoteAccess, xrefs: 1000AA8F

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Exec$ExceptionThrow$CloseOpenQueryValuelstrlen
String ID: 3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6$DLLPath$DLLPath$U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==$mp3$net start RemoteAccess$sc config RemoteAccess start= auto$sc stop RemoteAccess
API String ID: 3413174891-3716379865
Opcode ID: 1ccf4968982350a89f99e679dc39375cc5aac95e14b706f7336e7854ca2de96b
Instruction ID: 43c9b28ce93485f090b6302de8d1e2f99a1725c96703827c3c982aa9faeb6eb3
Opcode Fuzzy Hash: 1ccf4968982350a89f99e679dc39375cc5aac95e14b706f7336e7854ca2de96b
Instruction Fuzzy Hash: BA418FB5900218BFEB10DFD4DD89FEEBB78EB49740F504158F205B6281DB785A85CBA1

Function 1000622A Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 71COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,cmd.exe), ref: 1000623D
GetCurrentProcessId.KERNEL32 ref: 1000625B

Part of subcall function 10005CE2: strcpy.MSVCRT(00000000,00000000), ref: 10005D1A
Part of subcall function 10005CE2: CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95

Strings

C:\Windows\6C4DA6FB\svchsot.vir, xrefs: 1000629E
self, xrefs: 10006266
cmd.exe, xrefs: 10006247
C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 100062A3
C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 10006291
cmd.exe, xrefs: 10006234
%s.%d, xrefs: 100062F5

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateCurrentFileProcessstrcpy
String ID: %s.%d$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.vir$cmd.exe$cmd.exe$self
API String ID: 300836412-3617494418
Opcode ID: 5ede9ce9633f438ee9026851c8a9e3a9f459342c2878a90d05c91d23b2360b1a
Instruction ID: 11dda13007a575690e2789da7b2ac66cc1117108efdf45987319c1011c6ab237
Opcode Fuzzy Hash: 5ede9ce9633f438ee9026851c8a9e3a9f459342c2878a90d05c91d23b2360b1a
Instruction Fuzzy Hash: 9F21D275900214FBFB00EFF4DC8AF9A3769EF1A351F208054FB0996180DF7296A58BA1

Function 10008FF9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 134stringregistrytimeCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?,?), ref: 10009030
___crtGetTimeFormatEx.LIBCMTD ref: 10009071

Part of subcall function 10005AF9: RegQueryValueExA.ADVAPI32(000000C8,?,00000004,00000000,?,?,?,10009076,?,ProcessorNameString,00000000,00000004,?,000000C8), ref: 10005B14

Part of subcall function 10005ABC: RegCloseKey.KERNEL32(10009085,?,10009085,?), ref: 10005AC3

strcpy.MSVCRT(1000B7C0,?), ref: 10009093
strcpy.MSVCRT(1000B7C0,Find CPU Error), ref: 100090A6
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
__aulldiv.LIBCMT ref: 100090F5
__aulldiv.LIBCMT ref: 10009103
strcpy.MSVCRT(1000B740,11261041,?,?,00000400,00000000), ref: 1000914A
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,00000400,00000000), ref: 10009152
strcpy.MSVCRT(1000B720,00000000,?,?,?,?,?,?,00000400,00000000), ref: 100091B5

Strings

@, xrefs: 100090C9
http://107.163.56.240:18963/main.php, xrefs: 100091BF
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10009009
ProcessorNameString, xrefs: 10009065
Find CPU Error, xrefs: 1000909D
%u MB, xrefs: 10009128
11261041, xrefs: 1000913C

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcpy$__aulldiv$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
String ID: %u MB$11261041$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.240:18963/main.php
API String ID: 1131083606-549727485
Opcode ID: e40bf955463e0a9efd56d7cea9ea3e81e912de425670feecad543ba30ee43c0b
Instruction ID: cefe20e9956c0aeb191ec147d5f548dd9efc5a21e1516fd84fccf84d5fb5ed44
Opcode Fuzzy Hash: e40bf955463e0a9efd56d7cea9ea3e81e912de425670feecad543ba30ee43c0b
Instruction Fuzzy Hash: B941D8F99012186BEB10DB54DC89FDA7379EF54340F4482A8F608A7285EB74AA84CB95

Function 10005CE2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 130stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,00000000), ref: 10005D1A
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005D32
strrchr.MSVCRT ref: 10005D41
CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 10005DBC
time.MSVCRT(00000000), ref: 10005DC4
localtime.MSVCRT(?), ref: 10005DDA
strftime.MSVCRT ref: 10005DF2
vsprintf.MSVCRT ref: 10005E48
sprintf.MSVCRT ref: 10005E75
strlen.MSVCRT ref: 10005E8B
WriteFile.KERNEL32(?,?,00000000,00000000), ref: 10005EA2
CloseHandle.KERNEL32(?), ref: 10005EAF

Strings

%s%s, xrefs: 10005E69
log.txt, xrefs: 10005D68

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerWritelocaltimesprintfstrcpystrftimestrlenstrrchrtimevsprintf
String ID: %s%s$log.txt
API String ID: 1265290787-1489102009
Opcode ID: 7042509185cd6d5bdf34c836e812c9386ba27d38793915702e36bf717e36d22f
Instruction ID: 4248ec1d1ae275c58dfadc2bb918cf7de6159c9ba061f12476aacb7595d00ccb
Opcode Fuzzy Hash: 7042509185cd6d5bdf34c836e812c9386ba27d38793915702e36bf717e36d22f
Instruction Fuzzy Hash: 29519375D00268EBEB25CB94CC8DBDA7778EB68301F0045D5E709A6280DBB55AC9CF91

Function 10009337 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 101librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll,?), ref: 10009348
LoadLibraryA.KERNEL32(wininet.dll), ref: 10009359
GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 10009391
GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 100093A6
#823.MFC42(00000050), ref: 100093B4
strcat.MSVCRT(00000000,1002A714), ref: 1000941F
strcat.MSVCRT(00000000,?), ref: 10009435
strcat.MSVCRT(00000000,1002A718), ref: 10009449
memset.MSVCRT ref: 10009459

Part of subcall function 10005650: CreateProcessA.KERNEL32(?,00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,d,?,10009490,00000000,00000000,00000000,00000000), ref: 1000567B

Strings

URLDownloadToCacheFileA, xrefs: 10009385
GetUrlCacheEntryInfoA, xrefs: 1000939D
wininet.dll, xrefs: 10009354
urlmon.dll, xrefs: 10009343

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$AddressLibraryLoadProc$#823CreateProcessmemset
String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
API String ID: 1308283570-2475139894
Opcode ID: 346510cfd1df1fa33f5688026e9b1c9270cc953942adda011561c60fa32797ce
Instruction ID: 81b372d6bc21d2fef04a9a1ddd25012b240df206b743b4629fc927ee19ea9d3e
Opcode Fuzzy Hash: 346510cfd1df1fa33f5688026e9b1c9270cc953942adda011561c60fa32797ce
Instruction Fuzzy Hash: 2031C7B5D042586FEB10CBA0DC85FEFBB74EB18701F5004A5F709A6280DB756A84CF55

Function 1000EE6E Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 1000EE78
_stricmp.MSVCRT(00000000,.dll), ref: 1000EE97
_stricmp.MSVCRT(?,.exe), ref: 1000EEAD
_stricmp.MSVCRT(?,.sys), ref: 1000EEC3
_stricmp.MSVCRT(?,.aye), ref: 1000EED9
strstr.MSVCRT ref: 1000EEEF
strstr.MSVCRT ref: 1000EF05

