Windows Analysis Report
gmqIbj35WF.dll

Overview

General Information

Sample name: gmqIbj35WF.dll (renamed because the original name is a hash value)
Original sample name: a50c68d387e4365eadec166d8aa577d3274b6e7d.dll
Analysis ID: 1558479
MD5: ed4dced3ec044d7f108f09f205f07218
SHA1: a50c68d387e4365eadec166d8aa577d3274b6e7d
SHA256: cdbb0d62b194c098e6a59b2dbe15de7837c1705e2de72abc076497536dbb2476
Tags: dll, user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4008 cmdline: loaddll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4208 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 2060 cmdline: rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 6588 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 6612 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 5316 cmdline: rundll32.exe C:\Users\user\Desktop\gmqIbj35WF.dll,Scheduler MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 5900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 5768 cmdline: rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 5324 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 6920 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 2196 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 4584 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2056 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 6612 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 1144 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5000 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source: 3.2.rundll32.exe.10000000.0.unpack
Rule: Winnti_NlaifSvc
Description: Winnti sample - file NlaifSvc.dll
Author: Florian Roth
Strings:
  • 0x44519:$x1: cracked by ximo
  • 0x445ce:$x1: cracked by ximo
  • 0x44683:$x1: cracked by ximo
  • 0x44738:$x1: cracked by ximo
  • 0x447ed:$x1: cracked by ximo
  • 0x448a2:$x1: cracked by ximo
  • 0x44957:$x1: cracked by ximo
  • 0x44a0c:$x1: cracked by ximo
  • 0x44ac1:$x1: cracked by ximo
  • 0x44b76:$x1: cracked by ximo

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHR
No Suricata rule has matched

AV Detection

Source: gmqIbj35WF.dll | Avira: detected
Source: gmqIbj35WF.dll | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: gmqIbj35WF.dll | Joe Sandbox ML: detected
Source: gmqIbj35WF.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E763 lstrcpy,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6CB72DD0,_mbscpy,_mbscpy,strchr,strchr,strchr,_mbscpy,atoi,CreateDirectoryA,Sleep,FindClose,3_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000D49E strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,strrchr,_strcmpi,_mbscpy,FindClose,FindNextFileA,FindClose,3_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100058AC FindFirstFileA,3_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100069DD _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,3_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000EBE4 strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,3_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006DB7 _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,3_2_10006DB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100057EC GetLogicalDriveStringsA,3_2_100057EC
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.241 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.251 6658
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.240 18963
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.43.161 12388
Source: global traffic | TCP traffic: 107.163.56.241 ports 18530,0,1,3,5,8
Source: global traffic | TCP traffic: 107.163.56.240 ports 18963,1,3,6,8,9
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 107.163.56.241:18530
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 107.163.43.161:12388
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 107.163.56.251:6658
Source: global traffic | TCP traffic: 192.168.2.4:49748 -> 107.163.56.240:18963
Source: Joe Sandbox View | ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View | ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View | ASN Name: TAKE2US TAKE2US
Source: global traffic | TCP traffic: 192.168.2.4:49749 -> 202.108.0.52:80
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007225 WSAStartup,socket,socket,htons,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,WSACleanup,3_2_10007225
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://%s.qzone.qq.com/main
Source: rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://%s.qzone.qq.com/mainMozilla/4.0
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.43.161:12388/2112.html
Source: rundll32.exe, 00000003.00000002.3053174241.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.43.161:12388/2112.html0
Source: rundll32.exe, 00000003.00000002.3053848370.000000000453D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.43.161:1388/2112.html
Source: rundll32.exe, 00000003.00000002.3054395701.000000000529D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.php
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.php-g
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.php?
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpAg
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpF
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpYg
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpg
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpig-
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpq
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963/main.phpt
Source: rundll32.exe, 00000003.00000002.3054395701.000000000529D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.240:18963main.php
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.163.56.241:18530/
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56.241:18530//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mteYmJe0nta
Source: rundll32.exe, 00000003.00000002.3054347371.000000000521D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.56I
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%s
Source: rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%sfound~
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%sMozilla/4.0
Source: rundll32.exe, 00000003.00000002.3054681983.00000000056DD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3053174241.000000000065D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3053174241.000000000069A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/57624790937g
Source: rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093Gg
Source: rundll32.exe, 00000003.00000002.3053174241.000000000069A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5762479093JZ
Source: Amcache.hve.21.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100052CF OpenClipboard,3_2_100052CF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004E8E SetClipboardData,3_2_10004E8E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004F4C GetClipboardData,3_2_10004F4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004788 GetAsyncKeyState,3_2_10004788

System Summary

Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005F3C GetProcessHeap,RtlAllocateHeap,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_10005F3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005FD3 NtQueryInformationFile,3_2_10005FD3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10011C72: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy,3_2_10011C72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100059A0 DeleteService,3_2_100059A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004804 CreateProcessAsUserA,3_2_10004804
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005238 ExitWindowsEx,3_2_10005238
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100150F3 3_2_100150F3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000F200 3_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100122E4 3_2_100122E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001E5EC 3_2_1001E5EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10018642 3_2_10018642
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001A67B 3_2_1001A67B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001D748 3_2_1001D748
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001C850 3_2_1001C850
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10015883 3_2_10015883
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10015B40 3_2_10015B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001DB5D 3_2_1001DB5D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001DD4D 3_2_1001DD4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001BD60 3_2_1001BD60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 296 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1792
Source: gmqIbj35WF.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.evad.winDLL@33/6@1/6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10011C72 sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy,3_2_10011C72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005EBA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,3_2_10005EBA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005912 AdjustTokenPrivileges,3_2_10005912
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007DDE 6CB72DD0,6CB72DD0,6CB72DD0,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,3_2_10007DDE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005821 GetDiskFreeSpaceExA,3_2_10005821
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _mbscpy,_mbscat,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA,memset,wsprintfA,RegCreateKeyA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,memset,_mbscpy,RegOpenKeyExA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegCloseKey,3_2_1000ABAC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100055E1 CreateToolhelp32Snapshot,3_2_100055E1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100114B0 CoCreateInstance,3_2_100114B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005000 LockResource,3_2_10005000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000AAC4 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,3_2_1000AAC4
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\Desktop\11221450
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ee4a0835-d61e-4c06-aa0e-627c434e184e
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gmqIbj35WF.dll,Scheduler
Source: gmqIbj35WF.dll | ReversingLabs: Detection: 97%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gmqIbj35WF.dll,Scheduler
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1792
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
Source: C:\Windows\SysWOW64\PING.EXE | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gmqIbj35WF.dll,Scheduler
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvcp60.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll (4 identical rows)
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll (4 identical rows)
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll (4 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary
Source: initial sample | Static PE information: section where entry point is pointing to: ds
Source: gmqIbj35WF.dll | Static PE information: section name: .fdss
Source: gmqIbj35WF.dll | Static PE information: section name: .fds
Source: gmqIbj35WF.dll | Static PE information: section name: .fs
Source: gmqIbj35WF.dll | Static PE information: section name: ds
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000FEA3 push dword ptr [esp+3Ch]; retn 0040h | 3_2_10035AF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001000 push dword ptr [esp+14h]; retn 0018h | 3_2_10036C9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001000 push eax; mov dword ptr [esp], 63000AC9h | 3_2_10036D03
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001010 pushfd ; mov dword ptr [esp], edx | 3_2_10001011
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003407B push dword ptr [esp+50h]; retn 0054h | 3_2_10034085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100210E0 push eax; ret | 3_2_1002110E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100010F9 push 4E1E2108h; mov dword ptr [esp], edx | 3_2_10001131
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100010F9 pushad ; mov dword ptr [esp], F651B473h | 3_2_10001136
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100010F9 push edx; mov dword ptr [esp], 1815BBB4h | 3_2_100342D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000D143 pushad ; mov dword ptr [esp], esi | 3_2_1000D15B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001199 pushfd ; mov dword ptr [esp], edx | 3_2_1000119A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003442B pushfd ; mov dword ptr [esp], ecx | 3_2_10034436
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003442B push 1392E45Eh; mov dword ptr [esp], ecx | 3_2_1003443E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003448E push dword ptr [esp+24h]; retn 0028h | 3_2_100344A4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E56F push dword ptr [esp+2Ch]; retn 0030h | 3_2_1003882F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003463D push dword ptr [esp+34h]; retn 0038h | 3_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000C792 push dword ptr [esp+48h]; retn 004Ch | 3_2_10033600
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000C7A8 push dword ptr [esp+48h]; retn 004Ch | 3_2_10033600
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B7BC pushfd ; mov dword ptr [esp], ebp | 3_2_10034F78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B7CC push dword ptr [esp+34h]; retn 0038h | 3_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003383A pushfd ; mov dword ptr [esp], esi | 3_2_1003384B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B8EA push 8C58C68Fh; mov dword ptr [esp], eax | 3_2_10033F47
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B8EA pushfd ; mov dword ptr [esp], eax | 3_2_100348EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10039A98 pushfd ; mov dword ptr [esp], 12F3A3B1h | 3_2_1003CFBC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10033AD2 pushfd ; mov dword ptr [esp], ecx | 3_2_10033ADD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10033AD2 push 8C58C68Fh; mov dword ptr [esp], eax | 3_2_10033F47
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E6EA pushfd ; mov dword ptr [esp], E0DA7D61h | 3_2_10034B0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10034D73 pushfd ; mov dword ptr [esp], eax | 3_2_1000B84B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10034DF3 push dword ptr [esp+34h]; retn 0038h | 3_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10035EA4 push dword ptr [esp+48h]; retn 004Ch | 3_2_1003BC28
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10034EB4 push A20C73A1h; mov dword ptr [esp], edx | 3_2_10034EF9
Source: gmqIbj35WF.dll | Static PE information: section name: .fds entropy: 7.938861044095765
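Four non-standard section names, an entry point in the section named ds rather than .text, and a section entropy of 7.94 bits per byte are the static indicators of a packed or encrypted payload. The following Python is an added example, not code from the report or the sample, that parses a PE section table with the standard library, computes per-section Shannon entropy and reports which section holds the entry point. It runs on a constructed PE32 fixture produced by build_sample_pe() that imitates these findings (a low-entropy .text and a high-entropy section named ds holding the entry point); the fixture, the 7.0-bit threshold and the COMMON_SECTIONS list are assumptions, not taken from the analysed DLL.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names a typical MSVC-built image carries; anything else is worth a look (assumed list).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, compressed or encrypted data sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes):
    """Return (entry_rva, sections) for a PE32/PE32+ image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at +16 in both the PE32 and the PE32+ optional header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return entry_rva, sections


def triage(image: bytes, entropy_threshold: float = 7.0):
    """Flag packer-like traits: odd section names, high entropy, entry point outside .text."""
    entry_rva, sections = parse_pe(image)
    entry_section = None
    findings = []
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"high entropy in {s['name']!r}: {s['entropy']}")
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} maps to no section")
    elif entry_section != ".text":
        findings.append(f"entry point {entry_rva:#x} is in {entry_section!r}, not .text")
    return entry_section, sections, findings


def build_sample_pe() -> bytes:
    """Constructed fixture, not the analysed DLL: a minimal PE32 DLL with a repetitive .text
    section and a high-entropy section named 'ds' that also contains the entry point."""
    text = (b"\x55\x8b\xec" + b"\x90" * 13) * 64          # 1 KiB of repetitive code-like bytes
    blob, seed = b"", b"fixture"
    while len(blob) < 4096:                                # SHA-256 chain as deterministic "packed" data
        seed = hashlib.sha256(seed).digest()
        blob += seed
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    struct.pack_into("<H", hdr, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 16, 0x2010)         # entry point RVA inside 'ds'
    sec = 0x58 + 0xE0                                      # section table follows the optional header
    struct.pack_into("<8sIIII", hdr, sec, b".text", len(text), 0x1000, len(text), 0x200)
    struct.pack_into("<8sIIII", hdr, sec + 40, b"ds", len(blob), 0x2000, len(blob), 0x200 + len(text))
    return bytes(hdr) + text + blob


if __name__ == "__main__":
    entry, secs, notes = triage(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} rva={s['vaddr']:#07x} raw={s['rawsize']:#07x} entropy={s['entropy']}")
    print("entry point section:", entry)
    for n in notes:
        print(" -", n)
```

On a real file, pass open(path, "rb").read() to triage(). A high-entropy section on its own is not proof of packing (embedded certificates or compressed resources also score near 8 bits), which is why the entry-point location and the section names are reported alongside it; the combination seen in this report, entry point in a one-off section next to a 7.94-bit section, is the pattern to escalate.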

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy, \\.\PHYSICALDRIVE%d | 3_2_10011C72

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy, \\.\PHYSICALDRIVE%d | 3_2_10011C72
Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SHR (3 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000AAC4 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005BDF ClearEventLogA
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (25 identical rows)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX (4 identical rows)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical rows)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical rows)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_3-10615
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 (8 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1800000; 600000; 922337203685477; 300000; 180000; 600000; 600000; 1800000; 180000; 300000; 600000 (11 rows, in report order)
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_3-10298
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6664 | Thread sleep time: -14400000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1612 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1612 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 744 | Thread sleep time: -3300000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3052 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4192 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2504 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6664 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3052 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 744 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5608 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed (4 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000E763 lstrcpy,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6CB72DD0,_mbscpy,_mbscpy,strchr,strchr,strchr,_mbscpy,atoi,CreateDirectoryA,Sleep,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000D49E strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,strrchr,_strcmpi,_mbscpy,FindClose,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100058AC FindFirstFileA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100069DD _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000EBE4 strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006DB7 _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100057EC GetLogicalDriveStringsA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007DDE 6CB72DD0,6CB72DD0,6CB72DD0,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1800000; 600000; 60000; 922337203685477; 300000; 180000; 600000; 600000; 1800000; 180000; 300000; 600000 (12 rows, in report order)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.21.dr | Binary or memory string: VMware
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.21.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.3053174241.000000000065D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3053174241.0000000000629000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.21.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000003.00000002.3052955693.00000000000FB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: s\Applications\\VMwareHo@
Source: Amcache.hve.21.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.21.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.21.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.21.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.21.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.21.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000003.00000002.3053174241.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.21.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.21.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.21.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.21.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.21.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (2 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004DF5 BlockInput
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006322 GetProcessHeap,HeapFree,_strnicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,CloseHandle,memset,strrchr,_strnicmp,CloseHandle,CloseHandle,lstrlen,_strnicmp,OpenProcess,GetModuleFileNameExA,_strnicmp,GetCurrentProcess,DuplicateHandle,CloseHandle,CloseHandle,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000558A SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.241 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.251 6658
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.240 18963
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.43.161 12388
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004E04 keybd_event
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004E1F mouse_event
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3 (4 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100048C9 SetSecurityDescriptorDacl
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004925 AllocateAndInitializeSid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,memcpy | 3_2_1000960F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,wsprintfA,6CB72DD0,memset,___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,6CB72DD0,MultiByteToWideChar,WideCharToMultiByte,6CB72DD0,WideCharToMultiByte,strlen,6CAEC7F0,6CAEC7F0,wsprintfA,strlen,strrchr,6CAEC7F0,6CAEC7F0,6CAEC7F0,6CAEC7F0 | 3_2_10009FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: strlen,memset,___crtGetLocaleInfoEx,lstrcpy | 3_2_1000C295
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx | 3_2_1000949C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameA,GetModuleFileNameA,strrchr,_mbscat,strrchr,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ReleaseMutex,CloseHandle,GetTickCount,srand,rand,rand,Sleep,SetFileAttributesA,wsprintfA,_mbscpy,_mbscat,_mbscat,Sleep,memset,_mbscat,_mbscat,_mbscat,MoveFileA,Concurrency::details::platform::__CreateTimerQueueTimer,___crtGetLocaleInfoEx,rand,rand,rand,rand,rand,rand,rand,MoveFileExA,Sleep,memset,___crtGetTimeFormatEx | 3_2_1000D7E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: memset,wsprintfA,6CB72DD0,memset,___crtGetTimeFormatEx,GetLastError,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,6CB72DD0,MultiByteToWideChar,WideCharToMultiByte,6CB72DD0,WideCharToMultiByte,strlen,6CAEC7F0,6CAEC7F0,wsprintfA,strlen,strrchr,6CAEC7F0,6CAEC7F0 | 3_2_10009A63
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 identical rows)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001F343 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10004996 LookupAccountNameA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10008C6A memset,GetVersionExA,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf
Source: Amcache.hve.21.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.21.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.21.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007225 WSAStartup,socket,socket,htons,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,WSACleanup
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count badge extracted with a matched technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: 11 Native API; 12 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 12 Windows Service; 11 Registry Run Keys / Startup Folder; 1 Bootkit; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 12 Windows Service; 111 Process Injection; 11 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Valid Accounts; 31 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 111 Process Injection; 1 Bootkit; 1 Rundll32; 1 Indicator Removal
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 25 System Information Discovery; 141 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: 1 Archive Collected Data; 11 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1558479 | Sample: gmqIbj35WF.dll | Startdate: 19/11/2024 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Contacted domains: blogx.sina.com.cn; blog.sina.com.cn

Process tree (as drawn in the behavior graph):
  • loaddll32.exe
    • rundll32.exe
      • Network: 107.163.43.161:12388 (TAKE2US, United States); 107.163.56.240:18963 (TAKE2US, United States); 3 other IPs or domains
      • Signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Contains functionality to infect the boot sector; 2 other signatures
      • WerFault.exe
    • cmd.exe
      • Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      • rundll32.exe
        • cmd.exe
          • Signature: Uses ping.exe to sleep
          • PING.EXE (network: 127.0.0.1)
          • conhost.exe
    • rundll32.exe
      • cmd.exe
        • Signature: Uses ping.exe to sleep
        • conhost.exe
        • PING.EXE
    • conhost.exe
  • rundll32.exe
    • cmd.exe
      • conhost.exe
      • PING.EXE
  • rundll32.exe
    • cmd.exe
      • conhost.exe
      • PING.EXE

Source | Detection | Scanner | Label
gmqIbj35WF.dll | 97% | ReversingLabs | Win32.Backdoor.Venik
gmqIbj35WF.dll | 100% | Avira | TR/Patched.Ren.Gen
gmqIbj35WF.dll | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://107.163.56.240:18963/main.phpAg | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963main.php | 0% | Avira URL Cloud | safe
http://107.163.43.161:12388/2112.html | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.php? | 0% | Avira URL Cloud | safe
http://107.163.56.241:18530//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mteYmJe0nta | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpq | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpYg | 0% | Avira URL Cloud | safe
http://107.163.56I | 0% | Avira URL Cloud | safe
http://107.163.56.241:18530/ | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpg | 0% | Avira URL Cloud | safe
http://107.163.43.161:1388/2112.html | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.php | 0% | Avira URL Cloud | safe
http://67.229.227.140:999/ver.asp?v=%sfound~ | 0% | Avira URL Cloud | safe
http://%s.qzone.qq.com/mainMozilla/4.0 | 0% | Avira URL Cloud | safe
http://107.163.43.161:12388/2112.html0 | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpt | 0% | Avira URL Cloud | safe
http://%s.qzone.qq.com/main | 0% | Avira URL Cloud | safe
http://67.229.227.140:999/ver.asp?v=%s | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpig- | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.php-g | 0% | Avira URL Cloud | safe
http://107.163.56.240:18963/main.phpF | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blogx.sina.com.cn | 202.108.0.52 | true | false | | high
blog.sina.com.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://107.163.56.240:18963main.php | rundll32.exe, 00000003.00000002.3054395701.000000000529D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.241:18530//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mteYmJe0nta | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.phpAg | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56I | rundll32.exe, 00000003.00000002.3054347371.000000000521D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.phpq | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.43.161:12388/2112.html | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.21.dr | false | | high
http://blog.sina.com.cn/u/%s | rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000003.00000002.3054681983.00000000056DD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3053174241.000000000065D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3053174241.000000000069A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.240:18963/main.phpYg | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.241:18530/ | rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/57624790937g | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093JZ | rundll32.exe, 00000003.00000002.3053174241.000000000069A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.56.240:18963/main.phpg | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.php? | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.php | rundll32.exe, 00000003.00000002.3054395701.000000000529D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093Gg | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.163.43.161:1388/2112.html | rundll32.exe, 00000003.00000002.3053848370.000000000453D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.phpt | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://67.229.227.140:999/ver.asp?v=%sfound~ | rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.43.161:12388/2112.html0 | rundll32.exe, 00000003.00000002.3053174241.00000000005FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/%sMozilla/4.0 | rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://%s.qzone.qq.com/main | rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://%s.qzone.qq.com/mainMozilla/4.0 | rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.php-g | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.phpig- | rundll32.exe, 00000003.00000002.3053174241.0000000000682000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://67.229.227.140:999/ver.asp?v=%s | rundll32.exe, rundll32.exe, 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.240:18963/main.phpF | rundll32.exe, 00000003.00000002.3053174241.0000000000643000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.43.161 | unknown | United States | 20248 | TAKE2US | true
107.163.56.241 | unknown | United States | 20248 | TAKE2US | true
107.163.56.251 | unknown | United States | 20248 | TAKE2US | true
107.163.56.240 | unknown | United States | 20248 | TAKE2US | true
                    IP
                    127.0.0.1
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1558479
                    Start date and time:2024-11-19 14:10:26 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:27
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:gmqIbj35WF.dll
                    renamed because original name is a hash value
                    Original Sample Name:a50c68d387e4365eadec166d8aa577d3274b6e7d.dll
                    Detection:MAL
                    Classification:mal100.troj.evad.winDLL@33/6@1/6
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 97%
                    • Number of executed functions: 50
                    • Number of non-executed functions: 101
                    Cookbook Comments:
                    • Found application associated with file extension: .dll
                    • Override analysis time to 240s for rundll32
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.42.73.29
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: gmqIbj35WF.dll
Time | Type | Description
08:11:24 | API Interceptor | 144x Sleep call for process: rundll32.exe modified
08:11:25 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
08:13:34 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context

IP context:
202.108.0.52 | VqCbf9fhnQ.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | k4F4uRTZZR.dll | malicious | Unknown | blog.sina.com.cn/u/5655029807
202.108.0.52 | 5jme4p7u76.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807
107.163.43.161 | Bcr1Wl2Jn0.dll | malicious | Unknown |
107.163.56.241 | Bcr1Wl2Jn0.dll | malicious | Unknown |
107.163.56.241 | OL50O9ho5M.dll | malicious | Unknown |
107.163.56.251 | Bcr1Wl2Jn0.dll | malicious | Unknown |
107.163.56.251 | OL50O9ho5M.dll | malicious | Unknown |
107.163.56.251 | 02hNixBIvP.exe | malicious | Unknown |
107.163.56.251 | abc.dll | malicious | Unknown |
107.163.56.240 | Bcr1Wl2Jn0.dll | malicious | Unknown |

Domain context:
blogx.sina.com.cn | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | k4F4uRTZZR.dll | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | http://zeuso.cc | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 02hNixBIvP.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | 5jme4p7u76.exe | malicious | Unknown | 202.108.0.52
blogx.sina.com.cn | abc.dll | malicious | Unknown | 123.126.45.92

ASN context:
TAKE2US | Bcr1Wl2Jn0.dll | malicious | Unknown | 107.163.56.240
TAKE2US | OL50O9ho5M.dll | malicious | Unknown | 107.163.56.251
TAKE2US | 81mieek02V.dll | malicious | Unknown | 107.163.56.110
TAKE2US | Vb1S2HJcnN.dll | malicious | Unknown | 107.163.56.110
TAKE2US | VqCbf9fhnQ.exe | malicious | Unknown | 107.163.43.253
TAKE2US | yakuza.m68k.elf | malicious | Unknown | 107.163.215.236
TAKE2US | DHL_doc.exe | malicious | FormBook | 107.163.130.253
TAKE2US | wODub61gZe.exe | malicious | FormBook | 107.163.130.249
TAKE2US | mips.elf | malicious | Mirai | 107.163.25.123
TAKE2US | INVOICES.exe | malicious | FormBook | 107.163.130.253
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.mips.elf | malicious | Unknown | 111.193.177.206
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.x86.elf | malicious | Unknown | 60.194.199.155
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | hmips.elf | malicious | Mirai | 111.196.123.227
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | botx.m68k.elf | malicious | Mirai | 123.112.202.42
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | botx.ppc.elf | malicious | Mirai | 113.45.119.194
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | botx.arm.elf | malicious | Mirai | 211.145.29.8
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | xd.m68k.elf | malicious | Mirai | 114.117.36.234
                                    No context
                                    No context
                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                    File Type:ISO-8859 text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):29
                                    Entropy (8bit):4.0993603054724
                                    Encrypted:false
                                    SSDEEP:3:yFXwvY9M4Dg:yFOY9M4M
                                    MD5:E4A6FCB5F37E1B45DE276D8E138FB27F
                                    SHA1:F2DFB9EBE5C62A9F8D9E49CBB19B71343F4BFEF8
                                    SHA-256:240941BC0A170F815AB06899101B29C006725A11E1934A4D4F58FF18531823E4
                                    SHA-512:8223B13B05A019A49823B12CBB5E7C9E692F87403C0F7D9DD6F67C8A30C14E288BFB9CA0CE4CDB4EF0A86942A8863D68F38555B68495D1957E29167D399EFE9C
                                    Malicious:false
                                    Preview:..2024-11-21 12:37..iOffset..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.117820302088372
                                    Encrypted:false
                                    SSDEEP:192:zPNiikOl60BU/wjeTPaZWO3sJzuiFMZ24IO84ci:b0i1lBBU/wjeYRAzuiFMY4IO84ci
                                    MD5:A7F3948FF9592AF51A27006580C11230
                                    SHA1:9F6D8E3D405BD95593BF4D27F62AB92399FE7DC5
                                    SHA-256:7B7C4EC728AC5CA5843774AB464AF3F6C1B2A96B356A4CF204D3DE2688269C32
                                    SHA-512:95088E926AE488D105005E819F1AD5478BA695A2BFD2DE489F58E175C335D0A0B9731910BB4E18C60513BDFB1AADB34003E5B89440A40247A0F8C3F3F3466800
                                    Malicious:false
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.5.5.1.7.7.7.2.4.5.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.5.5.1.8.4.7.5.5.8.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.0.8.a.c.2.a.-.d.8.8.f.-.4.d.7.3.-.9.e.c.e.-.0.5.c.e.0.9.6.d.e.3.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.1.5.2.6.c.8.-.e.2.4.a.-.4.8.7.0.-.a.8.8.4.-.f.3.7.1.0.e.7.9.1.d.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.c.4.-.0.0.0.1.-.0.0.1.4.-.b.f.0.2.-.d.a.8.7.8.4.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:11:58 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):230888
                                    Entropy (8bit):1.8013981161333934
                                    Encrypted:false
                                    SSDEEP:768:MIBnXG5BOEGXTN7L6q5fJM47ZFy0xSP6Kxksp1K:BnGfi56q9Jz7Dy00P6KxZnK
                                    MD5:E795D800A26BF1FC4C3583FBE67FCD08
                                    SHA1:3E51660090B5FB2EBEE23F4CFFCADB6D5FE49D27
                                    SHA-256:4B1C350A4874A9732E508D2958100FF978DC2FDAEFA397A86223BAF11DB54620
                                    SHA-512:1A5131B93937B28BE2115950142325B81314704B8EE71BCDC0D19BC8D41CBB815DE8627D84C9AA46A628DE0A814DDAFEB407AE996D2F248BBC7007B3F71B1AC4
                                    Malicious:false
                                    Preview:MDMP..a..... .........<g.........................................o..........T.......8...........T............E...@...........)...........+..............................................................................eJ...... ,......GenuineIntel............T...........z.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8404
                                    Entropy (8bit):3.6963315483838732
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJ0I6Ree6YWl65sgmf8f/prP89bhvsfV6Lm:R6lXJz6x6YM65sgmf8fShUfVP
                                    MD5:DE7589530DC382C553D1113AA102CDD3
                                    SHA1:93462288B8DBFD8BFF47BB4D8C201F70771B5FE4
                                    SHA-256:DBDCF3AAFD0394808444647ECD095F73225B2EBBEFDA3C53278B8496401267BC
                                    SHA-512:3B2EC7940F28778498FB5965694C5BB8B4D15EFC7E0DD238ACAE5E7C98799B6CDAFFE79CD803820DC7BCFF77FAB0D8540287E209FC1229DA865FEC467D64EFAA
                                    Malicious:false
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.1.6.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4791
                                    Entropy (8bit):4.48009975507007
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsMJg77aI9fsWpW8VYtYm8M4JCdPHFZ+q8vjPmGScSpd:uIjfKI7xF7VJJ4K6J3pd
                                    MD5:109FCE6FC55027056A873D944B4FF684
                                    SHA1:3B90BEB1B19C0180ECA88849EE5D6DABFBD3F45E
                                    SHA-256:2EE92C5D8802FBF87E4B35827766F36BF9B68C2421B6C4F41E65A26BE9E296E9
                                    SHA-512:EBADA222604DCEC38688C4A55366200A382789F785259AA6465591048A5DAD6A6FFB8AF672C85DF2A16C91B30535E918373F23AB2208E7CDECF68278F1A648DB
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594974" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.4662428787576
                                    Encrypted:false
                                    SSDEEP:6144:rIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:sXD94+WlLZMM6YFHT+G
                                    MD5:C04223A93CAE5B90D6F531DCE93AD114
                                    SHA1:8B0A346A2124288328CA6A7486E2DAFA0F296A17
                                    SHA-256:26736E16C2EA1E000D457140491F00BA390EC6977AA4AD1FD5712A2AB8DB17CA
                                    SHA-512:B0CCAE72234E628BD4CFC7C53E06565C384840F15FDFDD83D1DCBC0B990D917973F4EA16148169C9A96D9B9613425DE83309F09AEF85A6B91406B5AE51B9CD80
                                    Malicious:false
                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.F...:..............................................................................................................................................................................................................................................................................................................................................,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.917108520214314
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 97.04%
                                    • Win32 EXE Yoda's Crypter (26571/9) 2.57%
                                    • Generic Win/DOS Executable (2004/3) 0.19%
                                    • DOS Executable Generic (2002/1) 0.19%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:gmqIbj35WF.dll
                                    File size:138'814 bytes
                                    MD5:ed4dced3ec044d7f108f09f205f07218
                                    SHA1:a50c68d387e4365eadec166d8aa577d3274b6e7d
                                    SHA256:cdbb0d62b194c098e6a59b2dbe15de7837c1705e2de72abc076497536dbb2476
                                    SHA512:12c93fb50c20562582e7422932d4e8baa64053ec40b4e38e05124c778dd7b5d82b89460b98119aad00d13937034ec8d15e72a47025394d24e3518e74e28b2964
                                    SSDEEP:1536:1RNinzmWJgrDquOUAyPkXgeJI6g8LHe07Uee41pUcQRyXAHJ3HyNa8s64PpW2xb:zNYOrFAyugeJOym41pLLQN+a8O8Cb
                                    TLSH:48D312DB3592603EC0DAFF7BC88A945D25B76EC0208AFF48F3A0654B1E708B81567D52
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.\.N.m.E...N.=.H...N.m.J...N.Rich..N................
                                    Icon Hash:7ae282899bbab082
                                    Entrypoint:0x1004b000
                                    Entrypoint Section:ds
                                    Digitally signed:false
                                    Imagebase:0x10000000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                    DLL Characteristics:
                                    Time Stamp:0x56515A58 [Sun Nov 22 06:02:00 2015 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:c14bd7810997176bf9a0fc63aaecc73e
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    push FFFFFFFFh
                                    push 000A2C2Ah
                                    push 000D9038h
                                    mov eax, dword ptr fs:[00000000h]
                                    push eax
                                    mov dword ptr fs:[00000000h], esp
                                    pop eax
                                    mov dword ptr fs:[00000000h], eax
                                    pop eax
                                    pop eax
                                    pop eax
                                    pop eax
                                    mov ebp, eax
                                    mov eax, 100490B0h
                                    jmp eax
                                    Programming Language:
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ C ] VS98 (6.0) build 8168
                                    • [C++] VS98 (6.0) build 8168
                                    • [RES] VS98 (6.0) cvtres build 1720
                                    • [LNK] VS98 (6.0) imp/exp build 8168
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4a328 | 0x40 | .fs
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a000 | 0x328 | .fs
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a368 | 0xc | .fs
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .fdss | 0x1000 | 0x27000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .fds | 0x28000 | 0x22000 | 0x21400 | 643e5aa7b1e175061d5c8b6ff92fc4ef | False | 0.9865410596804511 | data | 7.938861044095765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .fs | 0x4a000 | 0x1000 | 0x400 | ca92c4a5a58d8f944fc303cb98ef5fea | False | 0.470703125 | data | 3.9294239228795704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    ds | 0x4b000 | 0x208 | 0x200 | 7805f27e1b3a7702fd08c1b531386f51 | False | 0.115234375 | data | 0.697818995102615 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    DLL | Import
                                    KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
                                    ADVAPI32.dll | RegOpenKeyA
                                    MFC42.DLL |
                                    MSVCP60.dll | ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
                                    MSVCRT.dll | rand
                                    NETAPI32.dll | Netbios
                                    ntdll.dll | NtQueryInformationFile
                                    ole32.dll | CoInitialize
                                    OLEAUT32.dll | VariantClear
                                    PSAPI.DLL | GetModuleFileNameExA
                                    SHLWAPI.dll | StrStrIA
                                    USER32.dll | wsprintfA
                                    WS2_32.dll | WSAGetLastError
                                    Name | Ordinal | Address
                                    Scheduler | 1 | 0x1000fff3
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 19, 2024 14:11:26.392688036 CET | 49742 | 18530 | 192.168.2.4 | 107.163.56.241
                                    Nov 19, 2024 14:11:26.393480062 CET | 49743 | 12388 | 192.168.2.4 | 107.163.43.161
                                    Nov 19, 2024 14:11:27.399334908 CET | 49742 | 18530 | 192.168.2.4 | 107.163.56.241
                                    Nov 19, 2024 14:11:27.399336100 CET | 49743 | 12388 | 192.168.2.4 | 107.163.43.161
                                    Nov 19, 2024 14:11:29.399532080 CET | 49743 | 12388 | 192.168.2.4 | 107.163.43.161
                                    Nov 19, 2024 14:11:29.399533033 CET | 49742 | 18530 | 192.168.2.4 | 107.163.56.241
                                    Nov 19, 2024 14:11:33.399352074 CET | 49742 | 18530 | 192.168.2.4 | 107.163.56.241
                                    Nov 19, 2024 14:11:33.403333902 CET | 49743 | 12388 | 192.168.2.4 | 107.163.43.161
                                    Nov 19, 2024 14:11:41.399689913 CET | 49742 | 18530 | 192.168.2.4 | 107.163.56.241
                                    Nov 19, 2024 14:11:41.399712086 CET | 49743 | 12388 | 192.168.2.4 | 107.163.43.161
                                    Nov 19, 2024 14:11:48.455889940 CET | 49746 | 6658 | 192.168.2.4 | 107.163.56.251
                                    Nov 19, 2024 14:11:49.461800098 CET | 49746 | 6658 | 192.168.2.4 | 107.163.56.251
                                    Nov 19, 2024 14:11:51.461848974 CET | 49746 | 6658 | 192.168.2.4 | 107.163.56.251
                                    Nov 19, 2024 14:11:51.473030090 CET | 49748 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:51.473028898 CET | 49747 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:52.477490902 CET | 49748 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:52.477497101 CET | 49747 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:54.477488995 CET | 49748 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:54.477490902 CET | 49747 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:55.207529068 CET | 49749 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:11:55.461858034 CET | 49746 | 6658 | 192.168.2.4 | 107.163.56.251
                                    Nov 19, 2024 14:11:55.491430044 CET | 49750 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:55.609386921 CET | 49751 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:55.610660076 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:11:56.493084908 CET | 49750 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:56.602709055 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:11:56.602710009 CET | 49751 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:58.493527889 CET | 49750 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:58.602443933 CET | 49751 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:11:58.603355885 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:12:02.508898973 CET | 49750 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:12:02.618175030 CET | 49751 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:12:02.618175030 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:12:03.461910963 CET | 49746 | 6658 | 192.168.2.4 | 107.163.56.251
                                    Nov 19, 2024 14:12:10.508793116 CET | 49750 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:12:10.633821964 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
                                    Nov 19, 2024 14:12:10.633822918 CET | 49751 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Nov 19, 2024 14:13:35.928205967 CET | 49776 | 18963 | 192.168.2.4 | 107.163.56.240
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Nov 19, 2024 14:11:54.705636024 CET | 50878 | 53 | 192.168.2.4 | 1.1.1.1
                                    Nov 19, 2024 14:11:55.186119080 CET | 53 | 50878 | 1.1.1.1 | 192.168.2.4
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Nov 19, 2024 14:11:54.705636024 CET | 192.168.2.4 | 1.1.1.1 | 0xe439 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Nov 19, 2024 14:11:55.186119080 CET | 1.1.1.1 | 192.168.2.4 | 0xe439 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:11:55.186119080 CET | 1.1.1.1 | 192.168.2.4 | 0xe439 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false

                                    Target ID:0
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll"
                                    Imagebase:0x140000
                                    File size:126'464 bytes
                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\gmqIbj35WF.dll,Scheduler
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",#1
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:08:11:22
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x50000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:08:11:25
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:08:11:26
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:08:11:26
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:08:11:26
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x50000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:15
                                    Start time:08:11:55
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:08:11:56
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:08:11:56
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:08:11:56
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x50000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:08:11:57
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1792
                                    Imagebase:0x5b0000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:08:12:03
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\gmqIbj35WF.dll",Scheduler
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:23
                                    Start time:08:12:04
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:08:12:04
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:08:12:04
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x50000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21%
                                      Total number of Nodes:544
                                      Total number of Limit Nodes:17

                                      Control-flow Graph

                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000729A
                                      • socket.WS2_32(00000002,00000002,00000000), ref: 100072A6
                                      • socket.WS2_32(00000002,00000002,00000000), ref: 100072B8
                                      • htons.WS2_32(00000035), ref: 100072CF
                                      • inet_addr.WS2_32(127.0.0.1), ref: 100072E1
                                      • htons.WS2_32(00000035), ref: 100072F8
                                      • inet_addr.WS2_32(?), ref: 1000730C
                                      • bind.WS2_32(?,00000002,00000010), ref: 10007328
                                      • ioctlsocket.WS2_32(?,8004667E,00000001), ref: 1000734B
                                      • select.WS2_32(00000000,00000000,00000000,00000000,000003E8), ref: 1000741B
                                      • WSAGetLastError.WS2_32 ref: 10007430
                                      • Sleep.KERNEL32(000003E8), ref: 10007441
                                      • memset.MSVCRT ref: 10007464
                                      • recvfrom.WS2_32(?,00000000,00000200,00000000,?,00000010), ref: 1000748F
                                      • memset.MSVCRT ref: 100074C2
                                        • Part of subcall function 1000713B: memset.MSVCRT ref: 10007157
                                        • Part of subcall function 1000713B: memcpy.MSVCRT(?,-0000000C,-00000010), ref: 10007171
                                        • Part of subcall function 1000713B: strlen.MSVCRT ref: 1000717D
                                      • wsprintfA.USER32 ref: 10007513
                                      • StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,00000000), ref: 10007528
                                      • StrStrIA.SHLWAPI(00000000,alyac), ref: 10007553
                                      • StrStrIA.SHLWAPI(00000000,ahnlab), ref: 10007569
                                      • StrStrIA.SHLWAPI(00000000,v3lite), ref: 1000757F
                                      • malloc.MSVCRT ref: 10007595
                                      • memcpy.MSVCRT(?,00000000,00000002), ref: 100075B4
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 100075D1
                                      • htons.WS2_32(00008180), ref: 100075DE
                                      • htons.WS2_32(00008182), ref: 10007602
                                      • memcpy.MSVCRT(?,?,00000002), ref: 1000761F
                                      • htons.WS2_32(00000001), ref: 10007629
                                      • memcpy.MSVCRT(?,?,00000002), ref: 10007646
                                      • htons.WS2_32(0000C00C), ref: 10007685
                                      • memcpy.MSVCRT(00000000,?,00000002), ref: 100076A2
                                      • htons.WS2_32(00000001), ref: 100076BB
                                      • memcpy.MSVCRT(00000000,?,00000002), ref: 100076DF
                                      • htons.WS2_32(00000001), ref: 100076F8
                                      • memcpy.MSVCRT(00000000,?,00000002), ref: 1000771C
                                      • htonl.WS2_32(0000007B), ref: 10007735
                                      • memcpy.MSVCRT(00000000,?,00000004), ref: 10007758
                                      • htons.WS2_32(00000004), ref: 10007771
                                      • memcpy.MSVCRT(00000000,?,00000002), ref: 10007795
                                      • inet_addr.WS2_32(1002D030), ref: 100077C4
                                      • inet_addr.WS2_32(127.0.0.1), ref: 100077D7
                                      • memcpy.MSVCRT(00000000,00000000,00000004), ref: 100077FA
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 1000783F
                                      • sendto.WS2_32(?,00000000,00000000,00000000,?,00000010), ref: 10007867
                                      • closesocket.WS2_32(?), ref: 10007898
                                      • closesocket.WS2_32(?), ref: 100078A5
                                      • WSACleanup.WS2_32 ref: 100078AB
                                      Strings
                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007523
                                      • @, xrefs: 100073BE
                                      • 8.8.8.8, xrefs: 10007261
                                      • %s|, xrefs: 10007507
                                      • alyac, xrefs: 10007547
                                      • 127.0.0.1, xrefs: 100077D2
                                      • ahnlab, xrefs: 1000755D
                                      • v3lite, xrefs: 10007573
                                      • 127.0.0.1, xrefs: 100072DC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy$htons$inet_addr$memset$closesocketsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtostrlenwsprintf
                                      • String ID: %s|$127.0.0.1$127.0.0.1$8.8.8.8$@$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                      • API String ID: 3038323916-584143555
                                      • Opcode ID: ec22ab86a417ae1e4f9f74b60d11c1c3b79606598b03a26890ee4ca86a7e9a34
                                      • Instruction ID: 3390842cec86af49ff68c52d0698ecfc573ce0de94bd3180ff3bf18654662f0a
                                      • Opcode Fuzzy Hash: ec22ab86a417ae1e4f9f74b60d11c1c3b79606598b03a26890ee4ca86a7e9a34
                                      • Instruction Fuzzy Hash: B1025E75D04229ABEB64CB54CC89BE9B7B4FF48300F0045E9E60DA6295D7786B84CF91
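
The WS2_32 sequence listed above (bind on 127.0.0.1 port 0x35, recvfrom into a 0x200-byte buffer, wsprintfA("%s|") and StrStrIA against the bank/portal list, StrStrIA for alyac/ahnlab/v3lite, then htons(0x8180) or htons(0x8182), the 0xC00C name pointer, type 1, class 1, htonl(0x7B), a 4-byte RDLENGTH and sendto) is a hand-assembled DNS A-record answer: the DLL sits on the local resolver port and answers selected names itself. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It reproduces the name classification and the answer layout from the constants in the listing so the packet can be inspected offline, and adds a defender-side fingerprint check for captured responses. Which flag word belongs to which branch and the address loaded from 1002D030 are not visible in the listing, so the 0x8180 flags and the 127.0.0.1 answer used here are assumptions; what the second socket does with 8.8.8.8 is not shown either, so forwarding is not modelled. The query is constructed.

```python
import struct

# Domain list and AV markers copied from the StrStrIA arguments in the report
# (the list is truncated there at "www.idk.c" and is kept as-is).
HIJACK_LIST = ("www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|"
               "www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|"
               "www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|"
               "www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c")
AV_MARKERS = ("alyac", "ahnlab", "v3lite")

# Values passed to htons/htonl in the listing.
FLAGS_NOERROR = 0x8180   # QR=1 RD=1 RA=1 RCODE=0
FLAGS_SERVFAIL = 0x8182  # QR=1 RD=1 RA=1 RCODE=2
QNAME_POINTER = 0xC00C   # compression pointer to offset 12, the question name
TYPE_A, CLASS_IN = 1, 1
TTL_SEEN = 0x7B          # 123 seconds
RDLENGTH_A = 4

def encode_name(name):
    """Dotted name -> DNS label wire format."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(data, off):
    """Name at data[off:] -> (dotted name, offset just past it); follows pointers."""
    labels = []
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(data[off:off + length].decode())
        off += length

def build_query(txid, name):
    """Plain recursive A query, as a stub resolver pointed at 127.0.0.1 sends it."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN))

def classify(name):
    """Mirror the two StrStrIA checks: wsprintfA("%s|") then the name searched
    inside the list, then each AV marker searched inside the name. Substring
    semantics, as StrStrIA has, so "shinhan.com" matches as well."""
    lowered = name.lower()
    if lowered + "|" in HIJACK_LIST.lower():
        return "hijack"
    if any(marker in lowered for marker in AV_MARKERS):
        return "av"
    return None

def build_spoofed_response(query, answer_ip, flags=FLAGS_NOERROR):
    """One A record appended to the echoed question, in the order the listing
    assembles it: pointer, type, class, TTL, RDLENGTH, 4-byte address (assumed)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = struct.pack("!HHHIH", QNAME_POINTER, TYPE_A, CLASS_IN,
                         TTL_SEEN, RDLENGTH_A) + rdata
    return header + question + answer

def parse_response(data):
    """Minimal parser for a one-question response; returns a dict."""
    txid, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    qname, off = decode_name(data, 12)
    off += 4
    answers = []
    for _ in range(ancount):
        is_pointer = data[off] & 0xC0 == 0xC0
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        answers.append({"name": name, "pointer": is_pointer, "type": rtype,
                        "class": rclass, "ttl": ttl,
                        "ip": ".".join(str(b) for b in rdata) if rtype == TYPE_A else None})
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}

def matches_spoof_fingerprint(resp):
    """Defender-side check on a captured answer: exactly one A record, name given
    as the 0xC00C pointer, the fixed TTL 123 and one of the two flag words above."""
    if resp["flags"] not in (FLAGS_NOERROR, FLAGS_SERVFAIL) or len(resp["answers"]) != 1:
        return False
    rr = resp["answers"][0]
    return rr["type"] == TYPE_A and rr["pointer"] and rr["ttl"] == TTL_SEEN
```

A fixed 123-second TTL on a single pointer-named A record is not something a recursive resolver normally produces, so the fingerprint is a reasonable pcap triage filter; the list is matched by substring, so the ".ki" entries (for example www.kbstar.com.ki) do not match a query for www.kbstar.com on their own.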

                                      Control-flow Graph

                                      APIs
                                      • lstrcpy.KERNEL32(00000000,1000EBC9), ref: 1000E791
                                      • lstrcat.KERNEL32(00000000,1002B328), ref: 1000E7A3
                                      • lstrcat.KERNEL32(00000000,*.*), ref: 1000E7B5
                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 1000E7C9
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 1000E7F3
                                      • lstrcpy.KERNEL32(00000000,1000EBC9), ref: 1000E844
                                      • lstrcat.KERNEL32(00000000,1002B330), ref: 1000E856
                                      • lstrcat.KERNEL32(00000000,?), ref: 1000E86A
                                      • _strcmpi.MSVCRT ref: 1000E87C
                                      • PathIsDirectoryA.SHLWAPI(00000000), ref: 1000E8CD
                                      • 6CB72DD0.MFC42(00A00000), ref: 1000E906
                                      Similarity
                                      • API ID: lstrcat$FileFindlstrcpy$DirectoryFirstNextPath_strcmpi
                                      • String ID: %s\%s$*.*$/image.php$107.163.56.240:18963/main.php$11221450$NPKI$P
                                      • API String ID: 562152879-1605710944
                                      • Opcode ID: 5323aa14ce14103c62f6defea5f8f5adb60392233718185841180439375045da
                                      • Instruction ID: 19444b947d153ba7138296ce0e6c54724dfe7cb5038b80b89ac979f494543493
                                      • Opcode Fuzzy Hash: 5323aa14ce14103c62f6defea5f8f5adb60392233718185841180439375045da
                                      • Instruction Fuzzy Hash: 6991A6B59002A8AFEB64CBA4CC84BDE77B9EB58341F0044E5E30DA6141DB75AF98CF51

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 1000A00F
                                      • wsprintfA.USER32 ref: 1000A027
                                      • 6CB72DD0.MFC42(0007D000), ref: 1000A035
                                      • memset.MSVCRT ref: 1000A063
                                        • Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 1000A0C6
                                      Strings
                                      • http://blog.sina.com.cn/u/%s, xrefs: 1000A01B
                                      • title, xrefs: 1000A2BA
                                      • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000A07D
                                      Similarity
                                      • API ID: memset$FormatInternetOpenTime___crtwsprintf
                                      • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$http://blog.sina.com.cn/u/%s$title
                                      • API String ID: 1034901129-1204782975
                                      • Opcode ID: 7525d85f0729b2756f7b8b5f37a10be24308e38b0f83a2db50cfdef104767434
                                      • Instruction ID: e515f712fb1f60d133b8907fa9568e81727eaea72b4f5efa335cc261a660f667
                                      • Opcode Fuzzy Hash: 7525d85f0729b2756f7b8b5f37a10be24308e38b0f83a2db50cfdef104767434
                                      • Instruction Fuzzy Hash: F4E117B4D00268EFEB24CB58CC85BDEB7B0EB59300F1042D9EA09A7280DB756E85CF51

                                      Control-flow Graph

                                      APIs
                                      • sprintf.MSVCRT ref: 10011C8E
                                      • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4
                                      • DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,?,00000018,10011A6D,00000000), ref: 10011CF0
                                      • GetLastError.KERNEL32(00000400,?,00000000,00000000), ref: 10011D0C
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10011D1A
                                      Similarity
                                      • API ID: ControlCreateDeviceErrorFileFormatLastMessagesprintf
                                      • String ID: \\.\PHYSICALDRIVE%d
                                      • API String ID: 1111953355-613073274
                                      • Opcode ID: 9f30885270635e6f7f4378129046c2ac62e5a9f342dcb6496bc87d1829db50c4
                                      • Instruction ID: ac9daaf844bbbce85607c204d6ced58bc456b83f5b99ea7e7b7fe265a51f8282
                                      • Opcode Fuzzy Hash: 9f30885270635e6f7f4378129046c2ac62e5a9f342dcb6496bc87d1829db50c4
                                      • Instruction Fuzzy Hash: C351A6B5A00218ABEB24CF54CC41BDD7775EF85704F148294F6096A2C1DB729A94CF55
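
The DeviceIoControl code 0x74080 in this function splits into CTL_CODE(FILE_DEVICE_DISK = 7, function 0x20, METHOD_BUFFERED, FILE_READ_ACCESS), which is SMART_GET_VERSION, and the 0x18-byte output buffer matches GETVERSIONINPARAMS. That call is the usual first step before SMART_RCV_DRIVE_DATA reads the ATA IDENTIFY block (drive model and serial number, a common machine-ID source); whether the sample goes on to write to \\.\PHYSICALDRIVE%d is not visible in this listing, although the handle is opened with GENERIC_READ | GENERIC_WRITE (0xC0000000). The decoder below is an added example for checking such codes, not code from the sample or from the report; the GETVERSIONINPARAMS bytes it parses are constructed.

```python
import struct

# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
FILE_DEVICE_DISK = 0x07      # IOCTL_DISK_BASE
METHOD_BUFFERED = 0
FILE_READ_ACCESS = 1
FILE_WRITE_ACCESS = 2

def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method

def decode_ctl_code(code):
    """Split an IOCTL value into its CTL_CODE fields."""
    return {"device_type": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

# winioctl.h definitions of the three SMART IOCTLs.
SMART_GET_VERSION = ctl_code(FILE_DEVICE_DISK, 0x0020, METHOD_BUFFERED, FILE_READ_ACCESS)
SMART_SEND_DRIVE_COMMAND = ctl_code(FILE_DEVICE_DISK, 0x0021, METHOD_BUFFERED,
                                    FILE_READ_ACCESS | FILE_WRITE_ACCESS)
SMART_RCV_DRIVE_DATA = ctl_code(FILE_DEVICE_DISK, 0x0022, METHOD_BUFFERED,
                                FILE_READ_ACCESS | FILE_WRITE_ACCESS)

def name_ioctl(code):
    """Name the IOCTLs relevant to this listing; anything else comes back as hex."""
    known = {SMART_GET_VERSION: "SMART_GET_VERSION",
             SMART_SEND_DRIVE_COMMAND: "SMART_SEND_DRIVE_COMMAND",
             SMART_RCV_DRIVE_DATA: "SMART_RCV_DRIVE_DATA"}
    return known.get(code, "0x%08X" % code)

# GETVERSIONINPARAMS, the 0x18-byte buffer SMART_GET_VERSION fills:
#     BYTE bVersion; BYTE bRevision; BYTE bReserved; BYTE bIDEDeviceMap;
#     DWORD fCapabilities; DWORD dwReserved[4];
GETVERSIONINPARAMS = struct.Struct("<BBBBI16s")
CAP_ATA_ID_CMD = 0x1     # drive accepts ATA IDENTIFY (model, serial number)
CAP_ATAPI_ID_CMD = 0x2
CAP_SMART_CMD = 0x4

def parse_getversioninparams(buf):
    """Decode the capability bits; bIDEDeviceMap has one bit per IDE device slot."""
    version, revision, _, device_map, caps, _ = GETVERSIONINPARAMS.unpack(buf)
    return {"version": version, "revision": revision, "ide_device_map": device_map,
            "ata_identify": bool(caps & CAP_ATA_ID_CMD),
            "atapi_identify": bool(caps & CAP_ATAPI_ID_CMD),
            "smart": bool(caps & CAP_SMART_CMD)}
```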

                                      Control-flow Graph

                                      Control-flow Graph (node list; the executed/not-executed colouring of the rendered graph is not captured)
                                      • 10006843-100068ad: LoadLibraryA, GetProcAddress, GetExtendedUdpTable (first call, before malloc)
                                      • 100068c3-100068e0: malloc
                                      • 100068ed-10006916: GetExtendedUdpTable (second call, into the allocated buffer)
                                      • 1000693a-10006994: per-row loop with htons
                                      • 100069b6-100069d3: free, FreeLibrary
                                      APIs
                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 10006865
                                      • GetProcAddress.KERNEL32(?,GetExtendedUdpTable), ref: 1000687D
                                      • GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 1000689A
                                      • malloc.MSVCRT ref: 100068CA
                                      • GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 10006903
                                      Similarity
                                      • API ID: ExtendedTable$AddressLibraryLoadProcmalloc
                                      • String ID: GetExtendedUdpTable$iphlpapi.dll$z
                                      • API String ID: 2385667234-347336574
                                      • Opcode ID: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
                                      • Instruction ID: e72f5ed3c2909e77353821d2c1bd01ab583724ea6bb6368f571f4905b0ca2030
                                      • Opcode Fuzzy Hash: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
                                      • Instruction Fuzzy Hash: 3541E9F09002289BDB24DB50CD85BD8B7B9EB88304F20C5E9E70967295D7709EC6CF59
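
The two GetExtendedUdpTable calls above carry the same arguments (bOrder = 1, ulAf = 2 for AF_INET, TableClass = 1 for UDP_TABLE_OWNER_PID): the first, with a NULL table pointer, fails with ERROR_INSUFFICIENT_BUFFER and reports the size, malloc reserves it, and the second fills it; the loop that follows compares each row against htons(port), because dwLocalPort in MIB_UDPROW_OWNER_PID is stored in network byte order. The Python below is an added example that lays out and walks such a buffer offline; it is not code from the sample or from the report, the rows are constructed, and the port it searches for (53, because the other function in this report binds UDP/53 on 127.0.0.1) is an assumption, since the htons argument is shown as "?" in the listing.

```python
import socket
import struct

# Arguments visible in the two GetExtendedUdpTable calls in the listing.
AF_INET = 2                   # ulAf
UDP_TABLE_OWNER_PID = 1       # TableClass: rows carry the owning PID
ROW = struct.Struct("<III")   # MIB_UDPROW_OWNER_PID: dwLocalAddr, dwLocalPort, dwOwningPid

def build_udp_table(rows):
    """Constructed MIB_UDPTABLE_OWNER_PID buffer (dwNumEntries, then the rows),
    laid out as the second GetExtendedUdpTable call fills the malloc'd buffer.
    dwLocalAddr and the low 16 bits of dwLocalPort are in network byte order,
    which is why the listing's loop compares rows against htons(port)."""
    body = b"".join(
        ROW.pack(struct.unpack("<I", socket.inet_aton(ip))[0], socket.htons(port), pid)
        for ip, port, pid in rows)
    return struct.pack("<I", len(rows)) + body

def parse_udp_table(buf):
    """Walk the table; returns [(local_ip, local_port, pid), ...] in host order."""
    count = struct.unpack_from("<I", buf, 0)[0]
    rows = []
    for i in range(count):
        addr, port_nbo, pid = ROW.unpack_from(buf, 4 + i * ROW.size)
        ip = socket.inet_ntoa(struct.pack("<I", addr))
        rows.append((ip, socket.ntohs(port_nbo & 0xFFFF), pid))
    return rows

def owners_of_port(buf, port):
    """(local_ip, pid) for every socket bound to `port`, as the htons loop does."""
    return [(ip, pid) for ip, p, pid in parse_udp_table(buf) if p == port]

# Constructed table: NetBIOS name service, a listener on the resolver port, mDNS.
SAMPLE_TABLE = build_udp_table([("0.0.0.0", 137, 4),
                                ("127.0.0.1", 53, 2288),
                                ("0.0.0.0", 5353, 1420)])
```

Run against a live table the same walk tells a responder which PID holds UDP/53 on the loopback address; on a workstation that is not running a DNS service, any owner of that port is worth inspecting.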
                                      APIs
                                        • Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 10009674
                                      Strings
                                      • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1 (base64 of "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"), xrefs: 10009631
                                      Similarity
                                      • API ID: FormatInternetOpenTime___crt
                                      • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                      • API String ID: 483802873-1756078650
                                      • Opcode ID: fc573f735e20f11bc9a4b6e7dc4e8630eb1bfbc45aca1a4b6379a652c7b6df0f
                                      • Instruction ID: edbbad18566889c42df8cf001e4eb437ffe5273fdd268d158c28225184eb7580
                                      • Opcode Fuzzy Hash: fc573f735e20f11bc9a4b6e7dc4e8630eb1bfbc45aca1a4b6379a652c7b6df0f
                                      • Instruction Fuzzy Hash: F5311DF6D00208EBEB20DB94CC86BCD73B8EB44340F5185A4E70877285E775AB948B99
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
                                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
                                      • CloseHandle.KERNEL32(?), ref: 10005F29
                                      Similarity
                                      • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                      • String ID:
                                      • API String ID: 3038321057-0
                                      • Opcode ID: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
                                      • Instruction ID: efa5140f03dfd4bc98f9291f5672f447fd415e0b54fcefeffd77d2d0beff28df
                                      • Opcode Fuzzy Hash: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
                                      • Instruction Fuzzy Hash: FB012D70A1020AABFB14CFE4CC85BBF77B8EB88741F208515FA05D6284D6799A42CB60
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 100055EC
                                      Similarity
                                      • API ID: CreateSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3332741929-0
                                      • Opcode ID: ea1125fc6efff60c22231dd8e74bc2e2f11368403fa6fc4b095aa2b2bc07678f
                                      • Instruction ID: 58b8d6dcfabb716e12054e17064c669289570b6e525953e8c0c68f1c4d85f407
                                      • Opcode Fuzzy Hash: ea1125fc6efff60c22231dd8e74bc2e2f11368403fa6fc4b095aa2b2bc07678f
                                      • Instruction Fuzzy Hash: 0CC0487611020CAB8A44EB98D884C9A77ACAB58621B008006BA0986200CA31E9508BA0

                                      Control-flow Graph

                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658,1002B5F8), ref: 10010016
                                      • GetLastError.KERNEL32 ref: 10010022
                                      • wsprintfA.USER32 ref: 1001006D
                                      • Sleep.KERNEL32(000007D0), ref: 10010090
                                      • DeleteFileA.KERNEL32(00000000), ref: 1001009A
                                      • PathIsDirectoryA.SHLWAPI(C:\Users\user\Desktop\11221450), ref: 100100C4
                                      • CreateDirectoryA.KERNEL32(C:\Users\user\Desktop\11221450,00000000), ref: 10010102
                                      • Sleep.KERNEL32(000007D0), ref: 10010113
                                      • DeleteFileA.KERNEL32(00000000), ref: 1001011D
                                      • CreateThread.KERNEL32(00000000,00000000,1000FEA3,00000000,00000000,00000000), ref: 1001013B
                                      • CreateThread.KERNEL32(00000000,00000000,1000C5DD,00000000,00000000,00000000), ref: 10010155
                                      • Sleep.KERNEL32(000003E8), ref: 10010160
                                      • WSAStartup.WS2_32(00000202,?), ref: 10010172
                                      • CreateThread.KERNEL32(00000000,00000000,1000BDDD,107.163.56.251:6658,00000000,00000000), ref: 10010190
                                      • CreateThread.KERNEL32(00000000,00000000,1000EAE6,00000000,00000000,00000000), ref: 100101A5
                                      • Sleep.KERNEL32(00000BB8), ref: 100101B0
                                      • CreateThread.KERNEL32(00000000,00000000,1000CB08,00000000,00000000,00000000), ref: 10010201
                                      • CreateThread.KERNEL32(00000000,00000000,1000EF29,00000000,00000000,00000000), ref: 10010216
                                      • Sleep.KERNEL32(00000BB8), ref: 10010221
                                      • CreateThread.KERNEL32(00000000,00000000,10007225,00000000,00000000,00000000), ref: 10010236
                                      • CreateThread.KERNEL32(00000000,00000000,1000C753,00000000,00000000,00000000), ref: 1001024B
                                      • Sleep.KERNEL32(000927C0), ref: 10010256
                                      • Sleep.KERNEL32(000927C0), ref: 1001026A
                                      • CreateThread.KERNEL32(00000000,00000000,1000BA90,00000000,00000000,00000000), ref: 1001027F
                                      • Sleep.KERNEL32(0000EA60), ref: 1001028A
                                      • CreateThread.KERNEL32(00000000,00000000,1000F9DF,00000000,00000000,00000000), ref: 1001029F
                                      • Sleep.KERNEL32(000000FF), ref: 100102A7
                                      • Sleep.KERNEL32(0036EE80), ref: 100102BB
                                      Similarity
                                      • API ID: Create$SleepThread$DeleteDirectoryFile$ErrorLastMutexPathStartupwsprintf
                                      • String ID: 107.163.56.251:6658$123$C:\Users\user\Desktop$C:\Users\user\Desktop\11221450$M107.163.56.251:6658$SeDebugPrivilege$cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"
                                      • API String ID: 1343898817-2701472524
                                      • Opcode ID: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
                                      • Instruction ID: 202ca25a55749d9caac28ba7abe87623cc4d3d132b78e06582e95a8dd985acec
                                      • Opcode Fuzzy Hash: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
                                      • Instruction Fuzzy Hash: 31616F30B81324BBF720DBA08C4BF9A7661EB14B42F604594F749BD1D0DBF066928F56
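
This function is the sample's start-up routine: CreateMutexA("M107.163.56.251:6658") followed by GetLastError is the single-instance check, with the mutex named after the C2 host:port that is also handed to the thread started at 1000BDDD; the wsprintfA before the Sleep/DeleteFileA/CreateDirectoryA sequence fills the template cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s", in which ping is only a delay and rd removes the working directory (the "Uses ping.exe to sleep" signature above). The Python below is an added example for detection engineers, not code from the sample or the report: it runs a ping-as-sleep-then-delete check over constructed process-creation records (the first one reuses the sandbox path from this function's string table) and pulls the C2 endpoint out of a mutex name of this shape.

```python
import re

# Loopback ping with an optional -n count on either side of the address.
PING_LOOPBACK = re.compile(
    r"\bping(?:\.exe)?\b(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost)(?:\s+-n\s+\d+)?",
    re.IGNORECASE)
# The very next chained command is rd/rmdir/del/erase (a "> nul" redirect may sit between).
DESTRUCTIVE_NEXT = re.compile(
    r"^[^&|]*?[&|]+\s*(?:rd|rmdir|del|erase)\b", re.IGNORECASE)
# Mutex naming seen above: "M" + C2 host + ":" + port.
MUTEX_C2 = re.compile(r"^M(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def is_ping_sleep_delete(cmdline):
    """True when a loopback ping is chained straight into rd/del: the ping is the
    delay, the delete removes the dropper or its working directory."""
    m = PING_LOOPBACK.search(cmdline)
    return bool(m) and DESTRUCTIVE_NEXT.search(cmdline[m.end():]) is not None

def c2_from_mutex(name):
    """(host, port) from a mutex named like the one in this function, else None."""
    m = MUTEX_C2.match(name)
    return (m.group(1), int(m.group(2))) if m else None

def flag_events(events):
    """PIDs whose command line matches the ping-then-delete pattern."""
    return [e["pid"] for e in events if is_ping_sleep_delete(e["cmdline"])]

# Constructed process-creation records, not the report's own process tree.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "rundll32.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\\Users\\user\\Desktop\\11221450"'},
    {"pid": 4180, "parent": "rundll32.exe",
     "cmdline": 'cmd.exe /c ping -n 4 127.0.0.1 > nul & del "C:\\Users\\user\\AppData\\Local\\Temp\\x.dll"'},
    {"pid": 5001, "parent": "explorer.exe", "cmdline": "ping 127.0.0.1 -n 2"},
    {"pid": 5002, "parent": "msbuild.exe", "cmdline": "cmd.exe /c rd /s /q C:\\build\\out"},
    {"pid": 5003, "parent": "cmd.exe", "cmdline": "cmd.exe /c ping 10.0.0.7 -n 1 & echo up"},
]
```

Only the command chained immediately after the ping is examined, which keeps build scripts that happen to contain both a ping and a later cleanup out of the match; the check is meant to run over process-creation telemetry where the parent is also available, so a hit whose parent is rundll32.exe (as in the first record) ranks higher than one under a build tool.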

                                      Control-flow Graph

                                      Similarity
                                      • API ID: strcspnstrstr$_mbscpy$___crtstrncpy$FormatInfoLocaleStartupTimeatoiclosesocketconnecthtonsmemsetsocket
                                      • String ID: http://
                                      • API String ID: 2442996125-1121587658
                                      • Opcode ID: ac03bdceba01dc52bc363b04a17981fe5360d76d08a8c37df158606eb789235e
                                      • Instruction ID: 328f30d5f0abd543537b81f1a207a30335c7fdbd19ea60133f8a33c6dacf31c1
                                      • Opcode Fuzzy Hash: ac03bdceba01dc52bc363b04a17981fe5360d76d08a8c37df158606eb789235e
                                      • Instruction Fuzzy Hash: 4151CF71900218BFEF14DBA4DC89BDA77BCEF45304F1041A8F649A6144EB319B99CFA2

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: DirectorySleepSystem_mbscat$memsetstrcmpstrlenwsprintf
                                      • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$cmd.exe /c ipconfig /flushdns$http://107.163.56.240:18963/main.php
                                      • API String ID: 3822996416-3520984710
                                      • Opcode ID: aa691f7f0b4581c29a1b0b2e2bf558332fb2c82c52178c3595a21c5e9e7c2a48
                                      • Instruction ID: 1b7d056821bea9ffcc31071dd2aa98b9aaa464bf06ce50bac68d0a223335520a
                                      • Opcode Fuzzy Hash: aa691f7f0b4581c29a1b0b2e2bf558332fb2c82c52178c3595a21c5e9e7c2a48
                                      • Instruction Fuzzy Hash: 1571A1B5D04218ABEB60CB68DCC5BD9B3B5EB58340F1041E8E60CA7281DB75AF858F91

                                      Control-flow Graph

                                      APIs
                                      • _mbscpy.MSVCRT(00000000,00000000), ref: 10005D1A
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005D32
                                      • strrchr.MSVCRT ref: 10005D41
                                      • CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95
                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 10005DBC
                                      • time.MSVCRT(00000000), ref: 10005DC4
                                      • _localtime32.MSVCRT(?), ref: 10005DDA
                                      • strftime.MSVCRT ref: 10005DF2
                                      • vsprintf.MSVCRT ref: 10005E48
                                      • sprintf.MSVCRT ref: 10005E75
                                      • strlen.MSVCRT ref: 10005E8B
                                      • WriteFile.KERNEL32(?,?,00000000,00000000), ref: 10005EA2
                                      • CloseHandle.KERNEL32(?), ref: 10005EAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleModuleNamePointerWrite_localtime32_mbscpysprintfstrftimestrlenstrrchrtimevsprintf
                                      • String ID: %s%s$log.txt
                                      • API String ID: 1342927364-1489102009
                                      • Opcode ID: c49ee3aaf1ee1162d53095b1f85a859aca8ff1944970cf77330318e6a4c8fa1f
                                      • Instruction ID: 4248ec1d1ae275c58dfadc2bb918cf7de6159c9ba061f12476aacb7595d00ccb
                                      • Opcode Fuzzy Hash: c49ee3aaf1ee1162d53095b1f85a859aca8ff1944970cf77330318e6a4c8fa1f
                                      • Instruction Fuzzy Hash: 29519375D00268EBEB25CB94CC8DBDA7778EB68301F0045D5E709A6280DBB55AC9CF91

                                      Control-flow Graph

                                      APIs
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 10009071
                                        • Part of subcall function 10005AF9: RegQueryValueExA.KERNEL32(?,?,?,?,?,?), ref: 10005B14
                                        • Part of subcall function 10005ABC: RegCloseKey.KERNEL32(?), ref: 10005AC3
                                      • _mbscpy.MSVCRT(?,?), ref: 10009093
                                        • Part of subcall function 10008C6A: memset.MSVCRT ref: 10008CA2
                                        • Part of subcall function 10008C6A: GetVersionExA.KERNEL32(0000009C), ref: 10008CBB
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A5F8), ref: 10008CDD
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2000), ref: 10008D0A
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A604), ref: 10008D37
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2003), ref: 10008D64
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,Vista), ref: 10008D91
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2008), ref: 10008DBE
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A620), ref: 10008DEB
                                        • Part of subcall function 10008C6A: sprintf.MSVCRT ref: 10008E0F
                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
                                      • __aulldiv.LIBCMT ref: 100090F5
                                      • __aulldiv.LIBCMT ref: 10009103
                                      • _mbscpy.MSVCRT(?,11221450), ref: 1000914A
                                      • GetSystemDefaultUILanguage.KERNEL32 ref: 10009152
                                      • _mbscpy.MSVCRT(?,?), ref: 100091B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscpy$__aulldiv$CloseDefaultFormatGlobalLanguageMemoryQueryStatusSystemTimeValueVersion___crtmemsetsprintf
                                      • String ID: %u MB$11221450$@$ProcessorNameString$http://107.163.56.240:18963/main.php
                                      • API String ID: 2523359522-3766294513
                                      • Opcode ID: f3cec5f9f4bb72eded7be3d6a1194272b7ab6b05dfbae89aa0aad055c6315b36
                                      • Instruction ID: 8a61a220ec85d4577d8487cf19c966246fee9173dbb9e664f4393ddf2635a315
                                      • Opcode Fuzzy Hash: f3cec5f9f4bb72eded7be3d6a1194272b7ab6b05dfbae89aa0aad055c6315b36
                                      • Instruction Fuzzy Hash: E241F6FA901214ABEB10CB54DC85FDA7375EF54340F0482A8F60CA7285EB71AB948F95

                                      Control-flow Graph

                                      control_flow_graph 265 1000f9df-1000fa28 call 100210e0 268 1000fa29-1000fa30 265->268 269 1000fa36-1000fa56 RegOpenKeyExA 268->269 270 1000fbaf-1000fbb5 268->270 271 1000fb92-1000fbaa RegCloseKey Sleep 269->271 272 1000fa5c-1000faa4 RegQueryInfoKeyA 269->272 271->268 272->271 273 1000faaa-1000fab4 272->273 274 1000fac5-1000fad1 273->274 274->271 275 1000fad7-1000fb61 memset * 2 RegEnumValueA 274->275 276 1000fb63-1000fb77 StrStrIA 275->276 277 1000fb8d 275->277 276->277 278 1000fb79-1000fb87 RegDeleteValueA 276->278 277->274 278->277
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000), ref: 1000FA4E
                                      • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000FA9C
                                      • memset.MSVCRT ref: 1000FAE5
                                      • memset.MSVCRT ref: 1000FAFB
                                      • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 1000FB54
                                      • StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000FB6F
                                      • RegDeleteValueA.ADVAPI32(?,?), ref: 1000FB87
                                      • RegCloseKey.ADVAPI32(00000000), ref: 1000FB99
                                      • Sleep.KERNEL32(000493E0), ref: 1000FBA4
                                      Strings
                                      • svchsot.exe, xrefs: 1000FB63
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000FA44
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
                                      • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$svchsot.exe
                                      • API String ID: 1121228644-2172464104
                                      • Opcode ID: 9d00bb194b07a1bb5b771fdc727d592163efcfe6b350b88652163b49e7477233
                                      • Instruction ID: c6f70cebfc850f900d70c9a4584eddebb96ea2d54561a80a661612636b8fad89
                                      • Opcode Fuzzy Hash: 9d00bb194b07a1bb5b771fdc727d592163efcfe6b350b88652163b49e7477233
                                      • Instruction Fuzzy Hash: 87416475A40168ABEB24CB54CD45FD9B3B8FB48740F1081D9E349A6180DBF4AEC8DFA4

                                      Control-flow Graph

                                      APIs
                                      • _mbscpy.MSVCRT(?,Find CPU Error), ref: 100090A6
                                        • Part of subcall function 10008C6A: memset.MSVCRT ref: 10008CA2
                                        • Part of subcall function 10008C6A: GetVersionExA.KERNEL32(0000009C), ref: 10008CBB
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A5F8), ref: 10008CDD
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2000), ref: 10008D0A
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A604), ref: 10008D37
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2003), ref: 10008D64
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,Vista), ref: 10008D91
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,2008), ref: 10008DBE
                                        • Part of subcall function 10008C6A: _mbscpy.MSVCRT(00000000,1002A620), ref: 10008DEB
                                        • Part of subcall function 10008C6A: sprintf.MSVCRT ref: 10008E0F
                                      • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
                                      • __aulldiv.LIBCMT ref: 100090F5
                                      • __aulldiv.LIBCMT ref: 10009103
                                      • _mbscpy.MSVCRT(?,11221450), ref: 1000914A
                                      • GetSystemDefaultUILanguage.KERNEL32 ref: 10009152
                                      • _mbscpy.MSVCRT(?,?), ref: 100091B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscpy$__aulldiv$DefaultGlobalLanguageMemoryStatusSystemVersionmemsetsprintf
                                      • String ID: %u MB$11221450$@$Find CPU Error
                                      • API String ID: 1940419460-3873182742
                                      • Opcode ID: 14774b4b09ef8726e03d71dfcfb47c054d4e1c66f41bae1ea81a70528e2cff26
                                      • Instruction ID: fb897ab344b5bf2f3fef7126d7be210817f5d4ddccfe4a8bfac4ea34fc8177c1
                                      • Opcode Fuzzy Hash: 14774b4b09ef8726e03d71dfcfb47c054d4e1c66f41bae1ea81a70528e2cff26
                                      • Instruction Fuzzy Hash: 0E31B6F99002046BEB10CB64DC85FD97775FF58340F1481A4F64CAB285DB74AA948B95

                                      Control-flow Graph

                                      APIs
                                      • 6CB72DD0.MFC42(00001218), ref: 1000BA9E
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000BAC1
                                        • Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC
                                        • Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E
                                      • memset.MSVCRT ref: 1000BB06
                                        • Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A00F
                                        • Part of subcall function 10009FAB: wsprintfA.USER32 ref: 1000A027
                                        • Part of subcall function 10009FAB: 6CB72DD0.MFC42(0007D000), ref: 1000A035
                                        • Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A063
                                      • Sleep.KERNEL32(0002BF20), ref: 1000BB28
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BB4E
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BB5D
                                      • CloseHandle.KERNEL32(?), ref: 1000BB67
                                      • Sleep.KERNEL32(0002BF20), ref: 1000BB72
                                      • CloseHandle.KERNEL32(?), ref: 1000BB84
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
                                      • String ID: 0x5d65r455f$5762479093
                                      • API String ID: 1532593739-2446933972
                                      • Opcode ID: 935d26d071e824d425e8d2cc749a798677f370bd26d164792da0be028e5ad9c1
                                      • Instruction ID: ee4fe3ff80eea35deae1171875856fc337cdd1930f9e5ee3871eb6d0d01d88b9
                                      • Opcode Fuzzy Hash: 935d26d071e824d425e8d2cc749a798677f370bd26d164792da0be028e5ad9c1
                                      • Instruction Fuzzy Hash: 922184B5A40214BBF710DBE0CD8BFDD7774EB55741F2041A4FA09962C8DB706A508B96

                                      Control-flow Graph

                                      APIs
                                      • 6CB72DD0.MFC42(00080000), ref: 1000C876
                                      • memset.MSVCRT ref: 1000C932
                                      • Sleep.KERNEL32(000927C0,1002AEE0), ref: 1000C981
                                      • strlen.MSVCRT ref: 1000CA1E
                                      • wsprintfA.USER32 ref: 1000CA40
                                        • Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049
                                        • Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                        • Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
                                        • Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                        • Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                      • strcmp.MSVCRT ref: 1000CAC2
                                      • Sleep.KERNEL32(000927C0), ref: 1000CAD1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscat$FileSleepstrchrstrlen$CloseCreateHandleWrite_mbscpymemsetstrcmpwsprintf
                                      • String ID: c:\1.txt$http://107.163.56.240:18963/main.php$iOffset
                                      • API String ID: 2734459437-992998774
                                      • Opcode ID: 3e260d5ced38feb380025d23839234b3779fe039044ebaa0f4b9b0109cac3653
                                      • Instruction ID: 38d56a867debf3668477e47f832bb14d7cc83a34d2ec41b954da4208bafbb5ac
                                      • Opcode Fuzzy Hash: 3e260d5ced38feb380025d23839234b3779fe039044ebaa0f4b9b0109cac3653
                                      • Instruction Fuzzy Hash: F771AEB5D04218ABEB21CB64CC85BDAB7B5EF59340F1445E8E50CA7242EB35AE84CF51

                                      Control-flow Graph

                                      control_flow_graph 366 10011e80-10011ef4 memset * 2 Netbios 367 10011f06-10011f10 366->367 368 10011ef6-10011f01 366->368 370 10011f21-10011f32 367->370 369 10012078-1001207b 368->369 371 10011f74-10011f82 370->371 372 10011f34-10011f6e Netbios 370->372 375 10011f94-10012003 memset _mbscpy Netbios 371->375 376 10011f84-10011f8f 371->376 373 10011f70 372->373 374 10011f72 372->374 373->371 374->370 378 10012012-10012076 sprintf 375->378 379 10012005-10012010 375->379 376->369 378->369 379->369
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Netbiosmemset
                                      • String ID: %02X%02X%02X%02X%02X%02X$3
                                      • API String ID: 1915571530-847158874
                                      • Opcode ID: e682560842b1c5bbc8f73b42685206b775cb85e69039e3f260726e3811ab9e07
                                      • Instruction ID: 995f6e05dfeb694b0f45a1fd62118eef7e3e694447b149082da1e2005757cfe0
                                      • Opcode Fuzzy Hash: e682560842b1c5bbc8f73b42685206b775cb85e69039e3f260726e3811ab9e07
                                      • Instruction Fuzzy Hash: 2D518F7592065A8BDB36CB14CC42BE9B3B8EF95300F4441F8A44CAA242EBB49BD4DF45
                                      APIs
                                      • 6CB72DD0.MFC42(00080000), ref: 1000CB24
                                      • memset.MSVCRT ref: 1000CBD2
                                      • Sleep.KERNEL32(000927C0), ref: 1000CC09
                                      • strlen.MSVCRT ref: 1000CCA5
                                      • strcmp.MSVCRT ref: 1000CCBB
                                      • wsprintfA.USER32 ref: 1000CCD5
                                        • Part of subcall function 100084F9: wsprintfA.USER32 ref: 1000853B
                                        • Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085AF
                                        • Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085CE
                                        • Part of subcall function 100084F9: CreateDirectoryA.KERNEL32(%s|%s,00000000), ref: 100085E0
                                      • Sleep.KERNEL32(000927C0), ref: 1000CCE9
                                      Strings
                                      • http://107.163.56.240:18963/main.php, xrefs: 1000CBAF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: wsprintf$Sleep$CreateDirectorymemsetstrcmpstrlen
                                      • String ID: http://107.163.56.240:18963/main.php
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _mbscpystrstr
                                      • String ID: %s/joy.asp?sid=%s$%s|NULL|%s|%s$11221450$http://$http://107.163.56.241:18530/
                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000BDF8
                                        • Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC
                                        • Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BE47
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BE56
                                      • CloseHandle.KERNEL32(?), ref: 1000BE60
                                      • Sleep.KERNEL32(00002710), ref: 1000BE6B
                                      • CloseHandle.KERNEL32(?), ref: 1000BE7A
                                      Similarity
                                      • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
                                      • String ID:
                                      APIs
                                        • Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B
                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008F76
                                      Strings
                                      Similarity
                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                      • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                      APIs
                                        • Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B
                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008E96
                                      Strings
                                      Similarity
                                      • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                      • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                      APIs
                                      Similarity
                                      • API ID: _inittermfreemalloc
                                      • String ID:
                                      APIs
                                        • Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 100097B3
                                      Strings
                                      • TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10009773
                                      Similarity
                                      • API ID: FormatInternetOpenTime___crt
                                      • String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
                                      APIs
                                      • GetProcAddress.KERNEL32(75BD0000,00000000), ref: 100043D4
                                      Strings
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: Q2xvc2VXaW5kb3c=
                                      APIs
                                      • GetProcAddress.KERNEL32(6DB10000,00000000), ref: 100024BE
                                      Strings
                                      • TmV0TG9jYWxHcm91cEVudW0=, xrefs: 100024AA
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: TmV0TG9jYWxHcm91cEVudW0=
                                      APIs
                                      • GetProcAddress.KERNEL32(6DB10000,00000000), ref: 100024EC
                                      Strings
                                      • TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=, xrefs: 100024D8
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
                                      APIs
                                      • GetProcAddress.KERNEL32(6DB10000,00000000), ref: 10002576
                                      Strings
                                      • TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 10002562
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: TmV0QXBpQnVmZmVyRnJlZQ==
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00000000), ref: 100025A4
                                      Strings
                                      • R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==, xrefs: 10002590
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==
                                      APIs
                                      • GetProcAddress.KERNEL32(74DD0000,00000000), ref: 10001744
                                      Strings
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: U2V0RXJyb3JNb2Rl
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: C:\Program Files
                                      • API String ID: 3472027048-1387799010
                                      • Opcode ID: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
                                      • Instruction ID: c4e0b3600881029edc50d20150f75f5e2cc0ea145c3db068fc966fb5d715c26f
                                      • Opcode Fuzzy Hash: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
                                      • Instruction Fuzzy Hash: DB314BB4D04298DBEB10CFA4C9816DEBBB0FB08344F248499D806B7346D37AAE46DB55
                                      APIs
                                      • inet_addr.WS2_32(?), ref: 100086CA
                                      • inet_addr.WS2_32(?), ref: 100086D7
                                        • Part of subcall function 10004733: gethostbyname.WS2_32(?), ref: 1000473A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: inet_addr$gethostbyname
                                      • String ID:
                                      • API String ID: 2998999989-0
                                      • Opcode ID: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
                                      • Instruction ID: 7e645cfb302764e8d8533147197651d5e6009befd3d72f555b77b30a82d9c00f
                                      • Opcode Fuzzy Hash: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
                                      • Instruction Fuzzy Hash: 93F0D0B9A14208EFDB10DFA4C48898DBBB4FB48251F208595ED4997309D735EB51DF50
                                      APIs
                                      • RegCreateKeyExA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10005AB4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
                                      • Instruction ID: 4cfd926ed5ee4b74160d84ed1ccf0fcb76e3c9c35cbabeff5299be230ac46b6e
                                      • Opcode Fuzzy Hash: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
                                      • Instruction Fuzzy Hash: 5CE0FEB6214109AB8B44CF8DD890DEB77EDAB8C654B158248BA1DD3254D634E8518BA4
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
                                      • Instruction ID: 003bc1bca6d8c776606440d32dd4298a63b416cb58658e6586ac9de98fafa826
                                      • Opcode Fuzzy Hash: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
                                      • Instruction Fuzzy Hash: 20D092B221420DAB8B04CF88D880CDB37EDAB8C610B008108FA0DC3200C630E9518BA0
                                      APIs
                                      • InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID:
                                      • API String ID: 2038078732-0
                                      • Opcode ID: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
                                      • Instruction ID: 01f520d78d0293c333997eaa499525b6bf33e0a14dea869d1b4eebbdcbea7866
                                      • Opcode Fuzzy Hash: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
                                      • Instruction Fuzzy Hash: E4D092B221020DAB8B04CF88D884C9B77ADAB8C600B008108BA0DC3210C630E951CBA0
                                      APIs
                                      • GetShortPathNameA.KERNEL32(?,?,?), ref: 10005793
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: NamePathShort
                                      • String ID:
                                      • API String ID: 1295925010-0
                                      • Opcode ID: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
                                      • Instruction ID: ceb44158fe26a4df53ddd6796a7450bcc70568043160c05e16c1b80753528501
                                      • Opcode Fuzzy Hash: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
                                      • Instruction Fuzzy Hash: 64C04C7A11420CABCB04DFD8DC84CAB77EDAB8C610B14C508FA1D87200DA31F9118BA4
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID:
                                      • API String ID: 1964310414-0
                                      • Opcode ID: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
                                      • Instruction ID: 7a9713bbb07ef6c8d943612d259fbcec43348370ec0d3c79817316860ce7ebf9
                                      • Opcode Fuzzy Hash: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
                                      • Instruction Fuzzy Hash: ABC04C7611424CABCB04DFD8DC84CAB37ADFB8C610B148548FA1D87200C730F9119BA4
                                      APIs
                                      • Process32First.KERNEL32(?,?), ref: 10005C2B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: FirstProcess32
                                      • String ID:
                                      • API String ID: 2623510744-0
                                      • Opcode ID: c79bdcad5e10c768a08032ba641c64ddcb979c0910df32a7b8fa983ae43e6ce7
                                      • Instruction ID: 0bb13c6bd5e1f785d1e646858d06fe0d6ff5ed3b3de7d82a9b6b4d9c5b6da0f5
                                      • Opcode Fuzzy Hash: c79bdcad5e10c768a08032ba641c64ddcb979c0910df32a7b8fa983ae43e6ce7
                                      • Instruction Fuzzy Hash: A9C0927611420CAFCB44EFD8D884C9A7BACEB5C610B008015FA098B200CB32F910CBA0
                                      APIs
                                      • Process32Next.KERNEL32(?,?), ref: 10005C40
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: NextProcess32
                                      • String ID:
                                      • API String ID: 1850201408-0
                                      • Opcode ID: 5719e2930ea7f0706ad915643aa64af8f4188bc628acbc2e8ca6497f3c28941c
                                      • Instruction ID: 73a06e9c4e2301444ffdfcdd7f424da4889f6d9468e2cbe3174ce95ed40330bc
                                      • Opcode Fuzzy Hash: 5719e2930ea7f0706ad915643aa64af8f4188bc628acbc2e8ca6497f3c28941c
                                      • Instruction Fuzzy Hash: B4C0927611420CAFCB44EFD8D884C9A77ACFB5C610B408405FA0A87200CB31F910CBA0
                                      APIs
                                      • LoadLibraryA.KERNEL32(04061050,?,100015AB), ref: 100015B6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
                                      • Instruction ID: aa9e6f373e50f86635e89be718cfcb74191758a12ce1f5a61408757a6cf1a103
                                      • Opcode Fuzzy Hash: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
                                      • Instruction Fuzzy Hash: C4B0927240432C9FE600DBE89CC9C1237ACB3086093A00452E90AC3A21D730A402CA96
                                      APIs
                                      • LoadLibraryA.KERNEL32(007DD030,?,100015EB), ref: 100015F6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
                                      • Instruction ID: 29f41251ce689b307b62650387fb13a5c84ed48d826cf923518eb1e266bdb45f
                                      • Opcode Fuzzy Hash: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
                                      • Instruction Fuzzy Hash: EAB0927240432D9BE700DBE89CCAC0137ACA7086087604412E909C3A21D630A4428B52
                                      APIs
                                      • LoadLibraryA.KERNEL32(007DA018,?,1000164B), ref: 10001656
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
                                      • Instruction ID: ba1e3f7c76a82d39c198cdf2c2322580641102d8f53e3edecd95e5ced58cbd87
                                      • Opcode Fuzzy Hash: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
                                      • Instruction Fuzzy Hash: B8B0927244432C9BE600DBE99CC8C0137ACE608A083604412E90A83A21D630A4428F92
                                      APIs
                                      • LoadLibraryA.KERNEL32(007D4FF0,?,100016EB), ref: 100016F6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
                                      • Instruction ID: ceafc5a161691708641d67a93fab1652c5b609e1f825db1f72d2572ab5d16a00
                                      • Opcode Fuzzy Hash: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
                                      • Instruction Fuzzy Hash: DDB0927240432C9BF600DBE89CC8D1677ACB6086083604822E909D3A21D630A4428B92
                                      APIs
                                      • PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID:
                                      • API String ID: 1174141254-0
                                      • Opcode ID: 8fbd92a01ea9a44224101bdf60dc518226490cae3da14b9b4e0f38dd0ac429c9
                                      • Instruction ID: 6f4f072259eb8095dc5d08f605961f37381177791d3a9d26a151bb050024273c
                                      • Opcode Fuzzy Hash: 8fbd92a01ea9a44224101bdf60dc518226490cae3da14b9b4e0f38dd0ac429c9
                                      • Instruction Fuzzy Hash: 87B0123100030C97CA005BD8D848CC537DC964C5007004001F50CC3100CA30F4004690
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: gethostbyname
                                      • String ID:
                                      • API String ID: 930432418-0
                                      • Opcode ID: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
                                      • Instruction ID: ed7e62d2018f1f5fe489a5e2af283e66eb16d0056b782be615d6e68807e7cafe
                                      • Opcode Fuzzy Hash: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
                                      • Instruction Fuzzy Hash: 1EB0123140030C97CA005BE8D84CC95779CD6085047000400F50C83500C631F4004A90
                                      APIs
                                      • GetDriveTypeA.KERNEL32(1000EBB8,?,1000EBB8,1002B35C), ref: 10005819
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: DriveType
                                      • String ID:
                                      • API String ID: 338552980-0
                                      • Opcode ID: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
                                      • Instruction ID: 70a1fadde607be084ccef56658dda61e356474f6f706b475b9c53b19a0d7fe5b
                                      • Opcode Fuzzy Hash: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
                                      • Instruction Fuzzy Hash: 0FB0123100030C97CA005BD8D848C8577DC970C6407408000F60C83101CA70F4004AD0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
                                      • Instruction ID: d309ecb02fbcf521f446e64dffd2c407881538d3ff2428412e6fd22df4654e57
                                      • Opcode Fuzzy Hash: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
                                      • Instruction Fuzzy Hash: A5B0123200430C97CA005BD8D848CC5379CD60C5007000051F50CC3100C730F4004A90
                                      APIs
                                      • memset.MSVCRT ref: 10011A5B
                                        • Part of subcall function 10011C72: sprintf.MSVCRT ref: 10011C8E
                                        • Part of subcall function 10011C72: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4
                                        • Part of subcall function 10011E80: memset.MSVCRT ref: 10011E9A
                                        • Part of subcall function 10011E80: memset.MSVCRT ref: 10011EB0
                                        • Part of subcall function 10011E80: Netbios.NETAPI32(00000037), ref: 10011EDB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$CreateFileNetbiossprintf
                                      • String ID:
                                      • API String ID: 2265170204-0
                                      • Opcode ID: a4332b1645f862f82f7eb4b219ddf43da0a854aa1b97c9327c3544342e36a4f3
                                      • Instruction ID: dceb83b943926abd5faf33fd0d5094280e9a27f0c6a434b0c500408138b30427
                                      • Opcode Fuzzy Hash: a4332b1645f862f82f7eb4b219ddf43da0a854aa1b97c9327c3544342e36a4f3
                                      • Instruction Fuzzy Hash: 99E09A74A04208FBCB08DBD4ED52B9EB7B8DF00340F1000A9F9056B381DAB2EF009AD4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 4fce0586221d5b7f2ab32fed1b7aed4802dceffac77cf3fcc1f851374ffc7c6a
                                      • Instruction ID: 48dbc91ac08fb344a6ac96d98cd474edb1b2e67bc503a630d425958a5cdb5dd6
                                      • Opcode Fuzzy Hash: 4fce0586221d5b7f2ab32fed1b7aed4802dceffac77cf3fcc1f851374ffc7c6a
                                      • Instruction Fuzzy Hash: D3D02B30508300BED612B7A98D49C4B7EB6EB50B40F014A2CB1D050263837B00A0E563
                                      APIs
                                        • Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
                                        • Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D856
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D86A
                                      • strrchr.MSVCRT ref: 1000D879
                                      • _mbscat.MSVCRT ref: 1000D891
                                      • strrchr.MSVCRT ref: 1000D8A2
                                        • Part of subcall function 10005EBA: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
                                        • Part of subcall function 10005EBA: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
                                        • Part of subcall function 10005EBA: CloseHandle.KERNEL32(?), ref: 10005F29
                                      • CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658), ref: 1000D8E2
                                      • GetLastError.KERNEL32 ref: 1000D8EE
                                      • ReleaseMutex.KERNEL32(?), ref: 1000D916
                                      • CloseHandle.KERNEL32(?), ref: 1000D923
                                      • ReleaseMutex.KERNEL32(?), ref: 1000D952
                                      • CloseHandle.KERNEL32(?), ref: 1000D95F
                                      • GetTickCount.KERNEL32 ref: 1000DA2C
                                      • srand.MSVCRT ref: 1000DA33
                                      • rand.MSVCRT ref: 1000DA3C
                                      • rand.MSVCRT ref: 1000DAAA
                                      • Sleep.KERNEL32(00000064), ref: 1000DAE5
                                      • SetFileAttributesA.KERNEL32(c:\,00000002), ref: 1000DAF4
                                      • wsprintfA.USER32 ref: 1000DB0D
                                      • _mbscpy.MSVCRT(00000000,c:\), ref: 1000DB24
                                        • Part of subcall function 1000D747: GetTickCount.KERNEL32 ref: 1000D75F
                                        • Part of subcall function 1000D747: srand.MSVCRT ref: 1000D766
                                        • Part of subcall function 1000D747: rand.MSVCRT ref: 1000D76F
                                        • Part of subcall function 1000D747: rand.MSVCRT ref: 1000D7BA
                                      • _mbscat.MSVCRT ref: 1000DB71
                                      • _mbscat.MSVCRT ref: 1000DB87
                                        • Part of subcall function 10004DC0: CreateDirectoryA.KERNEL32(?,?), ref: 10004DCB
                                      • Sleep.KERNEL32(00000064), ref: 1000DBA2
                                      • memset.MSVCRT ref: 1000DBB3
                                      • _mbscat.MSVCRT ref: 1000DBD8
                                      • _mbscat.MSVCRT ref: 1000DBEE
                                      • _mbscat.MSVCRT ref: 1000DC02
                                      • MoveFileA.KERNEL32(00000000,00000000), ref: 1000DC18
                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000DC41
                                        • Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E
                                      • ___crtGetLocaleInfoEx.LIBCMTD ref: 1000DC5C
                                        • Part of subcall function 1000556F: SetFilePointer.KERNEL32(?,?,?,?), ref: 10005582
                                        • Part of subcall function 10005434: CloseHandle.KERNEL32(10008EDA,?,10008EDA,000000FF), ref: 1000543B
                                        • Part of subcall function 10005558: GetModuleFileNameA.KERNEL32(?,?,?), ref: 10005567
                                      • rand.MSVCRT ref: 1000DC89
                                      • rand.MSVCRT ref: 1000DC9B
                                      • rand.MSVCRT ref: 1000DCAD
                                      • rand.MSVCRT ref: 1000DCBF
                                      • rand.MSVCRT ref: 1000DCD1
                                      • rand.MSVCRT ref: 1000DCE3
                                      • rand.MSVCRT ref: 1000DCF5
                                      • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000DD32
                                        • Part of subcall function 10005BF2: CopyFileA.KERNEL32(?,?,?), ref: 10005C01
                                      • Sleep.KERNEL32(00001388), ref: 1000DD55
                                      • memset.MSVCRT ref: 1000DD66
                                        • Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 1000DDD2
                                        • Part of subcall function 10004FB3: ShellExecuteA.SHELL32(?,?,?,?,?,?), ref: 10004FCE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: rand$File$_mbscat$CloseCreateHandle$ModuleMutexNameSleep$CountMoveProcessReleaseTickTimerToken___crtmemsetsrandstrrchr$AdjustAttributesConcurrency::details::platform::__CopyCurrentDirectoryErrorExecuteExistsFormatInfoLastLocaleLookupOpenPathPointerPrivilegePrivilegesQueueShellTimeValue_mbscpywsprintf
                                      • String ID: %s\%c%c%c%c%c%c%c.exe$%s\ReadMe.txt$.txt$123$3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6$M107.163.56.251:6658$SeDebugPrivilege$SeDebugPrivilege$WinSta0\Default$\ReadMe.txt$c:\$c:\windows\system32$c:\wiseman.exe$c:\wiseman.exe$launch
                                      • API String ID: 652726865-1276110213
                                      • Opcode ID: 7301c903defd3cd70dc9b3d825b2f00b4d4087626143eb540bbaa64f9a2eb160
                                      • Instruction ID: e7302aca530db56d1bf951a45ff3e4a786c1631362df480cdb7b9b2581457961
                                      • Opcode Fuzzy Hash: 7301c903defd3cd70dc9b3d825b2f00b4d4087626143eb540bbaa64f9a2eb160
                                      • Instruction Fuzzy Hash: 12F1F5B1D00218ABFB20DB60CC96FDA7775EB54301F4045E9F709A6181EBB66B948F61
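The routine above is the installer: it enables SeDebugPrivilege, takes a mutex whose name embeds an address and port (`M107.163.56.251:6658`), hides `c:\`, and builds a drop path from `%s\%c%c%c%c%c%c%c.exe` with seven `rand()` calls indexing the table `3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6`, alongside the fixed names `c:\wiseman.exe` and `%s\ReadMe.txt` (the `%s` prefix is not resolved in the listing). The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the C2 endpoint out of the mutex name, checks whether a path looks like the generated dropper name, and runs both over a constructed set of Sysmon-style events. The event format and the host names in the sample events are constructed for illustration.

```python
import re
import string

# Strings recovered from the installer routine in the report.
ALPHABET = "3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6"   # rand() index table for the 7-char name
STATIC_PATHS = {"c:\\wiseman.exe"}                     # fixed drop name seen in the strings
MUTEX_RE = re.compile(r"^M(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\([0-9a-z]{7})\.exe$")


def alphabet_coverage():
    """Which alphanumerics the name generator can emit, and which it never can."""
    present = set(ALPHABET)
    missing = set(string.digits + string.ascii_lowercase) - present
    return present, missing


def parse_c2_from_mutex(name):
    """'M107.163.56.251:6658' -> ('107.163.56.251', 6658); None if the name does not fit."""
    m = MUTEX_RE.match(name)
    if not m:
        return None
    ip, port = m.group(1), int(m.group(2))
    if port > 65535 or any(int(o) > 255 for o in ip.split(".")):
        return None
    return ip, port


def is_generated_dropper_name(path):
    """Drive-root <7 chars>.exe whose characters all come from ALPHABET."""
    m = ROOT_EXE_RE.match(path.lower())
    return bool(m) and set(m.group(1)) <= set(ALPHABET)


def triage(events):
    """Return (event, reason) pairs for a list of constructed Sysmon-style event dicts."""
    hits = []
    for ev in events:
        if ev["type"] == "mutex":
            c2 = parse_c2_from_mutex(ev["name"])
            if c2:
                hits.append((ev, "mutex name encodes C2 %s:%d" % c2))
        elif ev["type"] == "file":
            p = ev["path"].lower()
            if p in STATIC_PATHS:
                hits.append((ev, "known drop name"))
            elif is_generated_dropper_name(p):
                hits.append((ev, "7-char root-level exe (weak alone; combine with other hits)"))
    return hits


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "M107.163.56.251:6658"},
    {"type": "file", "path": "C:\\wiseman.exe"},
    {"type": "file", "path": "C:\\3ept4x7.exe"},
    {"type": "file", "path": "C:\\jjjjjjj.exe"},                 # 'j' is absent from ALPHABET
    {"type": "file", "path": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "mutex", "name": "Global\\SomeBenignMutex"},
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS):
        print(why, ev)
```

Two caveats a hunter should keep in mind. The index table is just a shuffled `[0-9a-z]` with `z` doubled and `j` missing, so the name check only says "seven lowercase alphanumerics without a `j` in a drive root"; it is useful as a corroborating signal next to the mutex or `wiseman.exe`, not on its own. The mutex check is specific to this family's `M<ip>:<port>` convention and will not generalize to other samples.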
                                      APIs
                                      • _mbscpy.MSVCRT(00000000,%SystemRoot%\System32\svchost.exe -k ), ref: 1000AC15
                                      • _mbscat.MSVCRT ref: 1000AC28
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AC57
                                      • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AC9E
                                      • GetLastError.KERNEL32 ref: 1000ACB3
                                      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 1000ACD0
                                      Strings
                                      • Description, xrefs: 1000AD42
                                      • RegSetValueEx(Svchost\krnlsrvc), xrefs: 1000AECF
                                      • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 1000AD6E
                                      • RegSetValueEx(ServiceDll), xrefs: 1000ADFD
                                      • ServiceDll, xrefs: 1000ADD8
                                      • %SystemRoot%\System32\svchost.exe -k , xrefs: 1000AC09
                                      • SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000AD01
                                      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 1000AE3B
                                      • RegOpenKeyEx(Svchost), xrefs: 1000AE78
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: OpenService$CreateErrorLastManager_mbscat_mbscpy
                                      • String ID: %SystemRoot%\System32\svchost.exe -k $Description$RegOpenKeyEx(Svchost)$RegSetValueEx(ServiceDll)$RegSetValueEx(Svchost\krnlsrvc)$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                      • API String ID: 3611292957-660433390
                                      • Opcode ID: fdd77ce7bfc91025276ee73616ce416ce080ae0130899ba4a85b8e3b0fcc4d2e
                                      • Instruction ID: fc4fc097f2df58436204c54070e46900803d4f9edc1039ca72ef93cdf2176969
                                      • Opcode Fuzzy Hash: fdd77ce7bfc91025276ee73616ce416ce080ae0130899ba4a85b8e3b0fcc4d2e
                                      • Instruction Fuzzy Hash: 51A11EB5900218BBEB25DF90DC89FEE7778EB48740F504598F609A6281D774AA85CFA0
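This routine installs the DLL as a svchost-hosted service: `CreateServiceA` with an ImagePath of `%SystemRoot%\System32\svchost.exe -k <group>`, a `Parameters\ServiceDll` value under `SYSTEM\CurrentControlSet\Services\<name>`, and a new group registered under `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost` (the log string names it `krnlsrvc`). The audit below is an added example, not code from the report or from the sample, and it runs over a constructed registry snapshot rather than a live hive. The baseline group list is an assumption to be tuned per Windows build; the service name `helpsvc32` and its DLL path are constructed, since the listing only shows the group name and `%s` placeholders.

```python
import re

# Assumption: common svchost groups on a stock Windows install. Extend for your builds.
BASELINE_GROUPS = {
    "netsvcs", "localservice", "localsystemnetworkrestricted", "networkservice",
    "localservicenonetwork", "localservicenetworkrestricted", "dcomlaunch", "rpcss",
    "wininet", "termsvcs", "imgsvc", "wcssvc", "appmodel", "utcsvc",
}
SVCHOST_RE = re.compile(r"^%systemroot%\\system32\\svchost\.exe\s+-k\s+(\S+)", re.I)
SYSTEM32_RE = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\[^\\]+\.dll$", re.I)


def audit_svchost(reg):
    """
    reg is a constructed snapshot with two parts:
      reg["svchost"]  -> {group: [service names]}   (HKLM\...\CurrentVersion\Svchost values)
      reg["services"] -> {service: {"ImagePath": ..., "ServiceDll": ...}}
    Returns a list of (service, finding) tuples.
    """
    findings = []
    groups = {g.lower(): [s.lower() for s in svcs] for g, svcs in reg["svchost"].items()}
    for svc, vals in reg["services"].items():
        m = SVCHOST_RE.match(vals.get("ImagePath", ""))
        if not m:
            continue                                   # not hosted by svchost
        group = m.group(1).lower()
        dll = vals.get("ServiceDll", "")
        if group not in BASELINE_GROUPS:
            findings.append((svc, "non-baseline svchost group '%s'" % group))
        if svc.lower() not in groups.get(group, []):
            findings.append((svc, "ImagePath uses group '%s' but the Svchost key does not list this service" % group))
        if not dll:
            findings.append((svc, "svchost-hosted service without Parameters\\ServiceDll"))
        elif not SYSTEM32_RE.match(dll):
            findings.append((svc, "ServiceDll outside System32: %s" % dll))
    return findings


# Constructed snapshot: one legitimate netsvcs member and one service in the
# 'krnlsrvc' group named in the report (service name and DLL path are made up).
SAMPLE_REG = {
    "svchost": {
        "netsvcs": ["Schedule", "Themes"],
        "krnlsrvc": ["helpsvc32"],
    },
    "services": {
        "Schedule": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                     "ServiceDll": r"%SystemRoot%\System32\schedsvc.dll"},
        "helpsvc32": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k krnlsrvc",
                      "ServiceDll": r"C:\Windows\System32\helpsvc32.dll"},
        "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    },
}

if __name__ == "__main__":
    for svc, why in audit_svchost(SAMPLE_REG):
        print(svc, "->", why)
```

Note what does and does not fire on the constructed data: because the sample writes its own group into the Svchost key and can place its DLL under System32, the consistency and path checks stay quiet, and the only signal is the unfamiliar group name. In practice, pair this with file signature checks on every ServiceDll and with service-creation events (System log 7045), since a fresh group plus a fresh service in one go is the pattern the listing shows.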
                                      APIs
                                      • GetProcessHeap.KERNEL32 ref: 1000634F
                                        • Part of subcall function 100060BF: CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE
                                        • Part of subcall function 10005F3C: GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
                                        • Part of subcall function 10005F3C: RtlAllocateHeap.NTDLL(00000000), ref: 10005F56
                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 100063BB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocateCreateFileFree
                                      • String ID: Close Files Handle....Failure$Close Files Handle....Success$Handle: %d .... FileName: %s$Not found File %s $Not found File: %s $Process:%d Handle: %d ..%s.. FileName: %s$c:\am.log$c:\am.log$c:\am.log
                                      • API String ID: 630072122-2461064422
                                      • Opcode ID: 4a2fa82e81c51744bbad076017243a3063161b3bda1db87adcc9503e7b70c574
                                      • Instruction ID: 645c5e70bbac33feba3ad968f02ee579f9001a7514e99284e2577437101ece5e
                                      • Opcode Fuzzy Hash: 4a2fa82e81c51744bbad076017243a3063161b3bda1db87adcc9503e7b70c574
                                      • Instruction Fuzzy Hash: 63C141B4900228AFEB24CB54CC86FD9B3B5EB58344F2085D8F609A7245DB75AED5CF90
                                      APIs
                                        • Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 10009517
                                        • Part of subcall function 10004D73: InternetOpenUrlA.WININET(80000100,00000000,00000000,1000C5CB,00000000,100097B8), ref: 10004D8E
                                      • memset.MSVCRT ref: 1000953C
                                      • ___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E
                                        • Part of subcall function 10004D96: InternetReadFile.WININET(00000400,?,00000000,100096E3), ref: 10004DA9
                                        • Part of subcall function 10004DB1: InternetCloseHandle.WININET(100097ED), ref: 10004DB8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Internet$Open___crt$CloseFileFormatHandleInfoLocaleReadTimememset
                                      • String ID: $ $ $ $!$P$a$a$a$b$c$d$d$e$e$e$g$http$i$l$n$n$o$p$s$t$y
                                      • API String ID: 484075888-3281237192
                                      • Opcode ID: d7a047d3dc299d41884a073b28951d72715d9003de778e60012301e531c3000a
                                      • Instruction ID: 2007758cba872cfcd8f6e98331750ef100b8103267b94e19ec89753a2b5b510a
                                      • Opcode Fuzzy Hash: d7a047d3dc299d41884a073b28951d72715d9003de778e60012301e531c3000a
                                      • Instruction Fuzzy Hash: 10413174D043C8EAFB11C6A8CC097DEBEB55B15744F0440D9D5882A282D7FA5798CBB6
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CountTick$Sleep$DeleteFile
                                      • String ID: %c%c%c%c%c$%s\%c%c%c%c.%c%c%c$C:\Users\user\Desktop$InstallPath$QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$RootDir$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==$U09GVFdBUkVcRVNUc29mdFxBTFlhYw==
                                      • API String ID: 1805227871-3371360845
                                      • Opcode ID: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
                                      • Instruction ID: 6bdac8f9476eec08e9e208a458106ac04ec5b4e33c9511cad80c78820eb665b7
                                      • Opcode Fuzzy Hash: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
                                      • Instruction Fuzzy Hash: 5FA1E9F1D00218ABFB15DB60CC85FEE76B6EB88311F4481A9F709B6285DB786B41CB51
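The four base64 literals in this routine are the sample's only obfuscated strings in the listing. Decoded, they are two registry key paths (`SOFTWARE\AhnLab\V3Lite`, `SOFTWARE\ESTsoft\ALYac`) and two file names (`ASDSvc.exe`, `AYRTSrv.aye`), consistent with the AhnLab V3 and ESTsoft ALYac products and with the "AV process strings found" signature in the summary. The plain-text value names `InstallPath` and `RootDir` in the same routine suggest the key is opened and one of those values read. The Python below is an added example, not code from the report or the sample: it decodes the literals and mirrors that lookup against a constructed registry snapshot. Which value name belongs to which vendor key is not visible in the listing, so the example tries both; the snapshot contents are constructed.

```python
import base64

# Base64 literals exactly as they appear in the routine's string list.
ENCODED = [
    "QVNEU3ZjLmV4ZQ==",
    "QVlSVFNydi5heWU=",
    "U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==",
    "U09GVFdBUkVcRVNUc29mdFxBTFlhYw==",
]
VALUE_NAMES = ("InstallPath", "RootDir")   # plain-text value names from the same routine


def decode_all(encoded=ENCODED):
    """Decode each literal; all four are plain ASCII."""
    return [base64.b64decode(s).decode("ascii") for s in encoded]


def classify(decoded):
    """Split decoded strings into HKLM registry key paths and file names."""
    keys = [d for d in decoded if d.upper().startswith("SOFTWARE\\")]
    files = [d for d in decoded if d not in keys]
    return keys, files


def av_present(reg_snapshot):
    """
    reg_snapshot: {lower-cased key path under HKLM: {value name: data}} (constructed).
    Opens each vendor key and reads InstallPath or RootDir, the lookup the
    strings imply. Returns {key: install directory} for products that are present.
    """
    keys, _ = classify(decode_all())
    found = {}
    for key in keys:
        vals = reg_snapshot.get(key.lower(), {})
        for vn in VALUE_NAMES:               # assumption: either value name may be used
            if vn in vals:
                found[key] = vals[vn]
                break
    return found


# Constructed snapshot: a host with AhnLab V3 Lite installed and no ALYac.
SAMPLE_REG = {
    "software\\ahnlab\\v3lite": {"InstallPath": r"C:\Program Files\AhnLab\V3Lite"},
}

if __name__ == "__main__":
    for plain in decode_all():
        print(plain)
    print(av_present(SAMPLE_REG))
```

For hunting, the encoded forms are the better indicators: the base64 of a vendor registry path is far less likely to appear in benign code than the decoded path itself, so a YARA rule on the four literals above is more specific than one on the product names.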
                                      APIs
                                      • memset.MSVCRT ref: 10009AC7
                                      • wsprintfA.USER32 ref: 10009ADF
                                      • 6CB72DD0.MFC42(0007D000), ref: 10009AED
                                      • memset.MSVCRT ref: 10009B1B
                                        • Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B
                                      • ___crtGetTimeFormatEx.LIBCMTD ref: 10009B7E
                                      • GetLastError.KERNEL32 ref: 10009BA1
                                      Strings
                                      • http://%s.qzone.qq.com/main, xrefs: 10009AD3
                                      • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)), xrefs: 10009B35
                                      • title, xrefs: 10009D7E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$ErrorFormatInternetLastOpenTime___crtwsprintf
                                      • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))$http://%s.qzone.qq.com/main$title
                                      • API String ID: 1425117833-1009673476
                                      • Opcode ID: eb7ccd6424966163245f6a4910b4252bb0aa0d489a6889406ffc990a346c3163
                                      • Instruction ID: 75add62b751d2a89d33563ab18894b4b61e0b6b77b5213ad1a6e48b09e06675d
                                      • Opcode Fuzzy Hash: eb7ccd6424966163245f6a4910b4252bb0aa0d489a6889406ffc990a346c3163
                                      • Instruction Fuzzy Hash: 6DE106B4D04268EFEB24CB64CC85BEEB7B4EB59300F1041D9E609A7280DB716E85CF91
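This routine formats `http://%s.qzone.qq.com/main`, opens it through WinINet with a hard-coded User-Agent, and then references the string `title`. Fetching a public profile page and reading its title is the usual shape of a dead-drop resolver, where the operator publishes configuration (typically a C2 address) in a field they control; the listing does not show what the sample does with the title, so that reading is an inference. The Python below is an added example, not code from the report or the sample: it builds the URL, pulls the `<title>` out of a constructed HTML response with the standard-library parser, and scans constructed proxy-log lines for the sample's User-Agent, which ends in a doubled `))` that no genuine IE7 string carries. The QQ numbers, title value and log lines are constructed.

```python
from html.parser import HTMLParser

URL_FMT = "http://%s.qzone.qq.com/main"
# Verbatim from the listing; note the trailing '))'.
MALWARE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
              ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
              "Media Center PC 6.0; .NET4.0C))")


def build_url(qq_number):
    """Assumption: the %s is a numeric QQ account, which is how Qzone profile hosts are named."""
    if not qq_number.isdigit():
        raise ValueError("QQ numbers are numeric")
    return URL_FMT % qq_number


class _TitleParser(HTMLParser):
    """Collects the text of the first <title> element only."""
    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and self.title is None:
            self.in_title = True
            self.title = ""

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def extract_title(html):
    """Return the stripped <title> text, or None when the page has no title."""
    p = _TitleParser()
    p.feed(html)
    p.close()
    return p.title.strip() if p.title is not None else None


def ua_matches_sample(ua):
    """Exact match: the doubled ')' makes the string safe to match whole."""
    return ua == MALWARE_UA


def hunt_proxy_log(lines):
    """Constructed proxy log, tab-separated 'client\\thost\\tuser-agent'. Returns (client, host) hits."""
    hits = []
    for ln in lines:
        client, host, ua = ln.rstrip("\n").split("\t", 2)
        if host.endswith(".qzone.qq.com") and ua_matches_sample(ua):
            hits.append((client, host))
    return hits


# Constructed inputs (not from the report).
SAMPLE_HTML = ('<html><head><meta charset="utf-8"><title> constructed-config-value </title>'
               '</head><body>profile</body></html>')
SAMPLE_PROXY_LOG = [
    "10.0.0.5\t123456789.qzone.qq.com\t" + MALWARE_UA,
    "10.0.0.7\twww.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "10.0.0.9\t987654321.qzone.qq.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    print(build_url("123456789"))
    print(extract_title(SAMPLE_HTML))
    print(hunt_proxy_log(SAMPLE_PROXY_LOG))
```

Blocking `qzone.qq.com` outright is rarely an option where the service is legitimately used, so the practical detection is the pairing: a request to a `*.qzone.qq.com` host from a process such as `rundll32.exe` or `svchost.exe` carrying this exact User-Agent.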
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlen
                                      • String ID: .txt
                                      • API String ID: 39653677-2195685702
                                      • Opcode ID: c50e63abc1ed21ce169ad536dfc37e2def676ba547544a4074c9d87b2f1db99d
                                      • Instruction ID: da2023ba958a437e8159f0edfaac4ee8086fbd0d10ec377c4abfad880adb4c2a
                                      • Opcode Fuzzy Hash: c50e63abc1ed21ce169ad536dfc37e2def676ba547544a4074c9d87b2f1db99d
                                      • Instruction Fuzzy Hash: AD71B3B5C04218EBDB25EFA0DC85BEEB7B8FB18341F408599F91996144E735AB84CF60
                                      APIs
                                      • 6CB72DD0.MFC42(00000004,?,?,?,?,?,?,?,?,?,?,?,?,1002AF1C,1000850C,?), ref: 10007E36
                                      • 6CB72DD0.MFC42(00000000), ref: 10007E5A
                                      • 6CB72DD0.MFC42(00000000), ref: 10007E8B
                                      • strrchr.MSVCRT ref: 10007EA5
                                      • strncpy.MSVCRT ref: 10007EBF
                                      • strncpy.MSVCRT ref: 10007ED3
                                      • GetSystemInfo.KERNEL32(1002AEEC), ref: 10007EE0
                                      • GetCurrentProcess.KERNEL32(00000020,XGhvc3RzLmljcw==), ref: 10007EFE
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,1002AEE4), ref: 10007F16
                                      • AdjustTokenPrivileges.ADVAPI32(76684758,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
                                      • CloseHandle.KERNEL32(76684758), ref: 10007F50
                                      • strlen.MSVCRT ref: 10007F5B
                                      • sscanf.MSVCRT ref: 10007F7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
                                      • String ID: %[^$C:\Users\user\Desktop$SeDebugPrivilege$XGhvc3RzLmljcw==$etc\hosts
                                      • API String ID: 285331769-458102315
                                      • Opcode ID: 287b0fb3bef6307d023093b803194b5ad108c20d71a950418e2c80ed23f0cce9
                                      • Instruction ID: 328226fcebd27085c81d03e9fdf447683c520cb5a300c2c2c943bb7813867aca
                                      • Opcode Fuzzy Hash: 287b0fb3bef6307d023093b803194b5ad108c20d71a950418e2c80ed23f0cce9
                                      • Instruction Fuzzy Hash: ED4118B5900628AFE704DFD4DDC9F9A7BB4FB48304F244119EA04A7290E7B5B586CF91
                                      APIs
                                      • memset.MSVCRT ref: 10008CA2
                                      • GetVersionExA.KERNEL32(0000009C), ref: 10008CBB
                                      • _mbscpy.MSVCRT(00000000,1002A5F8), ref: 10008CDD
                                      • _mbscpy.MSVCRT(00000000,2000), ref: 10008D0A
                                      • _mbscpy.MSVCRT(00000000,1002A604), ref: 10008D37
                                      • _mbscpy.MSVCRT(00000000,2003), ref: 10008D64
                                      • _mbscpy.MSVCRT(00000000,Vista), ref: 10008D91
                                      • _mbscpy.MSVCRT(00000000,2008), ref: 10008DBE
                                      • _mbscpy.MSVCRT(00000000,1002A620), ref: 10008DEB
                                      • sprintf.MSVCRT ref: 10008E0F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscpy$Versionmemsetsprintf
                                      • String ID: 2000$2003$2008$Vista$Win %s SP%d
                                      • API String ID: 3885147864-2264339393
                                      • Opcode ID: b0dda3c9e9704149881d6b70f2d4795d212c9c5038a049737117f2f39d285b42
                                      • Instruction ID: 77eacedbfa7f7fe8781faf61d33db6b13d9c70aa213e0c00e07d5b6916aea476
                                      • Opcode Fuzzy Hash: b0dda3c9e9704149881d6b70f2d4795d212c9c5038a049737117f2f39d285b42
                                      • Instruction Fuzzy Hash: 5F414CB5C00259EBEF24CB50EC4ABCDB7B4FB25345F4085EAE28862185DB755BC88F91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlen
                                      • String ID:
                                      • API String ID: 39653677-0
                                      • Opcode ID: 977d6aa2a66cf02e5eb0b43c96ef48471811bab0f4bc719f0e4928a6bb009116
                                      • Instruction ID: 926a6b6b4829fdad5a48eee5d06f223062afaab11e92024be4e075249e096e26
                                      • Opcode Fuzzy Hash: 977d6aa2a66cf02e5eb0b43c96ef48471811bab0f4bc719f0e4928a6bb009116
                                      • Instruction Fuzzy Hash: B5619EB2C00298ABEB24CFA0DC85BEEB7B8FB04341F108599F519A2154D7359F84CFA0
                                      APIs
                                      • memcpy.MSVCRT(?,?,0000012C), ref: 100186C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: /../$/..\$\../$\..\
                                      • API String ID: 3510742995-3885502717
                                      • Opcode ID: 8ca54e9e268d5d0a5d30a8b15a7a10c3931bc0e57381aad834b00bc6333cea2b
                                      • Instruction ID: 9a1aa32fb16f76f9e15c91fcc0f4f4f6e0de75efd59efe9036ad9dbbfd9191c7
                                      • Opcode Fuzzy Hash: 8ca54e9e268d5d0a5d30a8b15a7a10c3931bc0e57381aad834b00bc6333cea2b
                                      • Instruction Fuzzy Hash: 84521C74E042199FDB29CF68C895BDDB7B1FF49304F2481A9E959AB342D731AA81CF40
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AAD3
                                      • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 1000AAF3
                                      • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AB1E
                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000AB2C
                                      • GetLastError.KERNEL32 ref: 1000AB36
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB4C
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB56
                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1000AB6B
                                      • Sleep.KERNEL32(00000064), ref: 1000AB7D
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB8D
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB97
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigErrorLastManagerQuerySleepStartStatus
                                      • String ID:
                                      • API String ID: 3874167810-0
                                      • Opcode ID: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
                                      • Instruction ID: f423053ba5e51ed5b3dfd7871e9b23df293113642488d2f777d942f78633b468
                                      • Opcode Fuzzy Hash: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
                                      • Instruction Fuzzy Hash: 56214A78A00218FBFB10DBE4CCC8F9D77BAEB09761F200345EA05A6186C7749A81DB24
                                      APIs
                                      • _mbscpy.MSVCRT(00000000,?,?), ref: 10006DFE
                                      • _mbscat.MSVCRT ref: 10006E12
                                      • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?), ref: 10006E28
                                      • wsprintfA.USER32 ref: 10006E79
                                      • strlen.MSVCRT ref: 10006E86
                                      • FindNextFileA.KERNEL32(000000FF,?), ref: 10006F72
                                      • FindClose.KERNEL32(000000FF,?,?,?,?), ref: 10006F87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext_mbscat_mbscpystrlenwsprintf
                                      • String ID: %s\%s$\*.*
                                      • API String ID: 1837839071-3247893053
                                      • Opcode ID: e5535df46834fc9ddb26b1ccfc2d17500088a23ab9259e3a8e010982974df7e8
                                      • Instruction ID: 2440652bd15ff8e6eaa9a308958dcc277bfe13f4e468759e469709181464b455
                                      • Opcode Fuzzy Hash: e5535df46834fc9ddb26b1ccfc2d17500088a23ab9259e3a8e010982974df7e8
                                      • Instruction Fuzzy Hash: 9E51AAF6900258ABDB14CB94DC84BEE73B9EB58301F1045E9F609A7245DB35AB88CF54
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext_mbscat_mbscpystrlenwsprintf
                                      • String ID: %s\%s$\*.*
                                      • API String ID: 1837839071-3247893053
                                      • Opcode ID: c99d676474442853c0752dee0b8013e09eef1df9e24bfb4125041fcdc24b46ce
                                      • Instruction ID: b1425089a467f23f8ccf7f8da9b04ec626d8d48fdd8cc5af3b7584fd2f615a50
                                      • Opcode Fuzzy Hash: c99d676474442853c0752dee0b8013e09eef1df9e24bfb4125041fcdc24b46ce
                                      • Instruction Fuzzy Hash: 0A41A9F6900118ABDB14CB94DC80BDE77B9EB58301F2485E9F60997245EB35AB88CF50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memsetstrlen
                                      • String ID: Applications\iexplore.exe\shell\open\command$D$wINsTA0\dEFauLT
                                      • API String ID: 841943882-2639649127
                                      • Opcode ID: 9ea0d28496458144b4e3b0da579f1ae704baac2cc19045301615b11dfb097a25
                                      • Instruction ID: 9d13b316d50dd73b30fc64fb160f47868d1605c9bd796a93d971f2c642a19c96
                                      • Opcode Fuzzy Hash: 9ea0d28496458144b4e3b0da579f1ae704baac2cc19045301615b11dfb097a25
                                      • Instruction Fuzzy Hash: 54415DB190025CABEB50CF50CC56BEB73B8EB45341F404588E60967281EBB66B89CF91
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
                                      • RtlAllocateHeap.NTDLL(00000000), ref: 10005F56
                                      • NtQuerySystemInformation.NTDLL(?,00000000,00008000,?), ref: 10005F79
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 10005F91
                                      • HeapFree.KERNEL32(00000000), ref: 10005F98
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocateFreeInformationQuerySystem
                                      • String ID:
                                      • API String ID: 4073547687-0
                                      • Opcode ID: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
                                      • Instruction ID: 6c64949c2fda0a623aee8140e43d1c032e6d4005dbe1664f83852c3263ea8444
                                      • Opcode Fuzzy Hash: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
                                      • Instruction Fuzzy Hash: 6B110675D04219FFEB00DBE4C948BAEB7B8FB58342F108968EA1693250D7799A81CB50
                                      APIs
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,?,?,?,?,?,1001FCA6), ref: 1001F3BB
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 1001F40D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
                                      • Instruction ID: 48a290c9093e3f11dd492f44913f2ca40d6bf3ce9a607d2c265816181fa2b1c7
                                      • Opcode Fuzzy Hash: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
                                      • Instruction Fuzzy Hash: 4E5194759002099FDB14CFA8C494BDEBBB5BB48304F24C259E825AB391D775E945CFA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Code too clever$insufficient lookahead$no future$wild scan
                                      • API String ID: 0-1205821253
                                      • Opcode ID: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
                                      • Instruction ID: 833f2951eaadcd835606261b93df60c7d4ef739d43d3d893d275862163d02827
                                      • Opcode Fuzzy Hash: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
                                      • Instruction Fuzzy Hash: F7D10B74E0414A9FCB08CFA8C8949EEBBF2FF89348F1481A8D459AB345D735AA41CF44
                                      Strings
                                      • invalid literal/length code, xrefs: 1001572A
                                      • invalid distance code, xrefs: 1001554C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: invalid distance code$invalid literal/length code
                                      • API String ID: 0-1393003055
                                      Strings
                                      • invalid literal/length code, xrefs: 10012626
                                      • invalid distance code, xrefs: 100128F2
                                      Similarity
                                      • API ID:
                                      • String ID: invalid distance code$invalid literal/length code
                                      • API String ID: 0-1393003055
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: K
                                      • API String ID: 0-856455061
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: K
                                      • API String ID: 0-856455061
                                      APIs
                                      • CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004833
                                      Similarity
                                      • API ID: CreateProcessUser
                                      • String ID:
                                      • API String ID: 2217836671-0
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004954
                                      Similarity
                                      • API ID: AllocateInitialize
                                      • String ID:
                                      • API String ID: 220217950-0
                                      APIs
                                      • NtQueryInformationFile.NTDLL ref: 10005FFD
                                      Similarity
                                      • API ID: FileInformationQuery
                                      • String ID:
                                      • API String ID: 365787318-0
                                      APIs
                                      • CoCreateInstance.COMBASE(00000000,10024578,1000FC00,1002B6A0,00000017), ref: 100114CC
                                      Similarity
                                      • API ID: CreateInstance
                                      • String ID:
                                      • API String ID: 542301482-0
                                      APIs
                                      • mouse_event.USER32(?,?,?,?,?), ref: 10004E36
                                      Similarity
                                      • API ID: mouse_event
                                      • String ID:
                                      • API String ID: 2434400541-0
                                      APIs
                                      • keybd_event.USER32(?,?,?,?), ref: 10004E17
                                      Similarity
                                      • API ID: keybd_event
                                      • String ID:
                                      • API String ID: 2665452162-0
                                      APIs
                                      • ExitWindowsEx.USER32(?,?), ref: 10005243
                                      Similarity
                                      • API ID: ExitWindows
                                      • String ID:
                                      • API String ID: 1089080001-0
                                      APIs
                                      • GetLogicalDriveStringsA.KERNEL32(?,?), ref: 100057F7
                                      Similarity
                                      • API ID: DriveLogicalStrings
                                      • String ID:
                                      • API String ID: 2022863570-0
                                      APIs
                                      • FindFirstFileA.KERNEL32(?,?), ref: 100058B7
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      APIs
                                      • ClearEventLogA.ADVAPI32(?,?), ref: 10005BEA
                                      Similarity
                                      • API ID: ClearEvent
                                      • String ID:
                                      • API String ID: 3812438431-0
                                      APIs
                                      • SetClipboardData.USER32(?,?), ref: 10004E99
                                      Similarity
                                      • API ID: ClipboardData
                                      • String ID:
                                      • API String ID: 2952336681-0
                                      APIs
                                      Similarity
                                      • API ID: LockResource
                                      • String ID:
                                      • API String ID: 1236514755-0
                                      • Opcode ID: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
                                      • Instruction ID: 29e56bc91a9f9482983e27dc0ed5834eb45bd4535224dddbaac4bf5a93215658
                                      • Opcode Fuzzy Hash: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
                                      • Instruction Fuzzy Hash: EBB0123100030C97CA009BD8DC4CC95379C96089007100000F50C83500C634F4004690
                                      APIs
                                      Similarity
                                      • API ID: ClipboardOpen
                                      • String ID:
                                      • API String ID: 2793039342-0
                                      • Opcode ID: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
                                      • Instruction ID: 7efb55d811d09cfa6076e2c53c0765dc55be4d0596901329b8c6f4113f5758ef
                                      • Opcode Fuzzy Hash: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
                                      • Instruction Fuzzy Hash: 75B0123140030C9BCB006BD8D848C8537DCA6085007404000F50C83500CB30F40046D4
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 10005591
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
                                      • Instruction ID: 3446f4351d0fb0315f265c1257496f9b218a963c1e1e8a386bbfb0b0138b3b89
                                      • Opcode Fuzzy Hash: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
                                      • Instruction Fuzzy Hash: EEB0123100030C97DA005BD8D848C8577DC96086047008001F60CC3101CA30F8014690
                                      APIs
                                      • GetAsyncKeyState.USER32(?), ref: 1000478F
                                      Similarity
                                      • API ID: AsyncState
                                      • String ID:
                                      • API String ID: 425341421-0
                                      • Opcode ID: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
                                      • Instruction ID: 941f2af9b74db5ebe652a3bc5d90ee6d32c6752af74bb884e1b1cde712639612
                                      • Opcode Fuzzy Hash: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
                                      • Instruction Fuzzy Hash: 80B0123100030C97CF005FE8D84CC85379CA6085007100500F50C83100C630F40046D0
                                      APIs
                                      • DeleteService.ADVAPI32(?), ref: 100059A7
                                      Similarity
                                      • API ID: DeleteService
                                      • String ID:
                                      • API String ID: 700001626-0
                                      • Opcode ID: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
                                      • Instruction ID: f211721f13ae4b958aaaf00c1e1ea3e1c88187a953ac96f05739ed6fd255fc66
                                      • Opcode Fuzzy Hash: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
                                      • Instruction Fuzzy Hash: 37B0123100030C97CA005BD8D848C8537DC96485407048010F50C83100CA70F40146A1
                                      APIs
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
                                      • Instruction ID: 3baf6831cd208484881523ebff87dae9b7360ad4edd65dec015b26fc2e4f2711
                                      • Opcode Fuzzy Hash: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
                                      • Instruction Fuzzy Hash: 86B0127100030CA7CB009BD8E84CC85379CB6086047000001F50C83100C730F84046D0
                                      APIs
                                      • GetClipboardData.USER32(?), ref: 10004F53
                                      Similarity
                                      • API ID: ClipboardData
                                      • String ID:
                                      • API String ID: 2952336681-0
                                      • Opcode ID: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
                                      • Instruction ID: 954e834f1d5633d9c78c7ea24322f83793bd12d053b1b78d752a87b4747b0001
                                      • Opcode Fuzzy Hash: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
                                      • Instruction Fuzzy Hash: 06B0123100030C97CB00DBD8D849C85379CA608544B040400F50D93500C670F40046D1
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: K
                                      • API String ID: 0-856455061
                                      • Opcode ID: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
                                      • Instruction ID: 4821ffda97bad3917eb01a0464c429c8a6cf820fb574935c82d8a63edae2efce
                                      • Opcode Fuzzy Hash: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
                                      • Instruction Fuzzy Hash: 25715D31900249AFDB04CF98DC95FEE7B75FF88300F088568FA199B281D675D668CBA5
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: bad d_code
                                      • API String ID: 0-2582332627
                                      • Opcode ID: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
                                      • Instruction ID: 2f6b2f45191638f2ae3ba07ee8899200e8ad8888839ee98c0dc0e920f83f02b8
                                      • Opcode Fuzzy Hash: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
                                      • Instruction Fuzzy Hash: 9B71CE75E00549DBCB04CF99C895AEEBBB2FF8C304F148168E909AB345D735AA91CB94
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
                                      • Instruction ID: 34f3d6fbe751ec779d85210cdb32b2997779c4aff4a46c926cb419fb41892b26
                                      • Opcode Fuzzy Hash: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
                                      • Instruction Fuzzy Hash: 06A15F74E05148EFCB08CF99C590A9DFBF2EF88304F28C1A9E859AB355D631AB51DB44
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
                                      • Instruction ID: 9283f13a6b71ff4d28867ba0371fcc3830cb864e567d112fffee3ea95ca30d3f
                                      • Opcode Fuzzy Hash: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
                                      • Instruction Fuzzy Hash: 8261F230614549ABDB08CF2DC8916A97BE2EF8D358F55C128E829CF250D739EA91CF80
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
                                      • Instruction ID: 3e186bd40632953d342a1ca4b5c669cc8258e70e124af2b7e38ac243e047a4b5
                                      • Opcode Fuzzy Hash: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
                                      • Instruction Fuzzy Hash: 35610331610549AFDB08CF2DC891AA97BE2FF8D354F55C128E929CF350D639EA81CB40
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
                                      • Instruction ID: b646244c15df26bb11706b77c13e2002d061b3e9df5792a36ac078930f46edd7
                                      • Opcode Fuzzy Hash: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
                                      • Instruction Fuzzy Hash: FB51EF38A04149ABCB15CF58C4908EDB7F2FF8C354F25C199E9599B345C630AA92CB80
                                      APIs
                                      • memset.MSVCRT ref: 1000DE30
                                      • memset.MSVCRT ref: 1000DE46
                                      • memset.MSVCRT ref: 1000DE5C
                                        • Part of subcall function 10005B51: RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68
                                      Strings
                                      Similarity
                                      • API ID: memset$Open
                                      • String ID: $JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
                                      • API String ID: 276825008-1418283934
                                      • Opcode ID: e69c9a474d398a8b05f591ddfb3d6d06423474bb97eaa632e0af6825814c9152
                                      • Instruction ID: 113f87ce97fe6d344733f2fe9a47c20ccde4d7fba6159d7e819c2bc1bb10b482
                                      • Opcode Fuzzy Hash: e69c9a474d398a8b05f591ddfb3d6d06423474bb97eaa632e0af6825814c9152
                                      • Instruction Fuzzy Hash: C5E153B6D002589BEB14DF90DC85FDE77B8EB48340F404199F609B6284E775AE988FA1
                                      APIs
                                      • memset.MSVCRT ref: 1000797B
                                      • CoInitializeEx.COMBASE(00000000,00000000), ref: 10007987
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
                                      • CoCreateInstance.COMBASE(100246B0,00000000,00000001,100245E0,00000000), ref: 100079BE
                                        • Part of subcall function 10010360: 6CB72DD0.MFC42(0000000C), ref: 10010380
                                      • CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
                                      • wcscat.MSVCRT ref: 10007A97
                                        • Part of subcall function 100102D0: 6CB72DD0.MFC42(0000000C,00000000,1002AF20), ref: 100102F0
                                      • VariantInit.OLEAUT32(1002AF10), ref: 10007BAD
                                      • VariantInit.OLEAUT32(c:\1.txt), ref: 10007BB7
                                      • VariantInit.OLEAUT32(1002A718), ref: 10007BC4
                                      • _mbscpy.MSVCRT(00000000,00000000,FADB9516), ref: 10007CA5
                                      • _strcmpi.MSVCRT ref: 10007CCB
                                      • _mbscpy.MSVCRT(00000000,00000000,00000000), ref: 10007D31
                                      • StrStrIA.SHLWAPI(100286FC,svchost.exe -k NetworkService), ref: 10007D57
                                      • VariantClear.OLEAUT32(1002AF10), ref: 10007D76
                                      • VariantClear.OLEAUT32(c:\1.txt), ref: 10007D80
                                      • CoUninitialize.COMBASE ref: 10007DC2
                                      Strings
                                      Similarity
                                      • API ID: Variant$Init$ClearInitialize_mbscpy$BlanketCreateInstanceProxySecurityUninitialize_strcmpimemsetwcscat
                                      • String ID: 5r455f$CommandLine$Name$ProcessID$SELECT * FROM $WQL$c:\1.txt$cheEntryInfoA$http$svchost.exe$svchost.exe -k NetworkService
                                      • API String ID: 56062499-2074608166
                                      • Opcode ID: aaf45c52288c47e4c4ac5a154b3a7f6ce62af5da4cf99c67da78fd531393a822
                                      • Instruction ID: 189a79c95d12f2324ed77b7531e52b51722813dc0f720325a82f4d3d448fa42a
                                      • Opcode Fuzzy Hash: aaf45c52288c47e4c4ac5a154b3a7f6ce62af5da4cf99c67da78fd531393a822
                                      • Instruction Fuzzy Hash: D7D11879A01228ABDB24DB64CC89BDDB7F4FB48700F1081D9E119A7290DF75AB85CF90
                                      APIs
                                      • memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
                                      • wsprintfA.USER32 ref: 1000810B
                                        • Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049
                                      • wsprintfA.USER32 ref: 1000817F
                                      • wsprintfA.USER32 ref: 1000819E
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0
                                        • Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                        • Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
                                        • Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                        • Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
                                      • time.MSVCRT(00000000), ref: 10008208
                                      • srand.MSVCRT ref: 10008212
                                      • rand.MSVCRT ref: 1000821B
                                      • rand.MSVCRT ref: 1000822D
                                      • rand.MSVCRT ref: 1000823F
                                      • rand.MSVCRT ref: 10008251
                                      • rand.MSVCRT ref: 10008263
                                      • rand.MSVCRT ref: 10008275
                                      • wsprintfA.USER32 ref: 10008293
                                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
                                      • CloseHandle.KERNEL32(?), ref: 100082C5
                                      • Sleep.KERNEL32(000003E8), ref: 100082D0
                                      • DeleteFileA.KERNEL32(?), ref: 100082DD
                                      • memcmp.MSVCRT(00000000,00000000,-00000002), ref: 1000834E
                                      Strings
                                      • c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
                                      • c:\windows\system32\drivers\%s\%s, xrefs: 10008192
                                      • %s\%s, xrefs: 100080FF
                                      • c:\windows\system32\drivers\%s, xrefs: 10008173
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: rand$File_mbscatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryProcessSleep_mbscpysrandstrlentime
                                      • String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
                                      • API String ID: 3843169200-1917988604
                                      • Opcode ID: 1491cef888996cd526795351f172c59571ecb1c96255f6ff221f3e58b708ccc6
                                      • Instruction ID: 1fc89b949b869141e7d21f023f72e52535fd7918e05709aa5f44e13cd79eb387
                                      • Opcode Fuzzy Hash: 1491cef888996cd526795351f172c59571ecb1c96255f6ff221f3e58b708ccc6
                                      • Instruction Fuzzy Hash: 8B81A370900218FFEB14CBA8CC85FD9777AFB88304F1485A8E609A7255DB75AB85CF51
                                      APIs
                                      • memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
                                      • wsprintfA.USER32 ref: 1000810B
                                        • Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049
                                      • wsprintfA.USER32 ref: 1000817F
                                      • wsprintfA.USER32 ref: 1000819E
                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0
                                        • Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                        • Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
                                        • Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                        • Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
                                      • time.MSVCRT(00000000), ref: 10008208
                                      • srand.MSVCRT ref: 10008212
                                      • rand.MSVCRT ref: 1000821B
                                      • rand.MSVCRT ref: 1000822D
                                      • rand.MSVCRT ref: 1000823F
                                      • rand.MSVCRT ref: 10008251
                                      • rand.MSVCRT ref: 10008263
                                      • rand.MSVCRT ref: 10008275
                                      • wsprintfA.USER32 ref: 10008293
                                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
                                      • CloseHandle.KERNEL32(?), ref: 100082C5
                                      • Sleep.KERNEL32(000003E8), ref: 100082D0
                                      • DeleteFileA.KERNEL32(?), ref: 100082DD
                                      Strings
                                      • c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
                                      • c:\windows\system32\drivers\%s\%s, xrefs: 10008192
                                      • %s\%s, xrefs: 100080FF
                                      • c:\windows\system32\drivers\%s, xrefs: 10008173
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: rand$File_mbscatwsprintf$Create$CloseHandleWritestrchr$DeleteDirectoryMemoryProcessSleep_mbscpymemcmpsrandstrlentime
                                      • String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
                                      • API String ID: 2821110951-1917988604
                                      • Opcode ID: b3a0a7c7159a84962405ee64190d82e482e6a88e6c63d58b1461d50fb48282a3
                                      • Instruction ID: 9b1f3f05a2db119796ee803a315ca48c205a346098eddc4b2f03f44ea683e2e5
                                      • Opcode Fuzzy Hash: b3a0a7c7159a84962405ee64190d82e482e6a88e6c63d58b1461d50fb48282a3
                                      • Instruction Fuzzy Hash: 9C51C370900218BFEB14CBA4CC89FD9777AFB88305F1484A8F309A6291DF796B498F51
                                      APIs
                                      Strings
                                      • Caller: additions to the zip have already been ended, xrefs: 10019A81
                                      • Zip-bug: tried to change mind, but not allowed, xrefs: 10019AAE
                                      • File not found in the zipfile, xrefs: 10019A21
                                      • Correct password required, xrefs: 10019A4B
                                      • Caller: mixing creation and opening of zip, xrefs: 10019A8A
                                      • Success, xrefs: 100199E5
                                      • Still more data to unzip, xrefs: 10019A2D
                                      • Couldn't create/open file, xrefs: 100199FD
                                      • Zipfile is corrupt or not a zipfile, xrefs: 10019A39
                                      • Zip-bug: the anticipated size turned out wrong, xrefs: 10019AA5
                                      • Caller: the file had already been partially unzipped, xrefs: 10019A5D
                                      • Caller: not enough space allocated for memory zipfile, xrefs: 10019A6F
                                      • unknown zip result code, xrefs: 10019852
                                      • Caller: faulty arguments, xrefs: 10019A54
                                      • Caller: can only get memory of a memory zipfile, xrefs: 10019A66
                                      • Caller: there was a previous error, xrefs: 10019A78
                                      • Failed to allocate memory, xrefs: 10019A09
                                      • Error reading file, xrefs: 10019A42
                                      • Zip-bug: internal initialisation not completed, xrefs: 10019A93
                                      • Zip-bug: trying to seek the unseekable, xrefs: 10019A9C
                                      • Error writing to file, xrefs: 10019A15
                                      • Zip-bug: an internal error during flation, xrefs: 10019AB7
                                      • Culdn't duplicate handle, xrefs: 100199F1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlen
                                      • String ID: Caller: additions to the zip have already been ended$Caller: can only get memory of a memory zipfile$Caller: faulty arguments$Caller: mixing creation and opening of zip$Caller: not enough space allocated for memory zipfile$Caller: the file had already been partially unzipped$Caller: there was a previous error$Correct password required$Couldn't create/open file$Culdn't duplicate handle$Error reading file$Error writing to file$Failed to allocate memory$File not found in the zipfile$Still more data to unzip$Success$Zip-bug: an internal error during flation$Zip-bug: internal initialisation not completed$Zip-bug: the anticipated size turned out wrong$Zip-bug: tried to change mind, but not allowed$Zip-bug: trying to seek the unseekable$Zipfile is corrupt or not a zipfile$unknown zip result code
                                      • API String ID: 39653677-623105054
                                      • Opcode ID: 758aca4aa3c28b89c750bf8aad23f8a2e8376273e6f5f691afde7864671419ce
                                      • Instruction ID: a83791a1f2fbf65fc3504aa118a75d67dc6fc6344bb7a2db01cb83caf290f6f2
                                      • Opcode Fuzzy Hash: 758aca4aa3c28b89c750bf8aad23f8a2e8376273e6f5f691afde7864671419ce
                                      • Instruction Fuzzy Hash: 41617770D08659DBDB61CF84D4443EEBAB0FF00345FE0869A99262E254D7B5A6C8DBC3
                                      APIs
                                      Strings
                                      • Caller: not enough space allocated for memory zipfile, xrefs: 10020A26
                                      • Caller: there was a previous error, xrefs: 10020A2F
                                      • Zipfile is corrupt or not a zipfile, xrefs: 100209F9
                                      • unknown zip result code, xrefs: 10020822
                                      • Zip-bug: trying to seek the unseekable, xrefs: 10020A53
                                      • Culdn't duplicate handle, xrefs: 100209B4
                                      • Zip-bug: the anticipated size turned out wrong, xrefs: 10020A5C
                                      • Zip-bug: internal initialisation not completed, xrefs: 10020A4A
                                      • Caller: the file had already been partially unzipped, xrefs: 10020A14
                                      • Still more data to unzip, xrefs: 100209F0
                                      • Zip-bug: an internal error during flation, xrefs: 10020A6E
                                      • Caller: can only get memory of a memory zipfile, xrefs: 10020A1D
                                      • Success, xrefs: 100209A8
                                      • Zip-bug: tried to change mind, but not allowed, xrefs: 10020A65
                                      • Couldn't create/open file, xrefs: 100209C0
                                      • Error writing to file, xrefs: 100209D8
                                      • Caller: faulty arguments, xrefs: 10020A0B
                                      • File not found in the zipfile, xrefs: 100209E4
                                      • Caller: mixing creation and opening of zip, xrefs: 10020A41
                                      • Error reading file, xrefs: 10020A02
                                      • Caller: additions to the zip have already been ended, xrefs: 10020A38
                                      • Failed to allocate memory, xrefs: 100209CC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlenstrncpy
                                      • String ID: Caller: additions to the zip have already been ended$Caller: can only get memory of a memory zipfile$Caller: faulty arguments$Caller: mixing creation and opening of zip$Caller: not enough space allocated for memory zipfile$Caller: the file had already been partially unzipped$Caller: there was a previous error$Couldn't create/open file$Culdn't duplicate handle$Error reading file$Error writing to file$Failed to allocate memory$File not found in the zipfile$Still more data to unzip$Success$Zip-bug: an internal error during flation$Zip-bug: internal initialisation not completed$Zip-bug: the anticipated size turned out wrong$Zip-bug: tried to change mind, but not allowed$Zip-bug: trying to seek the unseekable$Zipfile is corrupt or not a zipfile$unknown zip result code
                                      • API String ID: 3366577668-1255542691
                                      • Opcode ID: d8374c3ad5f4ebd14834886504741f0533b2edd860437b87c5c23429274d2f67
                                      • Instruction ID: ec3a13afa7cd80cc0a229431ce520e6303d2f69214dbb925724a83a4e5159c47
                                      • Opcode Fuzzy Hash: d8374c3ad5f4ebd14834886504741f0533b2edd860437b87c5c23429274d2f67
                                      • Instruction Fuzzy Hash: BE619B70D0435DEADF61CF90E4447AEB7B2FB04385FE0C65AA81226162C7F54A84DB83
                                      APIs
                                      • StrStrIA.SHLWAPI(?,cmd.exe), ref: 1000623D
                                      • GetCurrentProcessId.KERNEL32 ref: 1000625B
                                        • Part of subcall function 10005CE2: _mbscpy.MSVCRT(00000000,00000000), ref: 10005D1A
                                        • Part of subcall function 10005CE2: CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateCurrentFileProcess_mbscpy
                                      • String ID: %s.%d$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.vir$cmd.exe$cmd.exe$self
                                      • API String ID: 121295410-3617494418
                                      • Opcode ID: 91cf0a0ba8f98502c9d259689074db0627cca884428cf93000f2fd6a3497df10
                                      • Instruction ID: 11dda13007a575690e2789da7b2ac66cc1117108efdf45987319c1011c6ab237
                                      • Opcode Fuzzy Hash: 91cf0a0ba8f98502c9d259689074db0627cca884428cf93000f2fd6a3497df10
                                      • Instruction Fuzzy Hash: 9F21D275900214FBFB00EFF4DC8AF9A3769EF1A351F208054FB0996180DF7296A58BA1
                                      APIs
                                      • RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 1000A9C6
                                      • _CxxThrowException.MSVCRT(?,10024C88), ref: 1000A9EB
                                      • RegQueryValueExA.ADVAPI32(00000000,DLLPath,00000000,00000002,00000000,00000080), ref: 1000AA0A
                                      • _CxxThrowException.MSVCRT(1002E0FC,10024C88), ref: 1000AA2F
                                      • StrStrIA.SHLWAPI(00000000,mp3), ref: 1000AA40
                                      • lstrlen.KERNEL32(1000B2F9,00000000), ref: 1000AA50
                                      • RegCloseKey.ADVAPI32(00000000), ref: 1000AAAD
                                      Strings
                                      • net start RemoteAccess, xrefs: 1000AA8F
                                      • sc stop RemoteAccess, xrefs: 1000AA75
                                      • mp3, xrefs: 1000AA34
                                      • 3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6, xrefs: 1000A968
                                      • sc config RemoteAccess start= auto, xrefs: 1000AA82
                                      • DLLPath, xrefs: 1000AA5D
                                      • DLLPath, xrefs: 1000AA01
                                      • U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==, xrefs: 1000A982
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExceptionThrow$CloseOpenQueryValuelstrlen
                                      • String ID: 3EPT4X7UM2QL1D9VFA08OR5NWCIHZBKGSYZ6$DLLPath$DLLPath$U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==$mp3$net start RemoteAccess$sc config RemoteAccess start= auto$sc stop RemoteAccess
                                      • API String ID: 1704467221-3716379865
                                      • Opcode ID: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
                                      • Instruction ID: 43c9b28ce93485f090b6302de8d1e2f99a1725c96703827c3c982aa9faeb6eb3
                                      • Opcode Fuzzy Hash: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
                                      • Instruction Fuzzy Hash: BA418FB5900218BFEB10DFD4DD89FEEBB78EB49740F504158F205B6281DB785A85CBA1
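The function listings above for the hosts-file writer (the `c:\windows\system32\drivers\etc\...` format strings together with the pipe-delimited list of Korean banking and portal domains passed to `_mbscpy`) and for the RemoteAccess service tampering (the base64 registry path, the `DLLPath` value, and the `sc stop` / `sc config ... start= auto` / `net start RemoteAccess` commands) are the two host-side artifacts a responder would check first. The Python below is an added triage helper, not code from the report or from the sample: it decodes the two base64 strings exactly as they appear in the listings, scans a hosts-format file for entries that resolve any of the listed domains, and on Windows reads the live `DLLPath` under the decoded key. The hosts.ics content in the block is constructed for the example. Two assumptions are the author's, not the report's: the trailing `.ki` on most list entries is treated as a list marker rather than part of the hostname (so both forms are matched), and the stock value of `DLLPath` under `RouterManagers\Ip` is taken to be `iprtrmgr.dll`, which should be confirmed against a known-good host before acting on a hit.

```python
"""Triage helpers for the host artifacts listed in this report.

Added example, not code from the report or from the sample. Everything
marked 'assumption' is the author's guess, not something the report states.
"""
import base64
import ntpath
import sys

# Base64 strings copied verbatim from the function listings above
# (xrefs 1000A982 and 10007EFE).
B64_REG_SUBKEY = ("U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xS"
                  "b3V0ZXJNYW5hZ2Vyc1xJcA==")
B64_HOSTS_NAME = "XGhvc3RzLmljcw=="

# Pipe-delimited target list from the _mbscpy argument at 10007FBC. The report
# truncates it after "www.idk.c", so only the complete entries are kept here.
TARGET_LIST = ("www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|"
               "www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|"
               "www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|"
               "www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki")

# Assumption: stock Windows points RouterManagers\Ip at iprtrmgr.dll.
EXPECTED_DLL = "iprtrmgr.dll"


def decode_config(b64: str) -> str:
    """Decode one of the sample's base64 configuration strings."""
    return base64.b64decode(b64).decode("ascii")


def target_hostnames(target_list: str) -> set:
    """Expand the pipe-delimited list into a set of lower-case hostnames.

    Assumption: the trailing '.ki' on most entries is a list marker, not part
    of the hostname, so both the literal entry and the stripped form are kept.
    """
    names = set()
    for tok in target_list.split("|"):
        tok = tok.strip().lower()
        if not tok:
            continue
        names.add(tok)
        if tok.endswith(".ki"):
            names.add(tok[:-3])
    return names


def find_pharming_entries(hosts_text: str, targets: set) -> list:
    """Return (line_no, ip, hostname) for hosts-file lines that resolve a target.

    hosts and hosts.ics share the format '<ip> <name> [<name>...]' with '#'
    comments, so one parser serves both files under drivers\\etc.
    """
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if name.lower() in targets:
                hits.append((line_no, ip, name.lower()))
    return hits


def dllpath_looks_hijacked(dllpath: str) -> bool:
    """True when DLLPath names anything other than the expected router DLL."""
    return ntpath.basename(dllpath.strip().strip('"')).lower() != EXPECTED_DLL


def read_routermanagers_dllpath():
    """Read the live DLLPath value on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows only
    subkey = decode_config(B64_REG_SUBKEY)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        value, _ = winreg.QueryValueEx(key, "DLLPath")
    return value


# Constructed sample, not content captured from the sandbox run.
SAMPLE_HOSTS_ICS = """# constructed hosts.ics for the example
127.0.0.1 localhost
203.0.113.10 www.shinhan.com
203.0.113.10 www.kbstar.com
203.0.113.11 example.org
"""

if __name__ == "__main__":
    print("registry subkey:", decode_config(B64_REG_SUBKEY))
    print("hosts filename :", decode_config(B64_HOSTS_NAME))
    for line_no, ip, name in find_pharming_entries(SAMPLE_HOSTS_ICS,
                                                   target_hostnames(TARGET_LIST)):
        print(f"line {line_no}: {name} -> {ip}")
    live = read_routermanagers_dllpath()
    if live is not None:
        print("DLLPath:", live, "(suspicious)" if dllpath_looks_hijacked(live) else "")
```

Point `find_pharming_entries` at a collected `drivers\etc\hosts.ics` (the filename decoded from `XGhvc3RzLmljcw==`) as well as `hosts`; the listing also creates and deletes a random `%c%c%c.%c%c%c` file in that directory, which reads as a write-permission probe before the real write. Pair the hosts check with a look for `C:\Windows\6C4DA6FB\svchsot.exe` and `.vir` (note the transposed letters, distinct from `svchost.exe`) and for the RemoteAccess service start type, which the commands at 1000AA75 through 1000AA8F switch to auto.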
                                      APIs
                                        • Part of subcall function 10007DDE: 6CB72DD0.MFC42(00000004,?,?,?,?,?,?,?,?,?,?,?,?,1002AF1C,1000850C,?), ref: 10007E36
                                        • Part of subcall function 10007DDE: 6CB72DD0.MFC42(00000000), ref: 10007E5A
                                        • Part of subcall function 10007DDE: 6CB72DD0.MFC42(00000000), ref: 10007E8B
                                        • Part of subcall function 10007DDE: strrchr.MSVCRT ref: 10007EA5
                                        • Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007EBF
                                        • Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007ED3
                                        • Part of subcall function 10007DDE: GetSystemInfo.KERNEL32(1002AEEC), ref: 10007EE0
                                        • Part of subcall function 10007DDE: GetCurrentProcess.KERNEL32(00000020,XGhvc3RzLmljcw==), ref: 10007EFE
                                        • Part of subcall function 10007DDE: OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
                                        • Part of subcall function 10007DDE: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,1002AEE4), ref: 10007F16
                                        • Part of subcall function 10007DDE: AdjustTokenPrivileges.ADVAPI32(76684758,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
                                        • Part of subcall function 10007DDE: CloseHandle.KERNEL32(76684758), ref: 10007F50
                                        • Part of subcall function 10007DDE: strlen.MSVCRT ref: 10007F5B
                                        • Part of subcall function 10007DDE: sscanf.MSVCRT ref: 10007F7C
                                      • wsprintfA.USER32 ref: 1000853B
                                        • Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
                                        • Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
                                        • Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049
                                      • wsprintfA.USER32 ref: 100085AF
                                      • wsprintfA.USER32 ref: 100085CE
                                      • CreateDirectoryA.KERNEL32(%s|%s,00000000), ref: 100085E0
                                        • Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                        • Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
                                        • Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                        • Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                        • Part of subcall function 1000793B: memset.MSVCRT ref: 1000797B
                                        • Part of subcall function 1000793B: CoInitializeEx.COMBASE(00000000,00000000), ref: 10007987
                                        • Part of subcall function 1000793B: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
                                        • Part of subcall function 1000793B: CoCreateInstance.COMBASE(100246B0,00000000,00000001,100245E0,00000000), ref: 100079BE
                                        • Part of subcall function 1000793B: CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
                                        • Part of subcall function 1000793B: wcscat.MSVCRT ref: 10007A97
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000863A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscat$CreateProcesswsprintf$CloseFileHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryInfoInstanceLookupPrivilegePrivilegesProxySecuritySystemValueWrite_mbscpymemsetsscanfstrrchrwcscat
                                      • String ID: %s\%s$%s|%s$65r455f$ROOT\CIMv2$Win32_process$ZU11dGV4$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                      • API String ID: 2046235666-808396485
                                      • Opcode ID: b96300de3a959b6f6867844c2c09bc134bfcc2d97d8e8c2f8824ba90d23407a5
                                      • Instruction ID: 0c0eef8aac9374081f6669d655c3be3116369b3939affcc587e91564fd5685db
                                      • Opcode Fuzzy Hash: b96300de3a959b6f6867844c2c09bc134bfcc2d97d8e8c2f8824ba90d23407a5
                                      • Instruction Fuzzy Hash: 6F41B771900A6CAFEB20CBA8CC89FDA77B5FB84304F1005E4E609B6245DB766BD58F45
                                      APIs
                                      • LoadLibraryA.KERNEL32(urlmon.dll), ref: 10009348
                                      • LoadLibraryA.KERNEL32(wininet.dll), ref: 10009359
                                      • GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 10009391
                                      • GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 100093A6
                                      • 6CB72DD0.MFC42(00000050), ref: 100093B4
                                      • _mbscat.MSVCRT ref: 1000941F
                                      • _mbscat.MSVCRT ref: 10009435
                                      • _mbscat.MSVCRT ref: 10009449
                                      • memset.MSVCRT ref: 10009459
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscat$AddressLibraryLoadProc$memset
                                      • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
                                      • API String ID: 2031231167-1569318151
                                      • Opcode ID: 56a1589901f8aabe118a646b912a3cdc0cf0df542718620ddd9976822323ba36
                                      • Instruction ID: 81b372d6bc21d2fef04a9a1ddd25012b240df206b743b4629fc927ee19ea9d3e
                                      • Opcode Fuzzy Hash: 56a1589901f8aabe118a646b912a3cdc0cf0df542718620ddd9976822323ba36
                                      • Instruction Fuzzy Hash: 2031C7B5D042586FEB10CBA0DC85FEFBB74EB18701F5004A5F709A6280DB756A84CF55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _strcmpi$strstr$strrchr
                                      • String ID: .aye$.dll$.exe$.sys$AYLaunch.exe$V3Lite.exe
                                      • API String ID: 4200840081-2419393344
                                      • Opcode ID: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
                                      • Instruction ID: 466c2cd852741ed10da6fcfff3d329652218b2498b962fc8da7131ac82429ea1
                                      • Opcode Fuzzy Hash: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
                                      • Instruction Fuzzy Hash: 4A1173B4900189F7EB10CBA4ED49AAE37A8EF043C6F544164FD05A6205E733EF24C7A1
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000D3E9
                                      • Process32First.KERNEL32(00000000,00000128), ref: 1000D410
                                      • lstrcmpiA.KERNEL32(?,ASDsvc.exe), ref: 1000D42A
                                      • lstrcmpiA.KERNEL32(?,V3Lite.exe), ref: 1000D440
                                      • DebugActiveProcess.KERNEL32(?), ref: 1000D451
                                      • GetLastError.KERNEL32 ref: 1000D45B
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 1000D486
                                      • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1000D494
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process32lstrcmpi$ActiveCloseCreateDebugErrorFirstHandleLastNextProcessSnapshotToolhelp32
                                      • String ID: ASDsvc.exe$Name:%s,Err:%d$V3Lite.exe$c:\11.txt
                                      • API String ID: 608465442-3371721576
                                      • Opcode ID: c18b3d23d155f9587325d57439c56cf246679df23ea64fe2c8240aed7f81cd06
                                      • Instruction ID: a3de1c484c0ff0f41d4c4eb311ab122c9ab8193aeb8075ee7d44cccd805fc309
                                      • Opcode Fuzzy Hash: c18b3d23d155f9587325d57439c56cf246679df23ea64fe2c8240aed7f81cd06
                                      • Instruction Fuzzy Hash: 30113D75D00218BBEB10EFA1CC85BDEB7B8EB48344F908999E215A2145D774AA85CF61
                                      APIs
                                      • 6CB72DD0.MFC42(00001218), ref: 1000BC80
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000BCA3
                                        • Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC
                                        • Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E
                                      • memset.MSVCRT ref: 1000BCE8
                                        • Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
                                        • Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
                                        • Part of subcall function 10009A63: 6CB72DD0.MFC42(0007D000), ref: 10009AED
                                        • Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B
                                      • Sleep.KERNEL32(0002BF20), ref: 1000BD0A
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BD30
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BD3F
                                      • CloseHandle.KERNEL32(?), ref: 1000BD49
                                      • Sleep.KERNEL32(001B7740), ref: 1000BD54
                                      • CloseHandle.KERNEL32(?), ref: 1000BD66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
                                      • String ID: 0x5d65r455f$2073372682
                                      • API String ID: 1532593739-3710683282
                                      • Opcode ID: 7d9646abece6b82209e7ef78c52bb4bb71e564df0c9c5c023be7e2423251d611
                                      • Instruction ID: ec3ba378adc137da86a7fa9cbe3624fdafc09a65b00566f21923adef7c9e2253
                                      • Opcode Fuzzy Hash: 7d9646abece6b82209e7ef78c52bb4bb71e564df0c9c5c023be7e2423251d611
                                      • Instruction Fuzzy Hash: 93218475A40214BBFB10DFE0CC8AFDD7774EB54741F2041A5F6099A2D5EB706A508B92
                                      APIs
                                        • Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE30
                                        • Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE46
                                        • Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE5C
                                      • wsprintfA.USER32 ref: 1000F97A
                                      • DeleteFileA.KERNEL32(00000000), ref: 1000F98A
                                      • memset.MSVCRT ref: 1000F99E
                                      • wsprintfA.USER32 ref: 1000F9B9
                                      • DeleteFileA.KERNEL32(00000000), ref: 1000F9C9
                                      • DeleteFileA.KERNEL32(C:\1.vbs), ref: 1000F9D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$DeleteFile$wsprintf
                                      • String ID: %s\ASDSvc.exe$%s\V3Lite.exe$C:\1.vbs$InstallPath$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==
                                      • API String ID: 1479746147-790033058
                                      • Opcode ID: 76510e5ad0f0a7d840a7ac59a9f66772fcdb44f7757913529646aec1d244dc55
                                      • Instruction ID: 3f8b95e0ea3bd24813ccbb7ad79f06d8baedde75e715387043a4284ac7343189
                                      • Opcode Fuzzy Hash: 76510e5ad0f0a7d840a7ac59a9f66772fcdb44f7757913529646aec1d244dc55
                                      • Instruction Fuzzy Hash: A311D6B5810618BBE710D7A4DC89FE6B378EB24300F4001D4F748A6181EBB126D88B91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %s%s$%s%s%s
                                      • API String ID: 0-1506711308
                                      • Opcode ID: 45fbbcafc04d3f2f4a753065e64132dbcea6940707117ead0aeb28bc355f3517
                                      • Instruction ID: 7f3d1bd727637aae945e036ecbbf7404439f41d044326d2380a7333964229f50
                                      • Opcode Fuzzy Hash: 45fbbcafc04d3f2f4a753065e64132dbcea6940707117ead0aeb28bc355f3517
                                      • Instruction Fuzzy Hash: 7B0215B4904228DBDB26CF54C984BA9B7B9EB49305F1482D9E81DAB291D730EFC5CF50
                                      APIs
                                      • GetFileInformationByHandle.KERNEL32(?,?), ref: 1001EAD1
                                      • GetFileSize.KERNEL32(?,00000000), ref: 1001EBA0
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1001EBBD
                                      • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1001EBD3
                                      • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1001EBE3
                                      • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1001EBF9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$PointerRead$HandleInformationSize
                                      • String ID: ($PE
                                      • API String ID: 2979504256-3347799738
                                      • Opcode ID: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
                                      • Instruction ID: a2f518cc74f5bf6d3c6c6775fd81b0518a7a4a596ada43fd48c2c3d5df82ea48
                                      • Opcode Fuzzy Hash: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
                                      • Instruction Fuzzy Hash: 27810D71E00248ABEB08CFD4D895BAEB7B5FF88340F148129F515AB294D734E886CF94
                                      APIs
                                        • Part of subcall function 10006322: GetProcessHeap.KERNEL32 ref: 1000634F
                                        • Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                        • Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
                                        • Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                        • Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                      • CloseHandle.KERNEL32 ref: 1000C6D1
                                      • Sleep.KERNEL32(00001388), ref: 1000C6DC
                                      • MoveFileExA.KERNEL32(00000000,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000C6EF
                                      • CopyFileA.KERNEL32(00000000,?,00000000), ref: 1000C702
                                      • DeleteFileA.KERNEL32(00000000), ref: 1000C70F
                                      • Sleep.KERNEL32(000003E8), ref: 1000C71A
                                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 1000C736
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleSleep$CopyDeleteHeapMoveProcessWritestrlen
                                      • String ID: %s\data.db$C:\Users\user\Desktop$hosts
                                      • API String ID: 3797919734-815068316
                                      • Opcode ID: efc404cb1c36cd2c8ce508b618bdaed85bcec96449d26f1028287ccc5fd69aa9
                                      • Instruction ID: f5900b32a1c57befda946730cab26c328d09066f7718e655d8f69fd7b70c79ee
                                      • Opcode Fuzzy Hash: efc404cb1c36cd2c8ce508b618bdaed85bcec96449d26f1028287ccc5fd69aa9
                                      • Instruction Fuzzy Hash: A421B0B6A00218BBEB14CFA4DC85FCA3769FB58710F104294FB199B1C0DBB1AA85CB50
                                      APIs
                                      • _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
                                      • strchr.MSVCRT ref: 10007FD3
                                      • _mbscat.MSVCRT ref: 10007FFD
                                      • _mbscat.MSVCRT ref: 1000800E
                                      • _mbscat.MSVCRT ref: 1000801E
                                      • _mbscat.MSVCRT ref: 1000802F
                                      • strchr.MSVCRT ref: 10008049
                                      Strings
                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007FB0
                                      • U11dGV4, xrefs: 10007F96
                                      • , xrefs: 10008005
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbscat$strchr$_mbscpy
                                      • String ID: $U11dGV4$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                      • API String ID: 702901625-1239733050
                                      • Opcode ID: f326c0bdbb4f28ea7d5a4b7c8fd45c6401bdca4bcea2e6c00a19b61eabe8c604
                                      • Instruction ID: 2bc11947cdbfdc4e0e0399083b1b6a46f6613d3c1d050bc1cbc246461a669991
                                      • Opcode Fuzzy Hash: f326c0bdbb4f28ea7d5a4b7c8fd45c6401bdca4bcea2e6c00a19b61eabe8c604
                                      • Instruction Fuzzy Hash: 91219379D00158ABDB11CFA8ED81BDD7774FB68302F5084A5EA0CA7244D6B5ABD48BA0
                                      APIs
                                      • 6CB72DD0.MFC42(00001218), ref: 1000BB9E
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000BBC1
                                        • Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC
                                        • Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E
                                      • CloseHandle.KERNEL32(?), ref: 1000BC66
                                        • Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
                                        • Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
                                        • Part of subcall function 10009A63: 6CB72DD0.MFC42(0007D000), ref: 10009AED
                                        • Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B
                                      • Sleep.KERNEL32(0002BF20), ref: 1000BC0D
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BC33
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BC42
                                      • CloseHandle.KERNEL32(?), ref: 1000BC4C
                                      • Sleep.KERNEL32(0002BF20), ref: 1000BC57
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseCreateHandleSleepmemset$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
                                      • String ID: 0x555dasfas$2963854030
                                      • API String ID: 2708768594-3075894505
                                      • Opcode ID: 44dd402188ac6d3b7afbe79d39589ed243b30a272ae3c6fbaaeeb9753b6d9d2b
                                      • Instruction ID: d84f95eccd45cc1831ea6bca91d576b8e54f65b4ebe8b4c65b06786423185a31
                                      • Opcode Fuzzy Hash: 44dd402188ac6d3b7afbe79d39589ed243b30a272ae3c6fbaaeeb9753b6d9d2b
                                      • Instruction Fuzzy Hash: DB21B1B5A40214BBFB10DFE0CD8AFDD7775EB55341F2041A4FA099A284DB706A91CB52
                                      APIs
                                      • strlen.MSVCRT ref: 10010968
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1001098D
                                      • CoCreateInstance.COMBASE(100246B0,00000000,00000001,Function_000245E0,?), ref: 100109A8
                                        • Part of subcall function 10010360: 6CB72DD0.MFC42(0000000C), ref: 10010380
                                      • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10010A3B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: BlanketCreateInitializeInstanceProxySecuritystrlen
                                      • String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
                                      • API String ID: 570563250-2582412207
                                      • Opcode ID: 98bf76f53860a594a0a0b1b9da7cabe3198b5f99b835eb4c1d9bb814207d1e67
                                      • Instruction ID: 5cbe6ac5fde7eb26dc338a514e816c495378dc4111dc2c4ddae531228331e323
                                      • Opcode Fuzzy Hash: 98bf76f53860a594a0a0b1b9da7cabe3198b5f99b835eb4c1d9bb814207d1e67
                                      • Instruction Fuzzy Hash: 0EA10874A00249EBDB04CFA4CD95BEEB7B4FF14314F208258F5516B2D2D7B4AA86CB91
                                      APIs
                                      • ExpandEnvironmentStringsA.KERNEL32(%systemroot%\system32\csrss.exe,?,00000104), ref: 1000D24F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000208), ref: 1000D288
                                      • GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 1000D298
                                      • GetProcAddress.KERNEL32(00000000), ref: 1000D29F
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000018,?), ref: 1000D2D6
                                      • wcscpy.MSVCRT ref: 1000D312
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressByteCharCurrentEnvironmentExpandHandleModuleMultiProcProcessStringsWidewcscpy
                                      • String ID: %systemroot%\system32\csrss.exe$NtQueryInformationProcess$ntdll.dll
                                      • API String ID: 703503636-1587409518
                                      • Opcode ID: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
                                      • Instruction ID: d4a10707df85f749384b0f406625ba1c85e5810cd389dcc908323d6700f8676c
                                      • Opcode Fuzzy Hash: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
                                      • Instruction Fuzzy Hash: 04212F71910218BFEB65CBA4CC89FDABBB8EB48310F50419AE609E6291DB705B45CF61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlen$strrchr$DirectoryPath_mbscpy
                                      • String ID: 123
                                      • API String ID: 2492324655-2286445522
                                      • Opcode ID: 6ae7ca9b40b598d48eb85bbcc3ba575c99ff50f77e4743fd11b9f870836d6378
                                      • Instruction ID: b10010325145a17280ae543c62f60846424ed8c502da58d9684bb6765ff15b86
                                      • Opcode Fuzzy Hash: 6ae7ca9b40b598d48eb85bbcc3ba575c99ff50f77e4743fd11b9f870836d6378
                                      • Instruction Fuzzy Hash: 634173FAD00248BBEB14CBA4DC42BDE77B5EF58340F1445A4F9099B241E636EB84CB91
                                      APIs
                                      • CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE
                                      • CloseHandle.KERNEL32(000000FF), ref: 1000610B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseCreateFileHandle
                                      • String ID: NUL
                                      • API String ID: 3498533004-1038343538
                                      • Opcode ID: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
                                      • Instruction ID: e9d1fb6442f0c914e32f04b904cbdd2044a8a5df72d57b902c957921bdc8d841
                                      • Opcode Fuzzy Hash: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
                                      • Instruction Fuzzy Hash: 7C313D7090022AEBEB10CBE4CC85BEEB7B6FF49344F344554EA117B286C730AA55DB91
                                      APIs
                                      • lstrlen.KERNEL32(00000000,Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1,SELECT * FROM ,1002AEF4,10010494,00000001,00000000,1002AF0C,10010314,00007325), ref: 10021500
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,c:\1.txt,00000001), ref: 10021527
                                      • GetLastError.KERNEL32 ref: 10021537
                                      • GetLastError.KERNEL32 ref: 1002153D
                                      • SysAllocString.OLEAUT32(c:\1.txt), ref: 10021554
                                      Strings
                                      • c:\1.txt, xrefs: 10021519, 10021553
                                      • SELECT * FROM , xrefs: 100214F5
                                      • Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100214F6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
                                      • String ID: Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1$SELECT * FROM $c:\1.txt
                                      • API String ID: 4196186757-3737772539
                                      • Opcode ID: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
                                      • Instruction ID: 1fe5ed956030cf47e0064620fe093005c6aabeb1075080af0839e4b43014f2e2
                                      • Opcode Fuzzy Hash: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
                                      • Instruction Fuzzy Hash: 7501F436500526F7E7209BA1DC85FDA3FA8EF613A1FB18031FD09D1090E730956286A1
                                      APIs
                                        • Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
                                        • Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
                                      • CreateMutexA.KERNEL32(00000000,00000001,Global\98012trt8-d8dfsf), ref: 1000AF86
                                      • GetLastError.KERNEL32 ref: 1000AF8F
                                      • ReleaseMutex.KERNEL32(?), ref: 1000AFC4
                                      • CloseHandle.KERNEL32(?), ref: 1000AFCE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: MutexProcess$CloseCreateCurrentErrorHandleLastOpenReleaseToken
                                      • String ID: ERROR_ALREADY_EXISTS$Global\98012trt8-d8dfsf$SeDebugPrivilege$c:\11.txt
                                      • API String ID: 1194210303-4205529783
                                      • Opcode ID: d03401780029131dd6c219b55038ed026ffa60db7316472a2721190242966462
                                      • Instruction ID: bda5bf97716bd855d7aa97815c2b0071a65dd76f9c377fc55d067d3e89c7e2b6
                                      • Opcode Fuzzy Hash: d03401780029131dd6c219b55038ed026ffa60db7316472a2721190242966462
                                      • Instruction Fuzzy Hash: 8AF0FF74D01309FBEB10DBE0DC89F8D7BB5EB15342F504155F90562251DB755684CB51
                                      APIs
                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 1000A7E8
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A80A
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8A2
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8DC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Open$Create
                                      • String ID:
                                      • API String ID: 161609438-0
                                      • Opcode ID: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
                                      • Instruction ID: e3d78695a21ea1c89d74b4d509c2f3cee1bcccb682452cc6d6267459aaa28678
                                      • Opcode Fuzzy Hash: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
                                      • Instruction Fuzzy Hash: 83512F75A04209EFEB14CF95CC85FEE77B8EB49780F208219FA15A7284D775E981CB60
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strlen$strrchr$_mbscpy
                                      • String ID: 123
                                      • API String ID: 3579317598-2286445522
                                      • Opcode ID: a7e80eb94064d2ce436cfba56af2053f82b0d1ab16597864ea567c708455ceb3
                                      • Instruction ID: 05727ab8fcb7bc7a0250f8534c20c239d1b1129ff1e51f3b6d4c9ceecbf6bad0
                                      • Opcode Fuzzy Hash: a7e80eb94064d2ce436cfba56af2053f82b0d1ab16597864ea567c708455ceb3
                                      • Instruction Fuzzy Hash: 4031A3FAD00208ABEB10CBA4DC81ADE77B5EF58340F1441A4F9099B241E776EB848BD1
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F6DA
                                      • Process32First.KERNEL32(00000000,00000128), ref: 1000F701
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 1000F716
                                      • lstrcmpiA.KERNEL32(00000000,?), ref: 1000F733
                                      • wsprintfA.USER32 ref: 1000F77C
                                      • CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F7F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpiwsprintf
                                      • String ID: pid_%d
                                      • API String ID: 4001055788-1598735649
                                      • Opcode ID: 2aa5c24c09c0c7920b2168c1d3eb21d9af395b2587bffe16ded94feffb8d1a77
                                      • Instruction ID: c9d53c2518a1c93e9c5bb71c043409e6e03239473161a3a160f8e14674c82ed7
                                      • Opcode Fuzzy Hash: 2aa5c24c09c0c7920b2168c1d3eb21d9af395b2587bffe16ded94feffb8d1a77
                                      • Instruction Fuzzy Hash: 68314AB5C05218EBEB60DFA4CC85BEDB7B4EF08340F1044EAE50DA6255E6746B84DF52
                                      APIs
                                      • wcslen.MSVCRT ref: 10021576
                                      • 6CB72DD0.MFC42(00000002,100112AB,lNlcnZpY2VB,SELECT * FROM ,1002AF18,?,100105BB,?,?,1002AF20,100112AB), ref: 10021580
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,100112AB,000000FF,00000000,00000002,00000000,00000000,lNlcnZpY2VB,SELECT * FROM ,1002AF18,?,100105BB,?,?,1002AF20), ref: 100215A2
                                      • GetLastError.KERNEL32(?,100105BB,?,?,1002AF20,100112AB), ref: 100215B2
                                      • GetLastError.KERNEL32(?,100105BB,?,?,1002AF20,100112AB), ref: 100215B8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLast$ByteCharMultiWidewcslen
                                      • String ID: SELECT * FROM $lNlcnZpY2VB
                                      • API String ID: 4237787585-3054530141
                                      • Opcode ID: 535be1c00c74b4252f7a708f373728373532073ad4246fcc369e3bfbabe45a2c
                                      • Instruction ID: f102809e0f6523f15fafc923be23898a7ca290de0f5e000ccec9650aaf4368e9
                                      • Opcode Fuzzy Hash: 535be1c00c74b4252f7a708f373728373532073ad4246fcc369e3bfbabe45a2c
                                      • Instruction Fuzzy Hash: 4FF0286A20427ABD9210A6726C84DBBBACCDEE12F47E2467AF515D2041D815AC0181F0
                                      APIs
                                      • strlen.MSVCRT ref: 1001E8B8
                                        • Part of subcall function 10020E70: _mbsicmp.MSVCRT ref: 10020E7B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbsicmpstrlen
                                      • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                      • API String ID: 374816253-51310709
                                      • Opcode ID: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
                                      • Instruction ID: a7750ba6201be3bd96256ed1aa53058d6e7dfdb32adcc3c4209802cf8e7f6fb8
                                      • Opcode Fuzzy Hash: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
                                      • Instruction Fuzzy Hash: D3317579D04289F7CF44CAE0AD8199D73A6EB12385F604865FD049F201E632FF80BBA5
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 1000FBDA
                                        • Part of subcall function 100114B0: CoCreateInstance.COMBASE(00000000,10024578,1000FC00,1002B6A0,00000017), ref: 100114CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstance
                                      • String ID: HTTP$kbstar
                                      • API String ID: 3519745914-2680672251
                                      • Opcode ID: c055f2331def5bf038289990834060b95847416c0c95277ab3e019e8c3a3d24e
                                      • Instruction ID: c3a8321b607e1ec655a761ab1389a6ee785db716c21e47efde926ca263a9be4b
                                      • Opcode Fuzzy Hash: c055f2331def5bf038289990834060b95847416c0c95277ab3e019e8c3a3d24e
                                      • Instruction Fuzzy Hash: 63A11574D00648DFDB08DFA4C995BEDBBB1FF58344F20815CE412AB292EB34AA45DB91
                                      APIs
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 10019062
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019073
                                      • memcpy.MSVCRT(?,?,?), ref: 100190FA
                                      • _mbscpy.MSVCRT(00000000,00000000), ref: 1001914D
                                      • _mbscat.MSVCRT ref: 10019160
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 1001916F
                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019183
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: AttributesCreateDirectoryFile$_mbscat_mbscpymemcpy
                                      • String ID:
                                      • API String ID: 3659483993-0
                                      • Opcode ID: 401fb6a168ac80da8bdcaef0b1af1669b1b76f47dcf4406e61fa6151f8434c8d
                                      • Instruction ID: 9d745a1a41eb4a7a2a12bfbab4145b738384b9807def3fcce6aed419c037e121
                                      • Opcode Fuzzy Hash: 401fb6a168ac80da8bdcaef0b1af1669b1b76f47dcf4406e61fa6151f8434c8d
                                      • Instruction Fuzzy Hash: C7413579D04118ABCB19CFA4D894AEDBBB5EF59310F208699E9599B240D770EFC0CF90
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A65F
                                      • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A671
                                      • _mbscat.MSVCRT ref: 1000A68C
                                      • _mbscat.MSVCRT ref: 1000A6A9
                                        • Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B
                                        • Part of subcall function 1000A519: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556
                                      Strings
                                      • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000A694
                                      • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000A677
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: DirectoryFileSystem_mbscat$CreateExistsPath
                                      • String ID: XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==
                                      • API String ID: 4049401565-2249354660
                                      • Opcode ID: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
                                      • Instruction ID: 12b72cb5e04ffb9a7e9ac27504f08d15284b6b879465d20345e618696946c61d
                                      • Opcode Fuzzy Hash: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
                                      • Instruction Fuzzy Hash: 9021F8FAC04208BBFB10D7A0DC45BCE7378DB14380F1086A5FB0996145EEB5ABC88B91
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10006CC5
                                      • GetFileSize.KERNEL32(?,00000000), ref: 10006CEA
                                      • 6CB72DD0.MFC42(00000000), ref: 10006CF7
                                      • memset.MSVCRT ref: 10006D35
                                      • ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?,?,00000000), ref: 10006D59
                                      • CloseHandle.KERNEL32(?,00000000), ref: 10006DA7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSizememset
                                      • String ID:
                                      • API String ID: 849667651-0
                                      • Opcode ID: f9c555f961a5b0f5389bdd5ac6b447c4d01538643fd2ee4016fe3482f06cf0eb
                                      • Instruction ID: 20d629e5142875753669a35d1e811c0194670abf32d4287b49ac12e2b780f710
                                      • Opcode Fuzzy Hash: f9c555f961a5b0f5389bdd5ac6b447c4d01538643fd2ee4016fe3482f06cf0eb
                                      • Instruction Fuzzy Hash: DA316179A00294ABEB25CF54CC85BCAB375FB4C341F1085D5FA49A7284D6B4AAD4CF50
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Global_mbscpymemset$AllocFreestrlen
                                      • String ID:
                                      • API String ID: 3317734596-0
                                      • Opcode ID: f45d5ceaf1e5b0f6367cab85ba0a1253f357690d66b4acb8c6414236b1e8fa04
                                      • Instruction ID: 371cdc15c4be44a3cd0437dc71fa5aaac8cd8a0fdcd6f9490a1cbaeabdbd2086
                                      • Opcode Fuzzy Hash: f45d5ceaf1e5b0f6367cab85ba0a1253f357690d66b4acb8c6414236b1e8fa04
                                      • Instruction Fuzzy Hash: A3219DB9D00208FBEB04CFD4D885B9DBBB4FF44304F50C158EA046B345D671AB948B95
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000008,00000214), ref: 1000601E
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005FD3,?,00000000,00000000), ref: 10006040
                                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 1000604F
                                      • TerminateThread.KERNEL32(?,00000000), ref: 10006067
                                      • CloseHandle.KERNEL32(?), ref: 10006071
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 100060A0
                                      • HeapFree.KERNEL32(00000000,00000000,?), ref: 100060B3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: HeapThread$AllocateByteCharCloseCreateFreeHandleMultiObjectSingleTerminateWaitWide
                                      • String ID:
                                      • API String ID: 4251336913-0
                                      • Opcode ID: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
                                      • Instruction ID: 97dbfb0626745b3a13ce99f142d6799707a3ad8bdba7c53ac94dcc1e3c2afbb3
                                      • Opcode Fuzzy Hash: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
                                      • Instruction Fuzzy Hash: 3B21BAB4A40218BFFB04DBD4CC8AF6E7775EB48701F208558FB15AB2D0C671AA51CB54
                                      Strings
                                      • 3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000D754
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: rand$CountTicksrand
                                      • String ID: 3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6
                                      • API String ID: 3923125369-3761970555
                                      • Opcode ID: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
                                      • Instruction ID: 5baca46d6ec9984475ff302e343ac5961955fe47c9a6e1e459158899833a3c7c
                                      • Opcode Fuzzy Hash: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
                                      • Instruction Fuzzy Hash: 3E11B830815108EFDB00EFA8D894A9EBBB6FF44320F30419AE909E7345D331AA51DB60
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
                                      • strlen.MSVCRT ref: 100067DB
                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
                                      • CloseHandle.KERNEL32(656C6261), ref: 100067F6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleWritestrlen
                                      • String ID: d=TRUE
                                      • API String ID: 1350020999-2436624125
                                      • Opcode ID: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
                                      • Instruction ID: 9091ae99ca244d77819b183989e1c27e630e4a4cabccf0d25adc0486f95204c4
                                      • Opcode Fuzzy Hash: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
                                      • Instruction Fuzzy Hash: C5F082B9640208BBE710DBE4DCC6F9A777CAB48700F108144FF09A7280DA70A944CBA4
                                      APIs
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001ED93
                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001EDF5
                                      • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 1001EE7C
                                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1001EEAC
                                      • CloseHandle.KERNEL32(00000000), ref: 1001EEC8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$Create$CloseHandleMappingPointerView
                                      • String ID:
                                      • API String ID: 1737989552-0
                                      • Opcode ID: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
                                      • Instruction ID: 743c727af9f4ebea276fef19f0abd475d21ef0e9be5fc3ab0a1b21c44a59574f
                                      • Opcode Fuzzy Hash: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
                                      • Instruction Fuzzy Hash: 0561C874A0024ADFEB14CF54C545BAEB7F1FB48715F208659E8156B382C771DE81CBA1
                                      APIs
                                      • 6CB72DD0.MFC42(00000001), ref: 100083C5
                                      • VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 10008408
                                      • 6CB72DD0.MFC42(00000001), ref: 1000846D
                                      • ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 10008493
                                      • CloseHandle.KERNEL32(00000000), ref: 100084EA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseHandleMemoryProcessQueryReadVirtual
                                      • String ID:
                                      • API String ID: 1621033003-0
                                      • Opcode ID: 305ed1c15194823d856f98b977b62591590cfed0765165237a3ed488ed182224
                                      • Instruction ID: 4ce35375b4bad31ba0a910ff1afeab1654858517ab5a746a47daf2776de4f8ea
                                      • Opcode Fuzzy Hash: 305ed1c15194823d856f98b977b62591590cfed0765165237a3ed488ed182224
                                      • Instruction Fuzzy Hash: 8B51E3B5E00219AFEB14CFD8D981AAEB7B5FF88340F208129E945A7354D774AA81CF50
                                      APIs
                                      • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556
                                      • memset.MSVCRT ref: 1000A597
                                      • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 1000A5BB
                                      • CloseHandle.KERNEL32(?), ref: 1000A607
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadmemset
                                      • String ID:
                                      • API String ID: 1934991721-0
                                      • Opcode ID: 05b567c9856d8dc71aa1cd1537ca95858c2db371d4679b3c43396c213425bc9f
                                      • Instruction ID: 6a49061c0ed4d4591c571688064297fdf5beefa6cff065268dfcbfb052794fb4
                                      • Opcode Fuzzy Hash: 05b567c9856d8dc71aa1cd1537ca95858c2db371d4679b3c43396c213425bc9f
                                      • Instruction Fuzzy Hash: F2216275A00255ABEB21CB54CC81FDA7374FB4C382F1045A5FB49A7284D6B0AAC48F54
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F64F
                                      • Process32First.KERNEL32(00000000,00000128), ref: 1000F672
                                      • Process32Next.KERNEL32(00000000,00000128), ref: 1000F687
                                      • lstrcmpiA.KERNEL32(00000000,?), ref: 1000F6A0
                                      • CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F6B9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                      • String ID:
                                      • API String ID: 868014591-0
                                      • Opcode ID: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
                                      • Instruction ID: 6a087116852af621f6414e876448160d89c161c3e2a286ec7096f0195759277d
                                      • Opcode Fuzzy Hash: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
                                      • Instruction Fuzzy Hash: AA014CB5D00208EBEB10EFE0CC85BEDB7B8EB08384F50848CA509A7254D7756B84DF50
                                      APIs
                                        • Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
                                        • Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
                                        • Part of subcall function 100055B0: OpenProcess.KERNEL32(?,?,?), ref: 100055BF
                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000F8A3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3054777269.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3054753296.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010027000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010033000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054777269.0000000010047000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054875111.0000000010049000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3054898933.000000001004A000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process$OpenTimer$Concurrency::details::platform::__CreateCurrentQueueToken
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 3835064167-2896544425
                                      • Opcode ID: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
                                      • Instruction ID: fc672c7b5ca9b149f1a5e930f45fef3a2c969a6d647dd8d1ed25485d67561eb1
                                      • Opcode Fuzzy Hash: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
                                      • Instruction Fuzzy Hash: 381182B5E40305BBFB10DBA08C46FDE7674EB04741F104568FB04BA2C5EA7166508755
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100), ref: 1000E4DB
                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 1000E525
                                      • DeviceIoControl.KERNEL32(000000FF,00222000,00000000,00000400,00000000,00000000,?,00000000), ref: 1000E55F
                                      Strings
                                      Similarity
                                      • API ID: ByteCharControlCreateDeviceFileMultiWide
                                      • String ID: \\.\moon
                                      • API String ID: 1446495253-2167628891
                                      • Opcode ID: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
                                      • Instruction ID: 23935ab2004618820c7cb13d6f81c44a57c65e4e46a841ae29926b98e247d94e
                                      • Opcode Fuzzy Hash: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
                                      • Instruction Fuzzy Hash: D71136B4550228BAE720DB54CC85FD57778EB44710F1086A9F708B72D0E7B02B86CF99
                                      APIs
                                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 100092DB
                                        • Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E
                                      • strlen.MSVCRT ref: 10009303
                                      Strings
                                      Similarity
                                      • API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
                                      • String ID: %s\lang.ini$C:\Users\user\Desktop
                                      • API String ID: 3442345488-1738621931
                                      • Opcode ID: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
                                      • Instruction ID: 5c2cb0c0f0112b76a52748a175c0b0866aa9ac7b40e06f3532cdc33e9dc0b8a8
                                      • Opcode Fuzzy Hash: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
                                      • Instruction Fuzzy Hash: C40148F9D0021867EB20DB64DC46FCA7378DB14740F4086A4BA88671C5EAB5BBC48FD5
                                      APIs
                                      • 6CB72DD0.MFC42(000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFD4
                                      • memcpy.MSVCRT(00000000,?,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F000
                                      • memcpy.MSVCRT(1002B35C,00004000,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F092
                                      • WriteFile.KERNEL32(00000000,00004000,000000FF,000000FF,00000000,?,1001FADC,?,000000FF,?,00004000), ref: 1001F0CC
                                      Similarity
                                      • API ID: memcpy$FileWrite
                                      • String ID:
                                      • API String ID: 3457131274-0
                                      • Opcode ID: dcd96ad24b5deabd6ad6734751da6d3ddb320af3399b2d07e3036afd30a7b307
                                      • Instruction ID: 4bd6022a4a2ec37f9ae3b9a4e2ff67f1137577e8ba2bc2d6a42e4c9f344f74e1
                                      • Opcode Fuzzy Hash: dcd96ad24b5deabd6ad6734751da6d3ddb320af3399b2d07e3036afd30a7b307
                                      • Instruction Fuzzy Hash: 4651BAB8E00109DFCB44CF98D491AAEBBB6FF98314F508559E9099B346D771E981CF90
                                      APIs
                                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100167A3
                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 100167D0
                                      • 6CB72DD0.MFC42(00000020), ref: 100167E7
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001684C
                                      Similarity
                                      • API ID: File$Pointer$Create
                                      • String ID:
                                      • API String ID: 250661774-0
                                      • Opcode ID: 210e3323cf45e4e45ac76a8794f6ac64e1948e2ff99ced056d7b0a137d796a7c
                                      • Instruction ID: f591f9a745d53ad3dfe22ef2f77011fbbab233b3b6c88462e3b6b178e94e5e56
                                      • Opcode Fuzzy Hash: 210e3323cf45e4e45ac76a8794f6ac64e1948e2ff99ced056d7b0a137d796a7c
                                      • Instruction Fuzzy Hash: C4510B74E0424AEFDB11CF54C895B9EBBB1FB09304F108699EC216B381C7B5DA85CB91
                                      APIs
                                      • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100184FF
                                      • strlen.MSVCRT ref: 1001850E
                                      • _mbscat.MSVCRT ref: 10018544
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1001855C
                                      Similarity
                                      • API ID: CurrentDirectoryFilePointer_mbscatstrlen
                                      • String ID:
                                      • API String ID: 345282596-0
                                      • Opcode ID: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
                                      • Instruction ID: d652d1c918226deb8dbb541e2e319e9dea9985361b2032265780a00324afeef0
                                      • Opcode Fuzzy Hash: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
                                      • Instruction Fuzzy Hash: 5C318275D0064ADBDB00CF94C881BAE7BB6EF45300F144569F515AB281D330EBD1CB91
                                      APIs
                                      Similarity
                                      • API ID: strlen$malloctolowertoupper
                                      • String ID:
                                      • API String ID: 1610385915-0
                                      • Opcode ID: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
                                      • Instruction ID: 7a5db7ae6677982574b2aec189b42e08800268808c8d6061b8b5cfc946dd9c0f
                                      • Opcode Fuzzy Hash: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
                                      • Instruction Fuzzy Hash: 45317C75D0428CEBDB04CFA8C8D0AAEBBB5EF42245F2441D9D841AB306C635AB90DB45
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(10010E30,?), ref: 10011190
                                      • SafeArrayAccessData.OLEAUT32(10010E30,00000000), ref: 100111AD
                                      • SafeArrayUnaccessData.OLEAUT32(10010E30), ref: 10011217
                                      • refcount_ptr.LIBCPMTD ref: 10011227
                                      Similarity
                                      • API ID: ArraySafe$Data$AccessUnaccessVartyperefcount_ptr
                                      • String ID:
                                      • API String ID: 643252218-0
                                      • Opcode ID: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
                                      • Instruction ID: 2d86a0b6451a645c637edffcb08906b081acf8c9fc1e69a33f2e972db292452b
                                      • Opcode Fuzzy Hash: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
                                      • Instruction Fuzzy Hash: 7231ED75D00109EFCB08CF94C995BEEBBB5FF48310F208159E525AB281DB35AA45CBA1
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Sleepmemsetstrstr
                                      • String ID: found~!
                                      • API String ID: 2489989216-3563639675
                                      • Opcode ID: 7143e2e7ad882e3708efaeca46576da121ed463c27487f09a7516927d49d91bc
                                      • Instruction ID: 8119cc500c20e04b94a5d0cf1617a111049eef5a0b8ea3278fea11a9d42b8372
                                      • Opcode Fuzzy Hash: 7143e2e7ad882e3708efaeca46576da121ed463c27487f09a7516927d49d91bc
                                      • Instruction Fuzzy Hash: F0F068B6E00108EBEB14CBD4DD86F9FB378EB98201F1045D4FA09A7241EA71AF559F51
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BDAC
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BDBB
                                      • CloseHandle.KERNEL32(?), ref: 1000BDC5
                                      • Sleep.KERNEL32(00000064), ref: 1000BDCD
                                      Similarity
                                      • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                      • String ID:
                                      • API String ID: 422747524-0
                                      • Opcode ID: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
                                      • Instruction ID: b9f77b51fdc0ce5c79c26bcc87bcad786e5d67b6ada7f4622830d9e7383a6a42
                                      • Opcode Fuzzy Hash: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
                                      • Instruction Fuzzy Hash: A8F03074A40208BBF704DFE4CD8AF9D7B75EB54711F208154FB059A2C4D7715A518B61
                                      APIs
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,10006283,?), ref: 100061E6
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 100061FF
                                      • CloseHandle.KERNEL32(00000000), ref: 1000620D
                                      Similarity
                                      • API ID: Process$CloseHandleOpenTerminate
                                      • String ID:
                                      • API String ID: 2026632969-0
                                      • Opcode ID: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
                                      • Instruction ID: c3b055f7a518f1452caa67d907e4e45609d189d3ebd99e836d77498bd3e4c8c9
                                      • Opcode Fuzzy Hash: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
                                      • Instruction Fuzzy Hash: 6AF05875A44218FBE710DBE4DD88B5E7BA8EB0C381F308958FA05D7240D6309A819B50
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D39D
                                      • sprintf.MSVCRT ref: 1000D3B6
                                      Strings
                                      • cmd /c ping 127.0.0.1 -n 3&del "%s", xrefs: 1000D3AA
                                      Similarity
                                      • API ID: FileModuleNamesprintf
                                      • String ID: cmd /c ping 127.0.0.1 -n 3&del "%s"
                                      • API String ID: 1461247384-535577241
                                      • Opcode ID: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
                                      • Instruction ID: a6b8e271a6fb293dd042ad0264e0da81425d7f8170d8075a503821407d4c08d6
                                      • Opcode Fuzzy Hash: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
                                      • Instruction Fuzzy Hash: A8F0C27291021C7BEB11C7A8CCA5BD6B7BCAB54300F4001E5E70CA6181EFB52B9C8F91
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: -
                                      • API String ID: 481472006-2547889144
                                      • Opcode ID: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
                                      • Instruction ID: 54c5f6dbd1dfb4096c870d722f7c1ff444cf4a43efea41441fbe41cbc9c571be
                                      • Opcode Fuzzy Hash: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
                                      • Instruction Fuzzy Hash: 47F04471D0120AEBEB14DFA4C6856FDB7B4EF40740F20C1ADD801AB648DA34AB09FB52