Strings

.exe, xrefs: 1000EEA4
.aye, xrefs: 1000EED0
AYLaunch.exe, xrefs: 1000EEFC
.dll, xrefs: 1000EE8E
V3Lite.exe, xrefs: 1000EEE6
.sys, xrefs: 1000EEBA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _stricmp$strstr$strrchr
String ID: .aye$.dll$.exe$.sys$AYLaunch.exe$V3Lite.exe
API String ID: 2699606083-2419393344
Opcode ID: 108e2feaac577766ba8ba0e8db0b53e6631e71e2c885bfe69a9752ddb39e2f87
Instruction ID: 764b0278f31ad324f17f2a98405825b361ba87bbbdd245c0fd597567a242e44b
Opcode Fuzzy Hash: 108e2feaac577766ba8ba0e8db0b53e6631e71e2c885bfe69a9752ddb39e2f87
Instruction Fuzzy Hash: 301182B4900249FBEB10CBA4ED49AAE37A8EF043C6F504164FD05A6205E733EF25C7A1

Function 1000C84D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 184sleepstringCOMMON

Download Yara Rule

APIs

#823.MFC42(00080000), ref: 1000C876
memset.MSVCRT ref: 1000C932
Sleep.KERNEL32(000927C0,1002AEDC), ref: 1000C981
strlen.MSVCRT ref: 1000CA1E
wsprintfA.USER32 ref: 1000CA40

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

strcmp.MSVCRT ref: 1000CAC2
Sleep.KERNEL32(000927C0), ref: 1000CAD1
#825.MFC42(?), ref: 1000CAF2

Strings

c:\1.txt, xrefs: 1000C96D
http://107.163.56.240:18963/main.php, xrefs: 1000C90C
iOffset, xrefs: 1000C968

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$FileSleepstrchrstrlen$#823#825CloseCreateHandleWritememsetstrcmpstrcpywsprintf
String ID: c:\1.txt$http://107.163.56.240:18963/main.php$iOffset
API String ID: 1155735134-992998774
Opcode ID: 79f6846e74105bab0bf2d2d033a4e16bec2dfb2923f88f5b3c671a70fbbec6dd
Instruction ID: 8867f4b33d76620a981d00934cbc48f6cd0217936a159ee403f4649d67838cfa
Opcode Fuzzy Hash: 79f6846e74105bab0bf2d2d033a4e16bec2dfb2923f88f5b3c671a70fbbec6dd
Instruction Fuzzy Hash: 5F61AE75D04218ABEF20CB64DC85BDAB3B5EB59340F1445E8E50CA7241DB35AF85CF91

Function 1000F9DF Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000), ref: 1000FA4E
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000FA9C
memset.MSVCRT ref: 1000FAE5
memset.MSVCRT ref: 1000FAFB
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 1000FB54
StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000FB6F
RegDeleteValueA.ADVAPI32(?,?), ref: 1000FB87
RegCloseKey.ADVAPI32(00000000), ref: 1000FB99
Sleep.KERNEL32(000493E0), ref: 1000FBA4

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000FA44
svchsot.exe, xrefs: 1000FB63

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$svchsot.exe
API String ID: 1121228644-2172464104
Opcode ID: 3040e98eb6b65eb0bd86ac7d6e6107abcfc88821ae1a1f6834de02b584e87de2
Instruction ID: e3778dee54b12c2848dccefca940d5047beb58c83f66ffac27abb0164a42fcf7
Opcode Fuzzy Hash: 3040e98eb6b65eb0bd86ac7d6e6107abcfc88821ae1a1f6834de02b584e87de2
Instruction Fuzzy Hash: EA416675A40168ABEB24CB54CD45FD973B8FB48740F1085D9E349A6180DBB4AEC8DFA4

Function 100084F9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 10007DDE: #823.MFC42(00000004), ref: 10007E36
Part of subcall function 10007DDE: #823.MFC42(00000000), ref: 10007E5A
Part of subcall function 10007DDE: #823.MFC42(00000000), ref: 10007E8B
Part of subcall function 10007DDE: strrchr.MSVCRT ref: 10007EA5
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007EBF
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007ED3
Part of subcall function 10007DDE: GetSystemInfo.KERNEL32(?), ref: 10007EE0
Part of subcall function 10007DDE: GetCurrentProcess.KERNEL32(00000020,?), ref: 10007EFE
Part of subcall function 10007DDE: OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
Part of subcall function 10007DDE: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 10007F16
Part of subcall function 10007DDE: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
Part of subcall function 10007DDE: CloseHandle.KERNEL32(?), ref: 10007F50
Part of subcall function 10007DDE: strlen.MSVCRT ref: 10007F5B
Part of subcall function 10007DDE: sscanf.MSVCRT ref: 10007F7C

wsprintfA.USER32 ref: 1000853B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 100085AF
wsprintfA.USER32 ref: 100085CE
CreateDirectoryA.KERNEL32(?,00000000), ref: 100085E0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

Part of subcall function 1000793B: memset.MSVCRT ref: 1000797B
Part of subcall function 1000793B: CoInitializeEx.OLE32(00000000,00000000), ref: 10007987
Part of subcall function 1000793B: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
Part of subcall function 1000793B: CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,00000000,?,?,1002174C,000000FF), ref: 100079BE
Part of subcall function 1000793B: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
Part of subcall function 1000793B: wcscat.MSVCRT ref: 10007A97

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000863A

Strings

Win32_process, xrefs: 10008606
c:\windows\system32\drivers\%s\%s, xrefs: 100085C2
c:\windows\system32\drivers\%s, xrefs: 100085A3
%s\%s, xrefs: 1000852F
ROOT\CIMv2, xrefs: 1000860B

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$#823CreateProcesswsprintf$CloseFileHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryInfoInstanceLookupPrivilegePrivilegesProxySecuritySystemValueWritememsetsscanfstrcpystrrchrwcscat
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 2147377520-1421401311
Opcode ID: f9374cd462d48ec497ddca854f23b6b852d4183653b7b461f0c9bbe7f06c37a4
Instruction ID: 0c0eef8aac9374081f6669d655c3be3116369b3939affcc587e91564fd5685db
Opcode Fuzzy Hash: f9374cd462d48ec497ddca854f23b6b852d4183653b7b461f0c9bbe7f06c37a4
Instruction Fuzzy Hash: 6F41B771900A6CAFEB20CBA8CC89FDA77B5FB84304F1005E4E609B6245DB766BD58F45

Function 1000BA90 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

#823.MFC42(00001218), ref: 1000BA9E
WSAStartup.WS2_32(00000202,?), ref: 1000BAC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(?,?,?,?,1000BE18,00000000,00000000,?), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BE26), ref: 1000535E

memset.MSVCRT ref: 1000BB06

Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A00F
Part of subcall function 10009FAB: wsprintfA.USER32 ref: 1000A027
Part of subcall function 10009FAB: #823.MFC42(0007D000), ref: 1000A035
Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A063

Sleep.KERNEL32(0002BF20), ref: 1000BB28
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BB4E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BB5D
CloseHandle.KERNEL32(?), ref: 1000BB67
Sleep.KERNEL32(0002BF20), ref: 1000BB72
CloseHandle.KERNEL32(?), ref: 1000BB84

Strings

0x5d65r455f, xrefs: 1000BAC7
5762479093, xrefs: 1000BB12

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$5762479093
API String ID: 1869492179-2446933972
Opcode ID: 94eacd19ac9e3f340b43cdaa37d3b92378c873ca01f9d8870225a9e7b7636ef4
Instruction ID: ee4fe3ff80eea35deae1171875856fc337cdd1930f9e5ee3871eb6d0d01d88b9
Opcode Fuzzy Hash: 94eacd19ac9e3f340b43cdaa37d3b92378c873ca01f9d8870225a9e7b7636ef4
Instruction Fuzzy Hash: 922184B5A40214BBF710DBE0CD8BFDD7774EB55741F2041A4FA09962C8DB706A508B96

Function 1000BC72 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

#823.MFC42(00001218), ref: 1000BC80
WSAStartup.WS2_32(00000202,?), ref: 1000BCA3

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(?,?,?,?,1000BE18,00000000,00000000,?), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BE26), ref: 1000535E

memset.MSVCRT ref: 1000BCE8

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: #823.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BD0A
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BD30
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BD3F
CloseHandle.KERNEL32(?), ref: 1000BD49
Sleep.KERNEL32(001B7740), ref: 1000BD54
CloseHandle.KERNEL32(?), ref: 1000BD66

Strings

2073372682, xrefs: 1000BCF4
0x5d65r455f, xrefs: 1000BCA9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$2073372682
API String ID: 1869492179-3710683282
Opcode ID: 2c12c9c86722548109ae9565ac238bd51e312ceeb0f883a19a6ee516163beeaf
Instruction ID: ec3ba378adc137da86a7fa9cbe3624fdafc09a65b00566f21923adef7c9e2253
Opcode Fuzzy Hash: 2c12c9c86722548109ae9565ac238bd51e312ceeb0f883a19a6ee516163beeaf
Instruction Fuzzy Hash: 93218475A40214BBFB10DFE0CC8AFDD7774EB54741F2041A5F6099A2D5EB706A508B92

Function 1000F8F9 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 64fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE30
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE46
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE5C

wsprintfA.USER32 ref: 1000F97A
DeleteFileA.KERNEL32(00000000), ref: 1000F98A
memset.MSVCRT ref: 1000F99E
wsprintfA.USER32 ref: 1000F9B9
DeleteFileA.KERNEL32(00000000), ref: 1000F9C9
DeleteFileA.KERNEL32(C:\1.vbs), ref: 1000F9D4

Strings

%s\V3Lite.exe, xrefs: 1000F9AD
InstallPath, xrefs: 1000F947
C:\1.vbs, xrefs: 1000F9CF
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F94C
%s\ASDSvc.exe, xrefs: 1000F96E

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$DeleteFile$wsprintf
String ID: %s\ASDSvc.exe$%s\V3Lite.exe$C:\1.vbs$InstallPath$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==
API String ID: 1479746147-790033058
Opcode ID: 6be13bac7d6b82b3690282dcaff2bc6d306049f5a176ea6c87080b7cd5a5ece8
Instruction ID: f215d92e77ce3a5c78d523243808b9991fe340b608679801f3eb1f41650c3736
Opcode Fuzzy Hash: 6be13bac7d6b82b3690282dcaff2bc6d306049f5a176ea6c87080b7cd5a5ece8
Instruction Fuzzy Hash: A911B9B5910614BBE710D7A4DD89FD67378EB24300F4001D5F749A6182DBF166D88F91

Function 1001918D Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 100195EB
%s%s, xrefs: 100195A9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s$%s%s%s
API String ID: 0-1506711308
Opcode ID: d26ac56720e6fa4133ffd2c29b5772131c616a4546ff30e4a30a15a7ace6716c
Instruction ID: 1b0eed813cd41f00183d0b197e2e5daecf5a10244d38070a600e8291b70de81b
Opcode Fuzzy Hash: d26ac56720e6fa4133ffd2c29b5772131c616a4546ff30e4a30a15a7ace6716c
Instruction Fuzzy Hash: DD0215B4904228DBDB26CF54C984BA9B7B9EB49305F1482D9E81DAB291D730EFC5CF50

Function 1001EAC3 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 1001EAD1
GetFileSize.KERNEL32(?,00000000), ref: 1001EBA0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1001EBBD
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1001EBD3
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1001EBE3
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1001EBF9

Strings

(, xrefs: 1001EBA9
PE, xrefs: 1001EC5E

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID: ($PE
API String ID: 2979504256-3347799738
Opcode ID: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction ID: a2f518cc74f5bf6d3c6c6775fd81b0518a7a4a596ada43fd48c2c3d5df82ea48
Opcode Fuzzy Hash: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction Fuzzy Hash: 27810D71E00248ABEB08CFD4D895BAEB7B5FF88340F148129F515AB294D734E886CF94

Function 1000A780 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?,?,3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6), ref: 1000A7E8
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A80A
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8A2
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8DC

Strings

3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6, xrefs: 1000A7A1

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open$Create
String ID: 3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6
API String ID: 161609438-2950796024
Opcode ID: ef2fbcb27b8e80c65c7bfb52c27908ac59606afa5fb911c633e3f8b117de5e7f
Instruction ID: e3d78695a21ea1c89d74b4d509c2f3cee1bcccb682452cc6d6267459aaa28678
Opcode Fuzzy Hash: ef2fbcb27b8e80c65c7bfb52c27908ac59606afa5fb911c633e3f8b117de5e7f
Instruction Fuzzy Hash: 83512F75A04209EFEB14CF95CC85FEE77B8EB49780F208219FA15A7284D775E981CB60

Function 1000C668 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10006322: GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

CloseHandle.KERNEL32 ref: 1000C6D1
Sleep.KERNEL32(00001388), ref: 1000C6DC
MoveFileExA.KERNEL32(00000000,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000C6EF
CopyFileA.KERNEL32(00000000,?,00000000), ref: 1000C702
DeleteFileA.KERNEL32(00000000), ref: 1000C70F
Sleep.KERNEL32(000003E8), ref: 1000C71A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 1000C736

Strings

%s\data.db, xrefs: 1000C6A4
C:\Users\user\Desktop, xrefs: 1000C69F
hosts, xrefs: 1000C677

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleSleep$CopyDeleteHeapMoveProcessWritestrlen
String ID: %s\data.db$C:\Users\user\Desktop$hosts
API String ID: 3797919734-1156305087
Opcode ID: ca7c065bd05ec455db73442019e0761ecc36576fc6198c004b6018ae76b920b4
Instruction ID: ca9eced6d139d72cbf745a5d6e173cc3cf38a9b0f72baade56381096d8a5a544
Opcode Fuzzy Hash: ca7c065bd05ec455db73442019e0761ecc36576fc6198c004b6018ae76b920b4
Instruction Fuzzy Hash: 272180B6600218BBEB14DFA4DC85FCA3769FB58710F104694FB199B1C0DBB1AA95CB50

Function 1000BB90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 62sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

#823.MFC42(00001218), ref: 1000BB9E
WSAStartup.WS2_32(00000202,?), ref: 1000BBC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(?,?,?,?,1000BE18,00000000,00000000,?), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BE26), ref: 1000535E

CloseHandle.KERNEL32(?), ref: 1000BC66

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: #823.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BC0D
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BC33
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BC42
CloseHandle.KERNEL32(?), ref: 1000BC4C
Sleep.KERNEL32(0002BF20), ref: 1000BC57

Strings

0x555dasfas, xrefs: 1000BBC7
2963854030, xrefs: 1000BBF7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823CloseCreateHandleSleepmemset$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x555dasfas$2963854030
API String ID: 2513000192-3075894505
Opcode ID: f581159c8b920642b07fda03d5a069f6c1153244831cf3f84f3979bde83e58b0
Instruction ID: d84f95eccd45cc1831ea6bca91d576b8e54f65b4ebe8b4c65b06786423185a31
Opcode Fuzzy Hash: f581159c8b920642b07fda03d5a069f6c1153244831cf3f84f3979bde83e58b0
Instruction Fuzzy Hash: DB21B1B5A40214BBFB10DFE0CD8AFDD7775EB55341F2041A4FA099A284DB706A91CB52

Function 1000E56F Relevance: 16.7, APIs: 11, Instructions: 155COMMON

Download Yara Rule

APIs

#389.MFC42(00000000,00000001,00000000,00000000,00000000,00000000,1002B314,?), ref: 1000E5CF

Part of subcall function 10011260: #6059.MFC42(0000001A,00000018,00000004,?,?,?,1000E5F7,00000002,00001388,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 10011278

#3229.MFC42(?,?,00000000,00000000,00000003,00000001,00000000,00000002,00001388,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1000E615
#5204.MFC42(00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000,00000003,00000001,00000000,00000002,00001388), ref: 1000E639
#5808.MFC42(00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000,00000003), ref: 1000E656
#825.MFC42(?,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000), ref: 1000E66E
#1988.MFC42 ref: 1000E696
#690.MFC42 ref: 1000E6A9
#5356.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000), ref: 1000E6C4
#825.MFC42(?,00000000,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000), ref: 1000E707
#1988.MFC42 ref: 1000E72F
#690.MFC42 ref: 1000E74A

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #1988#690#825$#3229#389#5204#5356#5808#6059
String ID:
API String ID: 750444078-0
Opcode ID: 394e7e0e41f094beb362624b43e9f41afe01b2aa1aa5913779d0045c6411050d
Instruction ID: 8cbeb0501cddcc4fa9454f6396665e098d0c89f18aa46a5fb3ec1c99581ef467
Opcode Fuzzy Hash: 394e7e0e41f094beb362624b43e9f41afe01b2aa1aa5913779d0045c6411050d
Instruction Fuzzy Hash: 23510678E00289EBEB14CF94E996BDEBBB1EF14700F204118F5017B2D0DBB56A45CBA5

Function 10010940 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 248comstringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10010968
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1001098D
CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,?), ref: 100109A8

Part of subcall function 10010360: #823.MFC42(0000000C), ref: 10010380

CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,ROOT\CIMV2,00000000,00000000,00000000,00000000,00000000), ref: 10010A3B

Strings

SELECT * FROM , xrefs: 10010AB4
WHERE , xrefs: 10010B06
WQL, xrefs: 10010B6B
ROOT\CIMV2, xrefs: 100109D1

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823BlanketCreateInitializeInstanceProxySecuritystrlen
String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
API String ID: 868409568-2582412207
Opcode ID: 0b1c493b6300b185faeef4bbcb785bd1bb5deb8c26a84d104b629a9d0e603fdb
Instruction ID: 7b10e002b46c1d1155e527ff94f94c019a2730ba165861cb6736b6db6a85f666
Opcode Fuzzy Hash: 0b1c493b6300b185faeef4bbcb785bd1bb5deb8c26a84d104b629a9d0e603fdb
Instruction Fuzzy Hash: 51A10874A00249EBDB04CFA4CD95BEEB7B4FF14314F208258F5516B2D2D7B4AA86CB91

Function 1000D232 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(%systemroot%\system32\csrss.exe,?,00000104), ref: 1000D24F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000208), ref: 1000D288
GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 1000D298
GetProcAddress.KERNEL32(00000000), ref: 1000D29F
GetCurrentProcess.KERNEL32(00000000,00000000,00000018,?), ref: 1000D2D6
wcscpy.MSVCRT ref: 1000D312

Strings

ntdll.dll, xrefs: 1000D293
%systemroot%\system32\csrss.exe, xrefs: 1000D24A
NtQueryInformationProcess, xrefs: 1000D28E

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressByteCharCurrentEnvironmentExpandHandleModuleMultiProcProcessStringsWidewcscpy
String ID: %systemroot%\system32\csrss.exe$NtQueryInformationProcess$ntdll.dll
API String ID: 703503636-1587409518
Opcode ID: 16e8cc6f885ab911403d2e92a43e5beb8dc420c2700c25a13747479c11583a96
Instruction ID: 75c8c6ca4eca9531070ab138d571ed85465adb1278dffc9cdccdb54ec997b6c6
Opcode Fuzzy Hash: 16e8cc6f885ab911403d2e92a43e5beb8dc420c2700c25a13747479c11583a96
Instruction Fuzzy Hash: 17212F71910218BFEB55CBA4CC89FDAB7B8EB48310F504199E609E6291DB705B45CF51

Function 10006F92 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006FAA
strlen.MSVCRT ref: 10006FC3
strlen.MSVCRT ref: 10006FDC
strlen.MSVCRT ref: 10006FF5
strrchr.MSVCRT ref: 1000700D
strcpy.MSVCRT(00000000,?), ref: 10007068
strrchr.MSVCRT ref: 10007079

Strings

123, xrefs: 1000701C

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPathstrcpy
String ID: 123
API String ID: 2937644721-2286445522
Opcode ID: c92ddcd043868cee58f50fe632568ab773f7e50683516b09362387f73bfe27a2
Instruction ID: b10010325145a17280ae543c62f60846424ed8c502da58d9684bb6765ff15b86
Opcode Fuzzy Hash: c92ddcd043868cee58f50fe632568ab773f7e50683516b09362387f73bfe27a2
Instruction Fuzzy Hash: 634173FAD00248BBEB14CBA4DC42BDE77B5EF58340F1445A4F9099B241E636EB84CB91

Function 10006B4B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006B59
strlen.MSVCRT ref: 10006B6E
strlen.MSVCRT ref: 10006B87
strlen.MSVCRT ref: 10006BA0
strrchr.MSVCRT ref: 10006BCC
strcpy.MSVCRT(00000000,?), ref: 10006C0F
strrchr.MSVCRT ref: 10006C20

Strings

123, xrefs: 10006BB2

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPathstrcpy
String ID: 123
API String ID: 2937644721-2286445522
Opcode ID: ad5764e3f5345bc081f251e2548d5f2685771607ef92c37fc11ccc4e69d700ab
Instruction ID: 79c25a0058445eb4a21c39191d2c2c99bec266b48e571f529a8f3a9425a03f32
Opcode Fuzzy Hash: ad5764e3f5345bc081f251e2548d5f2685771607ef92c37fc11ccc4e69d700ab
Instruction Fuzzy Hash: E531B8FAD00248BBEB10CBA4DC81ADE77B5EF58340F1445A4F9499B241E776EB848BD1

Function 100060BF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE
CloseHandle.KERNEL32(000000FF), ref: 1000610B

Strings

NUL, xrefs: 100060D9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: NUL
API String ID: 3498533004-1038343538
Opcode ID: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction ID: e9d1fb6442f0c914e32f04b904cbdd2044a8a5df72d57b902c957921bdc8d841
Opcode Fuzzy Hash: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction Fuzzy Hash: 7C313D7090022AEBEB10CBE4CC85BEEB7B6FF49344F344554EA117B286C730AA55DB91

Function 1000AF61 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005ECD

CreateMutexA.KERNEL32(00000000,00000001,Global\98012trt8-d8dfsf), ref: 1000AF86
GetLastError.KERNEL32 ref: 1000AF8F
ReleaseMutex.KERNEL32(?), ref: 1000AFC4
CloseHandle.KERNEL32(?), ref: 1000AFCE

Strings

c:\11.txt, xrefs: 1000AFAC
SeDebugPrivilege, xrefs: 1000AF69
ERROR_ALREADY_EXISTS, xrefs: 1000AFA7
Global\98012trt8-d8dfsf, xrefs: 1000AF7D

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MutexProcess$CloseCreateCurrentErrorHandleLastOpenReleaseToken
String ID: ERROR_ALREADY_EXISTS$Global\98012trt8-d8dfsf$SeDebugPrivilege$c:\11.txt
API String ID: 1194210303-4205529783
Opcode ID: 346587fcec51f6904d46a3faa18aa7be2c85284afea264f999be3552b0d5042c
Instruction ID: bda5bf97716bd855d7aa97815c2b0071a65dd76f9c377fc55d067d3e89c7e2b6
Opcode Fuzzy Hash: 346587fcec51f6904d46a3faa18aa7be2c85284afea264f999be3552b0d5042c
Instruction Fuzzy Hash: 8AF0FF74D01309FBEB10DBE0DC89F8D7BB5EB15342F504155F90562251DB755684CB51

Function 10007F89 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
strchr.MSVCRT ref: 10007FD3
strcat.MSVCRT(?,1002D030), ref: 10007FFD
strcat.MSVCRT(?, ), ref: 1000800E
strcat.MSVCRT(?,?), ref: 1000801E
strcat.MSVCRT(?,1002A4A0), ref: 1000802F
strchr.MSVCRT ref: 10008049

Strings

, xrefs: 10008005
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007FB0

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$strchr$strcpy
String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 1601127630-230412946
Opcode ID: 41f26c6accb2f07912a267ebda57fa8b55c3471a5e35b6ab80e4e018df100667
Instruction ID: 2bc11947cdbfdc4e0e0399083b1b6a46f6613d3c1d050bc1cbc246461a669991
Opcode Fuzzy Hash: 41f26c6accb2f07912a267ebda57fa8b55c3471a5e35b6ab80e4e018df100667
Instruction Fuzzy Hash: 91219379D00158ABDB11CFA8ED81BDD7774FB68302F5084A5EA0CA7244D6B5ABD48BA0

Function 1000F6C6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F6DA
Process32First.KERNEL32(00000000,00000128), ref: 1000F701
Process32Next.KERNEL32(00000000,00000128), ref: 1000F716
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F733
wsprintfA.USER32 ref: 1000F77C
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F7F2

Strings

pid_%d, xrefs: 1000F770

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpiwsprintf
String ID: pid_%d
API String ID: 4001055788-1598735649
Opcode ID: 01377ba2cc78994f382303db5a12c6f18318cb4a9a29c4c9f853870c8b3069f6
Instruction ID: 59d176645be9f04bb26ee433655dbf4130f8e3c040d17e964c81358d2afa4e4c
Opcode Fuzzy Hash: 01377ba2cc78994f382303db5a12c6f18318cb4a9a29c4c9f853870c8b3069f6
Instruction Fuzzy Hash: 0E312AB5C05218EBEB60DFA4CC85BEDB7B4EF08340F1044EAE50DA6255E6746B84DF52

Function 1001E8B0 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1001E8B8

Part of subcall function 10020E70: _mbsicmp.MSVCRT ref: 10020E7B

Strings

.zoo, xrefs: 1001E938
.arc, xrefs: 1001E951
.tgz, xrefs: 1001E9B5
.gz, xrefs: 1001E99C
.zip, xrefs: 1001E91C
.lzh, xrefs: 1001E96A
.arj, xrefs: 1001E983

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbsicmpstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 374816253-51310709
Opcode ID: 317a8d3a52e6e2c7822bcc18a7a21d28f2ea753de992057b8ae1116e117e7d79
Instruction ID: 474fb3fc50715706ac2a2c072b819cddb3fbd2e7913964fa73169eb9b30377a6
Opcode Fuzzy Hash: 317a8d3a52e6e2c7822bcc18a7a21d28f2ea753de992057b8ae1116e117e7d79
Instruction Fuzzy Hash: 63314479D04289F7CF54CAE0AD81D9D73A6EB12385F604865F9049F201E632FF80BBA1

Function 1000FBB6 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1000FBDA

Part of subcall function 100114B0: CoCreateInstance.OLE32(00000000,10024578,1000FC00,1002B698,00000017,?,?,1000FC00,10024578,00000000,00000017), ref: 100114CC

Strings

HTTP, xrefs: 1000FDC8
kbstar, xrefs: 1000FE07

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: HTTP$kbstar
API String ID: 3519745914-2680672251
Opcode ID: 7b54d7a89ab3fc3904124e9d3827ec15e08948baa32502908f6dafc121aab748
Instruction ID: 9b087257b2d78664e1fb2868d3fa2a7417bdd63f7f02c79d2c8d96f0c736bea5
Opcode Fuzzy Hash: 7b54d7a89ab3fc3904124e9d3827ec15e08948baa32502908f6dafc121aab748
Instruction Fuzzy Hash: 98A11574D00648DFDB08DFA4C995BEDBBB1FF58344F20815CE412AB292EB34AA45DB91

Function 10008377 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

#823.MFC42(00000001), ref: 100083C5
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 10008408
#825.MFC42(?), ref: 1000845B
#823.MFC42(00000001), ref: 1000846D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 10008493
#825.MFC42(?), ref: 100084D5
CloseHandle.KERNEL32(00000000), ref: 100084EA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823#825$CloseHandleMemoryProcessQueryReadVirtual
String ID:
API String ID: 2613863258-0
Opcode ID: 6492e84c41996e9bd7dbf0e5955a202649cfc6ab2973edb0475e89cdcf6327ec
Instruction ID: 4ce35375b4bad31ba0a910ff1afeab1654858517ab5a746a47daf2776de4f8ea
Opcode Fuzzy Hash: 6492e84c41996e9bd7dbf0e5955a202649cfc6ab2973edb0475e89cdcf6327ec
Instruction Fuzzy Hash: 8B51E3B5E00219AFEB14CFD8D981AAEB7B5FF88340F208129E945A7354D774AA81CF50

Function 1001904F Relevance: 10.6, APIs: 7, Instructions: 94stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 10019062
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019073
memcpy.MSVCRT(?,?,?), ref: 100190FA
strcpy.MSVCRT(00000000,00000000), ref: 1001914D
strcat.MSVCRT(00000000,?), ref: 10019160
GetFileAttributesA.KERNEL32(00000000), ref: 1001916F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019183

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0a274246200bf0cba39160429ffae5af4f8994b8f4308c75b62148e0f159f8f4
Instruction ID: 9d745a1a41eb4a7a2a12bfbab4145b738384b9807def3fcce6aed419c037e121
Opcode Fuzzy Hash: 0a274246200bf0cba39160429ffae5af4f8994b8f4308c75b62148e0f159f8f4
Instruction Fuzzy Hash: C7413579D04118ABCB19CFA4D894AEDBBB5EF59310F208699E9599B240D770EFC0CF90

Function 1000A617 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A65F
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A671
strcat.MSVCRT(00000000,00000000), ref: 1000A68C
strcat.MSVCRT(00000000,00000000), ref: 1000A6A9

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008F48,?,10008F48,00000000,?,?,?), ref: 1000530B

Part of subcall function 1000A519: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000A694
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000A677

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryFileSystemstrcat$CreateExistsPath
String ID: XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==
API String ID: 2901936783-2249354660
Opcode ID: c339edc15dae48771cc0a89d1cdb89d2a9ac8e4f15f5388387db895ae4ea6257
Instruction ID: 12b72cb5e04ffb9a7e9ac27504f08d15284b6b879465d20345e618696946c61d
Opcode Fuzzy Hash: c339edc15dae48771cc0a89d1cdb89d2a9ac8e4f15f5388387db895ae4ea6257
Instruction Fuzzy Hash: 9021F8FAC04208BBFB10D7A0DC45BCE7378DB14380F1086A5FB0996145EEB5ABC88B91

Function 10006C88 Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10006CC5
GetFileSize.KERNEL32(?,00000000), ref: 10006CEA
#823.MFC42(00000000), ref: 10006CF7
memset.MSVCRT ref: 10006D35
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?,?,00000000), ref: 10006D59
CloseHandle.KERNEL32(?,00000000), ref: 10006DA7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$#823CloseCreateHandleReadSizememset
String ID:
API String ID: 1555946038-0
Opcode ID: 29ab5b09576810875001245476114a1ad68bf45eb85c5cd0769b66aaa44e60a6
Instruction ID: 20d629e5142875753669a35d1e811c0194670abf32d4287b49ac12e2b780f710
Opcode Fuzzy Hash: 29ab5b09576810875001245476114a1ad68bf45eb85c5cd0769b66aaa44e60a6
Instruction Fuzzy Hash: DA316179A00294ABEB25CF54CC85BCAB375FB4C341F1085D5FA49A7284D6B4AAD4CF50

Function 1000600B Relevance: 10.6, APIs: 7, Instructions: 63memorythreadsynchronizationCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000008,00000214), ref: 1000601E
CreateThread.KERNEL32(00000000,00000000,Function_00005FD3,?,00000000,00000000), ref: 10006040
WaitForSingleObject.KERNEL32(?,00000064), ref: 1000604F
TerminateThread.KERNEL32(?,00000000), ref: 10006067
CloseHandle.KERNEL32(?), ref: 10006071
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 100060A0
HeapFree.KERNEL32(00000000,00000000,?), ref: 100060B3

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: HeapThread$AllocByteCharCloseCreateFreeHandleMultiObjectSingleTerminateWaitWide
String ID:
API String ID: 3981182571-0
Opcode ID: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction ID: 97dbfb0626745b3a13ce99f142d6799707a3ad8bdba7c53ac94dcc1e3c2afbb3
Opcode Fuzzy Hash: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction Fuzzy Hash: 3B21BAB4A40218BFFB04DBD4CC8AF6E7775EB48701F208558FB15AB2D0C671AA51CB54

Function 10021563 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10021576
#823.MFC42(00000002,?,?,SELECT * FROM ,?,?,100105BB,?,?,?,100112AB), ref: 10021580
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,SELECT * FROM ,?,?,100105BB,?,?), ref: 100215A2
GetLastError.KERNEL32(?,?,100105BB,?,?,?,100112AB), ref: 100215B2
GetLastError.KERNEL32(?,?,100105BB,?,?,?,100112AB), ref: 100215B8

Strings

SELECT * FROM , xrefs: 10021573

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$#823ByteCharMultiWidewcslen
String ID: SELECT * FROM
API String ID: 902154227-3303663155
Opcode ID: 704ba5e5b97089e1d608680abf766550f42eff493be7b71298ae31216dfaa0a6
Instruction ID: f102809e0f6523f15fafc923be23898a7ca290de0f5e000ccec9650aaf4368e9
Opcode Fuzzy Hash: 704ba5e5b97089e1d608680abf766550f42eff493be7b71298ae31216dfaa0a6
Instruction Fuzzy Hash: 4FF0286A20427ABD9210A6726C84DBBBACCDEE12F47E2467AF515D2041D815AC0181F0

Function 100214EE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,SELECT * FROM ,?,10010494,10010314,00000000), ref: 10021500
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,10010494,10010314,00000000), ref: 10021527
GetLastError.KERNEL32(?,00000001,?,10010494,10010314,00000000), ref: 10021537
GetLastError.KERNEL32(?,00000001,?,10010494,10010314,00000000), ref: 1002153D
SysAllocString.OLEAUT32 ref: 10021554

Strings

SELECT * FROM , xrefs: 100214F5

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID: SELECT * FROM
API String ID: 4196186757-3303663155
Opcode ID: fbeb1dc987d5565d8cd33f994c123183916c8323c806cd32ef7be09ecb3f6d43
Instruction ID: 1fe5ed956030cf47e0064620fe093005c6aabeb1075080af0839e4b43014f2e2
Opcode Fuzzy Hash: fbeb1dc987d5565d8cd33f994c123183916c8323c806cd32ef7be09ecb3f6d43
Instruction Fuzzy Hash: 7501F436500526F7E7209BA1DC85FDA3FA8EF613A1FB18031FD09D1090E730956286A1

Function 1001013C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97sleepCOMMON

Download Yara Rule

APIs

#823.MFC42(00080000), ref: 1000C876
memset.MSVCRT ref: 1000C932
Sleep.KERNEL32(000927C0,1002AEDC), ref: 1000C981

Strings

c:\1.txt, xrefs: 1000C96D
iOffset, xrefs: 1000C968

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823Sleepmemset
String ID: c:\1.txt$iOffset
API String ID: 2949079935-4225217792
Opcode ID: 86103506c7addac68b31150260902d2b03ea0215fe9d69f4dd18da4ef50cedf3
Instruction ID: 0d63e7e8d13cdce4e31ad5bf43aed05947f48fcc07a2962bf28d4430752a5e68
Opcode Fuzzy Hash: 86103506c7addac68b31150260902d2b03ea0215fe9d69f4dd18da4ef50cedf3
Instruction Fuzzy Hash: 7D31B679D04218AFDF15CB60DC45FDA77B5FB58340F5040A8E608A7241EB75AF988F91

Function 1000CB08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96sleepCOMMON

Download Yara Rule

APIs

#823.MFC42(00080000), ref: 1000CB24
memset.MSVCRT ref: 1000CBD2
Sleep.KERNEL32(000927C0), ref: 1000CC09
#825.MFC42(?), ref: 1000CD04

Strings

http://107.163.56.240:18963/main.php, xrefs: 1000CBAF

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823#825Sleepmemset
String ID: http://107.163.56.240:18963/main.php
API String ID: 2572778719-1318255662
Opcode ID: 1020f20caefb146d7e7abf932700f3437a05190bfa173a27e1e8f91eb68cd729
Instruction ID: 520fa099bf6636a67ec87b4395c9e562b58ac5855c3bd3a7724cd16d5891c8ea
Opcode Fuzzy Hash: 1020f20caefb146d7e7abf932700f3437a05190bfa173a27e1e8f91eb68cd729
Instruction Fuzzy Hash: C131D2B5D0024CABEB14CB94DC41FDEB7B5EB58301F1044E8E608A7280EBB56B84CF91

Function 10008F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008F48,?,10008F48,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008F76

Strings

%s\lang.ini, xrefs: 10008F28
C:\Users\user\Desktop, xrefs: 10008F23
http://, xrefs: 10008FBD
search, xrefs: 10008FD6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-4017829776
Opcode ID: 67d2f1b73f45f96fd97a9823b5415df8928becf4b93010400d0afbdc04a31f7c
Instruction ID: 60212f5056ad82ff0ae5ea45a156ac378cfaaf25f5a26cee64a353fcc168191f
Opcode Fuzzy Hash: 67d2f1b73f45f96fd97a9823b5415df8928becf4b93010400d0afbdc04a31f7c
Instruction Fuzzy Hash: 9D21C8759042097BEB60C674DC02FDB7369EB24380F5045B4BB88E6185EBB5FB848B95

Function 1000883B Relevance: 8.8, APIs: 7, Instructions: 67stringmemoryCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000885E
GlobalAlloc.KERNEL32(00000040,-00000001), ref: 1000887C
memset.MSVCRT ref: 10008892
strcpy.MSVCRT(00000000,00000000), ref: 100088A2
memset.MSVCRT ref: 100088D6
strcpy.MSVCRT(00000000,00000001), ref: 100088E9
GlobalFree.KERNEL32(00000000), ref: 100088F5

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Globalmemsetstrcpy$AllocFreestrlen
String ID:
API String ID: 1071719858-0
Opcode ID: f2656b163775532b35066ee2ca9ac8d7ff4e36fc82a8a207b985926f0241f2ae
Instruction ID: 371cdc15c4be44a3cd0437dc71fa5aaac8cd8a0fdcd6f9490a1cbaeabdbd2086
Opcode Fuzzy Hash: f2656b163775532b35066ee2ca9ac8d7ff4e36fc82a8a207b985926f0241f2ae
Instruction Fuzzy Hash: A3219DB9D00208FBEB04CFD4D885B9DBBB4FF44304F50C158EA046B345D671AB948B95

Function 1000D747 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1000D75F
srand.MSVCRT ref: 1000D766
rand.MSVCRT ref: 1000D76F
rand.MSVCRT ref: 1000D7BA

Strings

3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000D754

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$CountTicksrand
String ID: 3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6
API String ID: 3923125369-3761970555
Opcode ID: 39cfaf2472d07494ca3fecfcd14674d073b1fbb7506bc99ad551c6c9032b2baa
Instruction ID: c47e3bfe719f9485747eb6087ceb58e843113811c8e03733fffe917483192d7e
Opcode Fuzzy Hash: 39cfaf2472d07494ca3fecfcd14674d073b1fbb7506bc99ad551c6c9032b2baa
Instruction Fuzzy Hash: 6611B830805108EFDB00EFA8D894A9EBBB6FF44320F30419AED09E7345D331AA51DBA0

Function 1000C5F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37sleepstringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 1000C5F9
memset.MSVCRT ref: 1000C613
Sleep.KERNEL32(0000EA60), ref: 1000C63A
#825.MFC42(?), ref: 1000C652

Strings

found~!, xrefs: 1000C5F0

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #825Sleepmemsetstrstr
String ID: found~!
API String ID: 1104890065-3563639675
Opcode ID: ebbe5ee820536727c5e8e68492e8c1f72386ea798bf5ebbaafc4a37b6eee2fe6
Instruction ID: 4c88d3d67d77efa205b83bf9e0aa2da9bfc5f90372c2bd6754cbe67f8c581231
Opcode Fuzzy Hash: ebbe5ee820536727c5e8e68492e8c1f72386ea798bf5ebbaafc4a37b6eee2fe6
Instruction Fuzzy Hash: DDF044B6E00108EBEB14CB94DD86F9EB378EB98201F104594FA09A7241EA71AF559F51

Function 1001ED1E Relevance: 7.7, APIs: 5, Instructions: 155fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001ED93
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001EDF5
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 1001EE7C
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1001EEAC
CloseHandle.KERNEL32(00000000), ref: 1001EEC8

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Create$CloseHandleMappingPointerView
String ID:
API String ID: 1737989552-0
Opcode ID: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction ID: 743c727af9f4ebea276fef19f0abd475d21ef0e9be5fc3ab0a1b21c44a59574f
Opcode Fuzzy Hash: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction Fuzzy Hash: 0561C874A0024ADFEB14CF54C545BAEB7F1FB48715F208659E8156B382C771DE81CBA1

Function 1001EF73 Relevance: 7.6, APIs: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

#825.MFC42(?,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFB3
#823.MFC42(000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFD4
memcpy.MSVCRT(00000000,?,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F000
memcpy.MSVCRT(1002B358,00004000,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F092
WriteFile.KERNEL32(00000000,00004000,000000FF,000000FF,00000000,?,1001FADC,?,000000FF,?,00004000), ref: 1001F0CC

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$#823#825FileWrite
String ID:
API String ID: 3892973715-0
Opcode ID: 81676e25db4ca176598addc8d6eb2e0d5bc52b60f970ed8fdece396b28bf26c4
Instruction ID: 4bd6022a4a2ec37f9ae3b9a4e2ff67f1137577e8ba2bc2d6a42e4c9f344f74e1
Opcode Fuzzy Hash: 81676e25db4ca176598addc8d6eb2e0d5bc52b60f970ed8fdece396b28bf26c4
Instruction Fuzzy Hash: 4651BAB8E00109DFCB44CF98D491AAEBBB6FF98314F508559E9099B346D771E981CF90

Function 1000A519 Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556
memset.MSVCRT ref: 1000A597
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 1000A5BB
CloseHandle.KERNEL32(?), ref: 1000A607

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleReadmemset
String ID:
API String ID: 1934991721-0
Opcode ID: 53c30f47d3f06a85bc5b86c4806c1c754cd7806d5cf83ba501eeee414bb54378
Instruction ID: 6a49061c0ed4d4591c571688064297fdf5beefa6cff065268dfcbfb052794fb4
Opcode Fuzzy Hash: 53c30f47d3f06a85bc5b86c4806c1c754cd7806d5cf83ba501eeee414bb54378
Instruction Fuzzy Hash: F2216275A00255ABEB21CB54CC81FDA7374FB4C382F1045A5FB49A7284D6B0AAC48F54

Function 1000F63B Relevance: 7.5, APIs: 5, Instructions: 43processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F64F
Process32First.KERNEL32(00000000,00000128), ref: 1000F672
Process32Next.KERNEL32(00000000,00000128), ref: 1000F687
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F6A0
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F6B9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction ID: 6a087116852af621f6414e876448160d89c161c3e2a286ec7096f0195759277d
Opcode Fuzzy Hash: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction Fuzzy Hash: AA014CB5D00208EBEB10EFE0CC85BEDB7B8EB08384F50848CA509A7254D7756B84DF50

Function 10008E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008F48,?,10008F48,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008E96

Strings

%s\lang.ini, xrefs: 10008E48
C:\Users\user\Desktop, xrefs: 10008E43
http://, xrefs: 10008EDD

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-989879249
Opcode ID: 4f542b5a43a9585d0fb728f4534e6faf036623f88c63656500b7082f11c228cc
Instruction ID: 524591cf8a4eee935b205e257a8c60c4d1d170a2f2a088a70314005468ca3b98
Opcode Fuzzy Hash: 4f542b5a43a9585d0fb728f4534e6faf036623f88c63656500b7082f11c228cc
Instruction Fuzzy Hash: CD21DAB5D04248B7EB20C664DC41FCB7368DB54790F1045A4FB89A61C5EBB1BBC48F95

Function 1000F85D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000,?,?,1000AFF2,SeDebugPrivilege,00000001), ref: 10005ECD

Part of subcall function 100055B0: OpenProcess.KERNEL32(?,?,?), ref: 100055BF

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000F8A3

Strings

SeDebugPrivilege, xrefs: 1000F865

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$OpenTimer$Concurrency::details::platform::__CreateCurrentQueueToken
String ID: SeDebugPrivilege
API String ID: 3835064167-2896544425
Opcode ID: 578df1c30f08b9dc197588dfc948558b9100933ad0a838eb6e3386d9d17cc1b4
Instruction ID: f5f6dc1e6b7425e5c68d5428da987bad7758b534205214ecf94fd92551b3d835
Opcode Fuzzy Hash: 578df1c30f08b9dc197588dfc948558b9100933ad0a838eb6e3386d9d17cc1b4
Instruction Fuzzy Hash: B511A5B5E40305BBFB10DBA49C47FDE7774EB04741F104568FB04BA2C5EA7166508765

Function 1000E4A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100), ref: 1000E4DB
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 1000E525
DeviceIoControl.KERNEL32(000000FF,00222000,00000000,00000400,00000000,00000000,?,00000000), ref: 1000E55F

Strings

\\.\moon, xrefs: 1000E4E7

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharControlCreateDeviceFileMultiWide
String ID: \\.\moon
API String ID: 1446495253-2167628891
Opcode ID: a4003923fcda2f578e899d20a9108578d07dec37fd52267a5a9c5c445162750c
Instruction ID: 051acbbcbb89b28befc8c21d9118dfbb7f3be26f5f9bc64a1c0d179abed0de4f
Opcode Fuzzy Hash: a4003923fcda2f578e899d20a9108578d07dec37fd52267a5a9c5c445162750c
Instruction Fuzzy Hash: 211124B4550228BAE720DB54CC85FD57778EB44710F1086A5F708B72D0E6B02A868F98

Function 10009296 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringtimeCOMMON

Download Yara Rule

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 100092DB

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008F7B,?,10008F7B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

strlen.MSVCRT ref: 10009303

Strings

%s\lang.ini, xrefs: 100092A4
C:\Users\user\Desktop, xrefs: 1000929F

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3442345488-2560215372
Opcode ID: a1c392ffaca451cc1ff692d885b7ef51f8b439a4a35c8f9f8a38270c44fa1f52
Instruction ID: 5c2cb0c0f0112b76a52748a175c0b0866aa9ac7b40e06f3532cdc33e9dc0b8a8
Opcode Fuzzy Hash: a1c392ffaca451cc1ff692d885b7ef51f8b439a4a35c8f9f8a38270c44fa1f52
Instruction Fuzzy Hash: C40148F9D0021867EB20DB64DC46FCA7378DB14740F4086A4BA88671C5EAB5BBC48FD5

Function 10016729 Relevance: 6.1, APIs: 4, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100167A3
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 100167D0
#823.MFC42(00000020), ref: 100167E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001684C

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pointer$#823Create
String ID:
API String ID: 3407337251-0
Opcode ID: b5510a289ba3cffc0c3acafa1324056d77e0b01de9b6f64820195aa23675ec53
Instruction ID: f591f9a745d53ad3dfe22ef2f77011fbbab233b3b6c88462e3b6b178e94e5e56
Opcode Fuzzy Hash: b5510a289ba3cffc0c3acafa1324056d77e0b01de9b6f64820195aa23675ec53
Instruction Fuzzy Hash: C4510B74E0424AEFDB11CF54C895B9EBBB1FB09304F108699EC216B381C7B5DA85CB91

Function 100088FF Relevance: 6.1, APIs: 4, Instructions: 92timeCOMMON

Download Yara Rule

APIs

#823.MFC42(?), ref: 10008909
memcpy.MSVCRT(?,?,?), ref: 10008926
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000899A
#825.MFC42(?), ref: 100089DA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$#823#825Concurrency::details::platform::__CreateQueuememcpy
String ID:
API String ID: 3300021417-0
Opcode ID: 9dc1afe3be16091d59b55d033826dc9f65877bf42079c645d6b17c6d24818035
Instruction ID: 48faa35ba49733c278f9528cd1fa272fbef8b4e165372624ad9d635f7decea62
Opcode Fuzzy Hash: 9dc1afe3be16091d59b55d033826dc9f65877bf42079c645d6b17c6d24818035
Instruction Fuzzy Hash: D8318EB4D00249FBDF04DFA8C891BAEB774FF44304F248598E945AB385D671AB40CB91

Function 100184CC Relevance: 6.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100184FF
strlen.MSVCRT ref: 1001850E
strcat.MSVCRT(?,1002B9C0), ref: 10018544
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1001855C

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: 89cb127a1215cba18aa6f9ac0dacec56d72d583a2d55468d3a1836c925004839
Instruction ID: f188ec4e713c2c71f7eb5b723c63b65f8f8fcafcc26953f087e5bf2a928976aa
Opcode Fuzzy Hash: 89cb127a1215cba18aa6f9ac0dacec56d72d583a2d55468d3a1836c925004839
Instruction Fuzzy Hash: C7317175D0064A9BDB00CB94C881BAE7BB6EF44300F144569E515AB281D330EBD1CB91

Function 1000C063 Relevance: 6.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C06D

Part of subcall function 1000BEF7: malloc.MSVCRT ref: 1000BF0F

strlen.MSVCRT ref: 1000C0A2
toupper.MSVCRT ref: 1000C0F0
tolower.MSVCRT ref: 1000C129

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$malloctolowertoupper
String ID:
API String ID: 1610385915-0
Opcode ID: 0cc83470ffc6f637b79aa227ac69da79fa06304a2bfbddb7e8a8602a3ae10d50
Instruction ID: 7a5db7ae6677982574b2aec189b42e08800268808c8d6061b8b5cfc946dd9c0f
Opcode Fuzzy Hash: 0cc83470ffc6f637b79aa227ac69da79fa06304a2bfbddb7e8a8602a3ae10d50
Instruction Fuzzy Hash: 45317C75D0428CEBDB04CFA8C8D0AAEBBB5EF42245F2441D9D841AB306C635AB90DB45

Function 10011150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(10010E30,?), ref: 10011190
SafeArrayAccessData.OLEAUT32(10010E30,00000000), ref: 100111AD
SafeArrayUnaccessData.OLEAUT32(10010E30), ref: 10011217
refcount_ptr.LIBCPMTD ref: 10011227

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccessVartyperefcount_ptr
String ID:
API String ID: 643252218-0
Opcode ID: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
Instruction ID: 2d86a0b6451a645c637edffcb08906b081acf8c9fc1e69a33f2e972db292452b
Opcode Fuzzy Hash: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
Instruction Fuzzy Hash: 7231ED75D00109EFCB08CF94C995BEEBBB5FF48310F208159E525AB281DB35AA45CBA1

Function 1000BD79 Relevance: 6.0, APIs: 4, Instructions: 33sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BDAC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BDBB
CloseHandle.KERNEL32(?), ref: 1000BDC5
Sleep.KERNEL32(00000064), ref: 1000BDCD

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleSleepThreadWait
String ID:
API String ID: 422747524-0
Opcode ID: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction ID: b9f77b51fdc0ce5c79c26bcc87bcad786e5d67b6ada7f4622830d9e7383a6a42
Opcode Fuzzy Hash: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction Fuzzy Hash: A8F03074A40208BBF704DFE4CD8AF9D7B75EB54711F208154FB059A2C4D7715A518B61

Function 100067AC Relevance: 6.0, APIs: 4, Instructions: 32filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
strlen.MSVCRT ref: 100067DB
WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
CloseHandle.KERNEL32(?), ref: 100067F6

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleWritestrlen
String ID:
API String ID: 1350020999-0
Opcode ID: 0a1d6ee50146cc1690db20bf1c370e88ce1d81e411ac174430f22ee8632b9691
Instruction ID: 9091ae99ca244d77819b183989e1c27e630e4a4cabccf0d25adc0486f95204c4
Opcode Fuzzy Hash: 0a1d6ee50146cc1690db20bf1c370e88ce1d81e411ac174430f22ee8632b9691
Instruction Fuzzy Hash: C5F082B9640208BBE710DBE4DCC6F9A777CAB48700F108144FF09A7280DA70A944CBA4

Function 100061D7 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 100061E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 100061FF
CloseHandle.KERNEL32(00000000), ref: 1000620D

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandleOpenTerminate
String ID:
API String ID: 2026632969-0
Opcode ID: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction ID: c3b055f7a518f1452caa67d907e4e45609d189d3ebd99e836d77498bd3e4c8c9
Opcode Fuzzy Hash: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction Fuzzy Hash: 6AF05875A44218FBE710DBE4DD88B5E7BA8EB0C381F308958FA05D7240D6309A819B50

Function 1000D353 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D39D
sprintf.MSVCRT ref: 1000D3B6

Part of subcall function 10004775: WinExec.KERNEL32(?,?), ref: 10004780

Strings

cmd /c ping 127.0.0.1 -n 3&del "%s", xrefs: 1000D3AA

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExecFileModuleNamesprintf
String ID: cmd /c ping 127.0.0.1 -n 3&del "%s"
API String ID: 2282574455-535577241
Opcode ID: cd4c8ed191231bf0686fe6eee6e6eea8811d3eeca482f20c36b9df9eb8c53bce
Instruction ID: 4c3116803300035bcbd1676adb6b892ccd2850cdd67f2c9595bb7bb93f3c9608
Opcode Fuzzy Hash: cd4c8ed191231bf0686fe6eee6e6eea8811d3eeca482f20c36b9df9eb8c53bce
Instruction Fuzzy Hash: 1DF0C272910218BBEB11C7A8CCA5BD6F7BCAB54300F4001E5E70CA6181EFB52B9C8F91

Function 1000F7FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 1000F809
GetLocalTime.KERNEL32(?), ref: 1000F842

Strings

-, xrefs: 1000F81B

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LocalTime
String ID: -
API String ID: 481472006-2547889144
Opcode ID: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction ID: 54c5f6dbd1dfb4096c870d722f7c1ff444cf4a43efea41441fbe41cbc9c571be
Opcode Fuzzy Hash: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction Fuzzy Hash: 47F04471D0120AEBEB14DFA4C6856FDB7B4EF40740F20C1ADD801AB648DA34AB09FB52

Function 1000CCA0 Relevance: 5.0, APIs: 4, Instructions: 25stringsleepCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000CCA5
strcmp.MSVCRT ref: 1000CCBB
wsprintfA.USER32 ref: 1000CCD5

Part of subcall function 100084F9: wsprintfA.USER32 ref: 1000853B
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085AF
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085CE
Part of subcall function 100084F9: CreateDirectoryA.KERNEL32(?,00000000), ref: 100085E0

Sleep.KERNEL32(000927C0), ref: 1000CCE9

Memory Dump Source

Source File: 00000004.00000002.4590304772.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4590278781.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590338951.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590359464.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590381948.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590408728.0000000010040000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590444086.000000001005C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590461770.000000001005E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590475393.000000001005F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590489407.0000000010060000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590505076.0000000010062000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590521135.0000000010063000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4590536311.0000000010065000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateDirectorySleepstrcmpstrlen
String ID:
API String ID: 1687963529-0
Opcode ID: 7b1965998932a123ea82642c2ef38be633acced2b8c6a045a05ac49829ad5489
Instruction ID: 6d1882572240d669c4fa5638fbf13e643bf3ab0aeb1a4a41bca8a5994fd9dbbd
Opcode Fuzzy Hash: 7b1965998932a123ea82642c2ef38be633acced2b8c6a045a05ac49829ad5489
Instruction Fuzzy Hash: 5EE092B5D00155ABF740DBD4ECC6EAF7264FB14281B540428F604C3119DB30BD198761

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OL50O9ho5M.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE905.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC71.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA1.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
OL50O9ho5M.dll

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre