Edit tour

Windows Analysis Report
yKVQVNB2qI.dll

Overview

General Information

Sample name:	yKVQVNB2qI.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	8b20e683ad19b1fffe5eb08697cb02afb62503b2.dll.exe
Analysis ID:	1558482
MD5:	0a3307b04bfc73db7eac08b2821e2032
SHA1:	8b20e683ad19b1fffe5eb08697cb02afb62503b2
SHA256:	791d63cffe80821bf93e3900b117e54826e3f251ec82a9e5621250b90c63da31
Tags:	dllexeuser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2836 cmdline: loaddll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5584 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4304 cmdline: rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 6276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1784 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3084 cmdline: rundll32.exe C:\Users\user\Desktop\yKVQVNB2qI.dll,inflate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 4988 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5656 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 2156 cmdline: rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5236 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3768 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7156 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6884 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7116 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 3084 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6456 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5644 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yKVQVNB2qI.dll	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0xfda0:$x1: cracked by ximo 0x23bee:$x1: cracked by ximo

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x41f07:$x1: cracked by ximo 0x41fbe:$x1: cracked by ximo 0x42075:$x1: cracked by ximo 0x4212c:$x1: cracked by ximo 0x421e3:$x1: cracked by ximo 0x4229a:$x1: cracked by ximo 0x42351:$x1: cracked by ximo 0x42408:$x1: cracked by ximo 0x53ac7:$x1: cracked by ximo 0x67915:$x1: cracked by ximo

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flate

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yKVQVNB2qI.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: yKVQVNB2qI.dll

ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: yKVQVNB2qI.dll

Joe Sandbox ML: detected

Source: yKVQVNB2qI.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_stricmp,PathIsDirectoryA,#823,strcpy,strcpy,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,strrchr,_stricmp,strcpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD strcpy,strcat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.240 18963	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.143 12388	Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 107.163.56.241 ports 18530,0,1,3,5,8
Source: global traffic	TCP traffic: 107.163.56.240 ports 18963,1,3,6,8,9

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic	TCP traffic: 192.168.2.6:49705 -> 107.163.56.241:18530
Source: global traffic	TCP traffic: 192.168.2.6:49706 -> 107.163.43.143:12388
Source: global traffic	TCP traffic: 192.168.2.6:49716 -> 107.163.56.251:6658
Source: global traffic	TCP traffic: 192.168.2.6:49718 -> 107.163.56.240:18963

Source: Joe Sandbox View

IP Address: 107.163.56.251 107.163.56.251

Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US

Source: global traffic

TCP traffic: 192.168.2.6:49719 -> 202.108.0.52:80

Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.143
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007225 WSAStartup,socket,socket,htons,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,WSACleanup,

4_2_10007225

Source: global traffic

DNS traffic detected: DNS query: blog.sina.com.cn

Source: rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/main
Source: rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/mainMozilla/4.0
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.143:12388/new_u.php
Source: rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.143:12388/new_u.php$
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240/
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4427092707.00000000060FE000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4427048449.000000000607D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4427187084.000000000631C000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.php
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.php-
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.php3
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.phpfsk
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.phpi6r
Source: rundll32.exe, 00000004.00000002.4427048449.000000000607D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.240:1963/main.php
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.241:18530/
Source: rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnteYnti
Source: rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%s
Source: rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%sfound~
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/NT
Source: rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%sMozilla/4.0
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093.
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093HsA
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ks
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100052CF OpenClipboard,

4_2_100052CF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E8E SetClipboardData,

4_2_10004E8E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004F4C GetClipboardData,

4_2_10004F4C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004788 GetAsyncKeyState,

4_2_10004788

System Summary

Malicious sample detected (through community Yara rule)

Source: yKVQVNB2qI.dll, type: SAMPLE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005F3C GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		4_2_10005F3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005FD3 NtQueryInformationFile,		4_2_10005FD3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100059A0 DeleteService,

4_2_100059A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004804 CreateProcessAsUserA,

4_2_10004804

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005238 ExitWindowsEx,

4_2_10005238

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100150F3	4_2_100150F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F200	4_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100122E4	4_2_100122E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1004650D	4_2_1004650D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E5EC	4_2_1001E5EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10018642	4_2_10018642
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A67B	4_2_1001A67B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D748	4_2_1001D748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001C850	4_2_1001C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015883	4_2_10015883
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015B40	4_2_10015B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DB5D	4_2_1001DB5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10036CAA	4_2_10036CAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DD4D	4_2_1001DD4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BD60	4_2_1001BD60

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 10001000 appears 296 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1784

Source: yKVQVNB2qI.dll

Binary or memory string: OriginalFilenameDXTRANS.DLL~/ vs yKVQVNB2qI.dll

Source: yKVQVNB2qI.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: yKVQVNB2qI.dll, type: SAMPLE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winDLL@32/5@1/6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72 sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005EBA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	4_2_10005EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005912 AdjustTokenPrivileges,	4_2_10005912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007DDE #823,#823,#823,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,	4_2_10007DDE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005821 GetDiskFreeSpaceExA,

4_2_10005821

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: strcpy,strcat,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlenA,RegSetValueExA,memset,wsprintfA,RegCreateKeyA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,memset,strcpy,RegOpenKeyExA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegCloseKey,

4_2_1000ABAC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100055E1 CreateToolhelp32Snapshot,

4_2_100055E1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100114B0 CoCreateInstance,

4_2_100114B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005000 LockResource,

4_2_10005000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000AAC4 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\11251252

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:776:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4304

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\414f0544-69eb-4344-9c8e-aea459066414

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1

Source: yKVQVNB2qI.dll

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yKVQVNB2qI.dll,inflate
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1784
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\yKVQVNB2qI.dll,inflate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: initial sample

Static PE information: section where entry point is pointing to: .lak1

Source: yKVQVNB2qI.dll	Static PE information: section name: .lak0
Source: yKVQVNB2qI.dll	Static PE information: section name: .lak1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100352AC pushfd ; mov dword ptr [esp], 9616A963h	4_2_100352C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003B601 push dword ptr [esp+30h]; retn 0034h	4_2_1003B661
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100357E9 push edx; mov dword ptr [esp], B873513Fh	4_2_1003B0DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003B962 push 4DF288F7h; mov dword ptr [esp], 9616688Fh	4_2_1003B97F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000CB08 push eax; mov dword ptr [esp], ECA52385h	4_2_1004388C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10038020 push dword ptr [esp+30h]; retn 0034h	4_2_1003802F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10038032 push edx; mov dword ptr [esp], 961659A5h	4_2_10038033
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001057 push dword ptr [esp+18h]; retn 001Ch	4_2_10038071
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10038059 push dword ptr [esp+18h]; retn 001Ch	4_2_10038071
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001097 push dword ptr [esp+44h]; retn 0048h	4_2_10034480
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100370C6 push es; ret	4_2_100370CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100010D7 pushfd ; mov dword ptr [esp], 9097BDA7h	4_2_100346A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210E0 push eax; ret	4_2_1002110E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10070126 push dword ptr [esp+34h]; retn 0038h	4_2_10070135
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10038128 push dword ptr [esp+38h]; retn 003Ch	4_2_1003814B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D183 push 74A6F5A1h; mov dword ptr [esp], ecx	4_2_1000D189
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100011BD pushfd ; mov dword ptr [esp], ebx	4_2_100011C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C1E6 push dword ptr [esp+28h]; retn 002Ch	4_2_10034380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100342B8 push eax; mov dword ptr [esp], ebp	4_2_100342D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100342CE push eax; mov dword ptr [esp], ebp	4_2_100342D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100012CF push dword ptr [esp]; mov dword ptr [esp], 064C06CBh	4_2_100012D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100372F6 push 341038DCh; mov dword ptr [esp], E5677E7Ah	4_2_10037308
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100352FF push dword ptr [esp+30h]; retn 0034h	4_2_10035320
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10037319 push dword ptr [esp+3Ch]; retn 0040h	4_2_10037360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10035328 push dword ptr [esp+30h]; retn 0034h	4_2_1003536C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10034343 push dword ptr [esp+28h]; retn 002Ch	4_2_10034380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003340C push dword ptr [esp+04h]; retn 0008h	4_2_1003347B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003340C push dword ptr [esp+38h]; retn 003Ch	4_2_100337CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003340C push dword ptr [esp+2Ch]; retn 0030h	4_2_100341A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1007047E push dword ptr [esp+50h]; retn 0054h	4_2_100704A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003548D push dword ptr [esp+2Ch]; retn 0030h	4_2_100354D5

Source: yKVQVNB2qI.dll

Static PE information: section name: .lak1 entropy: 7.931946564058133

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run flate

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run flate			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run flate			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005BDF ClearEventLogA,

4_2_10005BDF

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-11051

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_4-10451

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6304	Thread sleep time: -19800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5948	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1364	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6304	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5340	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1364	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2032	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_stricmp,PathIsDirectoryA,#823,strcpy,strcpy,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,strrchr,_stricmp,strcpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD strcpy,strcat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,strcpy,strcat,strcat,FindFirstFileA,FindClose,strcpy,strcat,strcat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007DDE #823,#823,#823,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,

4_2_10007DDE

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: rundll32.exe, 00000004.00000002.4426005774.0000000002F7B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000004.00000002.4426123512.0000000003444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW!
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000004.00000002.4426428388.0000000004F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ions\\VMwareHostOpen.exe
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004DF5 BlockInput,

4_2_10004DF5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006322 GetProcessHeap,HeapFree,_strnicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,CloseHandle,memset,strrchr,_strnicmp,CloseHandle,CloseHandle,lstrlenA,_strnicmp,OpenProcess,GetModuleFileNameExA,_strnicmp,GetCurrentProcess,DuplicateHandle,CloseHandle,CloseHandle,HeapFree,

4_2_10006322

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000558A SetUnhandledExceptionFilter,

4_2_1000558A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.240 18963	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.143 12388	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E04 keybd_event,

4_2_10004E04

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E1F mouse_event,

4_2_10004E1F

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100048C9 SetSecurityDescriptorDacl,

4_2_100048C9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004925 AllocateAndInitializeSid,

4_2_10004925

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,memcpy,	4_2_1000960F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,#823,memset,___crtGetTimeFormatEx,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,#823,MultiByteToWideChar,WideCharToMultiByte,#823,WideCharToMultiByte,#825,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,#825,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,strlen,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,wsprintfA,strlen,#825,strrchr,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	4_2_10009FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: strlen,memset,___crtGetLocaleInfoEx,lstrcpyA,	4_2_1000C295
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,	4_2_1000949C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetModuleFileNameA,GetModuleFileNameA,strrchr,strcat,strrchr,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ReleaseMutex,CloseHandle,GetTickCount,srand,rand,rand,Sleep,SetFileAttributesA,wsprintfA,strcpy,strcat,strcat,Sleep,memset,strcat,strcat,strcat,MoveFileA,Concurrency::details::platform::__CreateTimerQueueTimer,___crtGetLocaleInfoEx,rand,rand,rand,rand,rand,rand,rand,MoveFileExA,Sleep,memset,___crtGetTimeFormatEx,	4_2_1000D7E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,#823,memset,___crtGetTimeFormatEx,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,#823,MultiByteToWideChar,WideCharToMultiByte,#823,WideCharToMultiByte,#825,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z,#825,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,strlen,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,wsprintfA,strlen,#825,strrchr,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,	4_2_10009A63

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1001F343 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

4_2_1001F343

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004996 LookupAccountNameA,

4_2_10004996

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10008C6A memset,GetVersionExA,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,sprintf,

4_2_10008C6A

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_10007225

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Service Execution	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	12 Windows Service	11 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	12 Windows Service	1 Software Packing	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	111 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
yKVQVNB2qI.dll	84%	ReversingLabs	Win32.Backdoor.Venik
yKVQVNB2qI.dll	100%	Avira	TR/Spy.Gen
yKVQVNB2qI.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://107.163.56.240:1963/main.php	0%	Avira URL Cloud	safe
http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnteYnti	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.php	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.php3	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.phpfsk	0%	Avira URL Cloud	safe
http://107.163.43.143:12388/new_u.php	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.phpi6r	0%	Avira URL Cloud	safe
http://107.163.56.241:18530/	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.php-	0%	Avira URL Cloud	safe
http://107.163.43.143:12388/new_u.php$	0%	Avira URL Cloud	safe
http://107.163.56.240/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blogx.sina.com.cn	202.108.0.52	true	false		high
blog.sina.com.cn	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://blog.sina.com.cn/u/5762479093.	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.163.56.240:1963/main.php	rundll32.exe, 00000004.00000002.4427048449.000000000607D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.143:12388/new_u.php	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.240:18963/main.php	rundll32.exe, rundll32.exe, 00000004.00000002.4427092707.00000000060FE000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.4427048449.000000000607D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4427187084.000000000631C000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.240:18963/main.phpfsk	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093HsA	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false		high
http://67.229.227.140:999/ver.asp?v=%sfound~	rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://blog.sina.com.cn/u/%sMozilla/4.0	rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://%s.qzone.qq.com/main	rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://107.163.56.240:18963/main.php3	rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.241:18530//joy.asp?sid=rungnejcmKqYndK2Fe5vteX8v2LUicbtudb8mteYnteYnti	rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.18.dr	false		high
http://%s.qzone.qq.com/mainMozilla/4.0	rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://107.163.56.240:18963/main.php-	rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093ks	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/%s	rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high
http://blog.sina.com.cn/u/5762479093	rundll32.exe, 00000004.00000002.4426123512.0000000003451000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.163.43.143:12388/new_u.php$	rundll32.exe, 00000004.00000002.4426123512.00000000033F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.240:18963/main.phpi6r	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.241:18530/	rundll32.exe, rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/NT	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.163.56.240/	rundll32.exe, 00000004.00000002.4426123512.0000000003424000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://67.229.227.140:999/ver.asp?v=%s	rundll32.exe, 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
202.108.0.52	blogx.sina.com.cn	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
107.163.56.241	unknown	United States	20248	TAKE2US	true
107.163.43.143	unknown	United States	20248	TAKE2US	true
107.163.56.251	unknown	United States	20248	TAKE2US	true
107.163.56.240	unknown	United States	20248	TAKE2US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558482
Start date and time:	2024-11-19 14:13:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yKVQVNB2qI.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	8b20e683ad19b1fffe5eb08697cb02afb62503b2.dll.exe
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@32/5@1/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 50 Number of non-executed functions: 105
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: yKVQVNB2qI.dll

Simulations

Behavior and APIs

Time	Type	Description
08:14:42	API Interceptor	83x Sleep call for process: rundll32.exe modified
08:14:43	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:18:28	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
202.108.0.52	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
107.163.56.241	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse
107.163.43.143	46PhJ3XpBT.dll	Get hash	malicious	Unknown	Browse
	01JkTmNJhe.dll	Get hash	malicious	Unknown	Browse
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse
107.163.56.251	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse
	abc.dll	Get hash	malicious	Unknown	Browse
107.163.56.240	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
107.163.56.240	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
blogx.sina.com.cn	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	http://zeuso.cc	Get hash	malicious	Unknown	Browse	202.108.0.52
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	abc.dll	Get hash	malicious	Unknown	Browse	123.126.45.92

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	owari.mips.elf	Get hash	malicious	Unknown	Browse	111.193.177.206
	owari.x86.elf	Get hash	malicious	Unknown	Browse	60.194.199.155
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	hmips.elf	Get hash	malicious	Mirai	Browse	111.196.123.227
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	123.112.202.42
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	113.45.119.194
	botx.arm.elf	Get hash	malicious	Mirai	Browse	211.145.29.8
TAKE2US	46PhJ3XpBT.dll	Get hash	malicious	Unknown	Browse	107.163.43.236
	01JkTmNJhe.dll	Get hash	malicious	Unknown	Browse	107.163.43.235
	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
TAKE2US	46PhJ3XpBT.dll	Get hash	malicious	Unknown	Browse	107.163.43.236
	01JkTmNJhe.dll	Get hash	malicious	Unknown	Browse	107.163.43.235
	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
TAKE2US	46PhJ3XpBT.dll	Get hash	malicious	Unknown	Browse	107.163.43.236
	01JkTmNJhe.dll	Get hash	malicious	Unknown	Browse	107.163.43.235
	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_45b27b9ae4bdc5533369f53128e793cbabf13_7522e4b5_8dc497db-9d37-4dbc-adeb-aac07e38855c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1181433422434017
Encrypted:	false
SSDEEP:	192:uWi9ZOFu0BU/wjeT7aZWO3sJzuiFMZ24IO84ci:PiiFVBU/wjeERAzuiFMY4IO84ci
MD5:	25B7E0032A13621D268F37E8563DBB1D
SHA1:	313D82EBA6AA576FA170AA535E9329DA387228BD
SHA-256:	854AE94A4D3E1F1CFC7F1F8C1F12DA213B9A0077D0292EF7EE4A23CB1A3BA165
SHA-512:	66068A86DD263F845525793F32BC53D6755AF3B9CEE4E2FFC933CF5460ED7278944A1A59DF1D9AEBB7E543C0CC607EE66A24A13CB02ED88843F448ECAF883AC4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.5.7.1.2.7.1.5.0.5.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.5.7.1.3.4.3.3.8.1.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.c.4.9.7.d.b.-.9.d.3.7.-.4.d.b.c.-.a.d.e.b.-.a.a.c.0.7.e.3.8.8.5.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.4.4.7.7.b.b.-.2.9.b.3.-.4.1.7.2.-.9.e.0.d.-.8.6.7.b.f.c.e.5.2.3.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.0.-.0.0.0.1.-.0.0.1.5.-.9.d.c.8.-.8.a.f.d.8.4.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1682.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 13:15:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	234496
Entropy (8bit):	1.8169318516450723
Encrypted:	false
SSDEEP:	768:AE08Wu5pOwK7MEKKAAqTkvhdE8T85WAmYAGrt:ORmVeaKAHTkWAGrt
MD5:	171233CBA7C73D477815A407BE5EE4F8
SHA1:	20CADC90E2425020B59D9363877577A4AE99FF21
SHA-256:	FF2C7E39AD2D7C5764A1DB5CEBD0E752F27E9644F10925A95FC030CCB82B0384
SHA-512:	A511AC6CACBE60E6AE23E31BF99EF26F69E0529A6617A5E6570DAF8F4E9C9FE0E7FE9735068BE8A39D0B286660D288205F2E027089779ADE6C89157392EF225A
Malicious:	false
Preview:	MDMP..a..... .......a.<g.........................................o..........T.......8...........T...........8F...M...........)...........+..............................................................................eJ...... ,......GenuineIntel............T...........@.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1857.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.698079923557641
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9Mi6FJ6Y/X6Jgmf8jnprs89bSwsfrGm:R6lXJb676Yv6Jgmf8jjSDfz
MD5:	673F1D0AF645F04ABED9AA6E9D31BFFC
SHA1:	B18077152694BEC94F616666A5FC3EBF1DF7FE49
SHA-256:	02161BA8A904DD373E9EC18A8D776063A6981C7FBBC4934FFE34185B78DDEAFD
SHA-512:	C48E2F3911BC28FC5CE5516FAA6B4884F470998228B17F62650A623829A5EDAAC44CBFBD644AB62B45F3DC7BFD0A2D653D558A24C37BF6808A36E4D71B63C81D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1887.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.484153320067734
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI92+HyWpW8VYOXYm8M4JCdP7F/g+q8vjPFbGScS6d:uIjfXI7og7VaJBKBbJ36d
MD5:	878D74AA145E3D0F2AE1E336EDF0145C
SHA1:	17A5C8D48D08C80AB9A3544473A780FBBFD18020
SHA-256:	E248CA64C194C5E5754ED8BA3639DEFDF8BD8768E5F02FBED0682BFDCAFE65FC
SHA-512:	7E05F641F3F6375381A66EF06535F6C7949D670CC54ED65D891CAB763D1276FD58CEAAA42567C54DF2B812912A7AFFC916992E50B4AE16512E5DD7B1EF25E466
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594977" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469382451441772
Encrypted:	false
SSDEEP:	6144:UzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNFjDH5S:aZHtYZWOKnMM6bFpHj4
MD5:	68666F2FF4EA6AC5147C0A54BCFF9FEF
SHA1:	1DBC4A4755AABCE41A72D34CF851D0FBB3DA4DD8
SHA-256:	6A8CA84812C120BBB5F5CA0234BAD09CF734B90402801F73746096960320DF37
SHA-512:	135210A985A0CAFB3607435CF54D87A3B0719AD560567AEC54A5460D910F21CCBF5564504B96BF1F511DE3788401E79D4D11C7776A20C0BB86D02DDBD29E8F7F
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmJp...:..............................................................................................................................................................................................................................................................................................................................................i .$........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.706231902786819
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.38% DOS Executable Borland Pascal 7.0x (2037/25) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Lumena CEL bitmap (63/63) 0.01%
File name:	yKVQVNB2qI.dll
File size:	188'453 bytes
MD5:	0a3307b04bfc73db7eac08b2821e2032
SHA1:	8b20e683ad19b1fffe5eb08697cb02afb62503b2
SHA256:	791d63cffe80821bf93e3900b117e54826e3f251ec82a9e5621250b90c63da31
SHA512:	b358a42142f58fe26088f28e297e23c7e557086c90ac5a5bf9f3df10b19561a400410cec18e235a62be5492ade708ed998279f4179fb1079073ed976ec189331
SSDEEP:	3072:YXFF+uZRl3zKTG1PZvbnkE8OCtR6kX4nxtR8RtzR6Vj5FwwTl0:Y1FJZDKG1P1zkEDER6kXAtqEVjc4q
TLSH:	280412525B2486B1F8960F74D497243FB66AF1401370029EB3BDA56E9E63DFEA231309
File Content Preview:	MZ.............................................................................................................................................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1005609a
Entrypoint Section:	.lak1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	0
OS Version Minor:	0
File Version Major:	0
File Version Minor:	0
Subsystem Version Major:	0
Subsystem Version Minor:	0
Import Hash:	1cb44e3fd2b456c57ddbbc34a99f6c10

Entrypoint Preview

Instruction
pushfd
jmp 00007F55348E58ECh
add byte ptr [eax], al
pop edi
jnc 00007F55348E6956h
jc 00007F55348E6945h
insd
jo 00007F55348E694Bh
add byte ptr [ebp+0F282464h], cl
sub dword ptr [ecx+11h], 00000000h
add byte ptr [esi-7Bh], ah
int1
cmc
mov ebx, eax
rcl di, cl
not di
shld di, bp, cl
mov edi, eax
inc cx
mov ecx, 00000104h
push F7722B56h
bt ecx, ebp
xor al, al
mov byte ptr [esp], FFFFFF9Bh
call 00007F55348FA89Eh
call 00007F55348E8265h
lea esp, dword ptr [esp+30h]
call 00007F55348E882Ch
jmp 00007F55348E7383h
mov word ptr [esp], 03E5h
lea esp, dword ptr [esp+44h]
jc 00007F55348E8674h
stc
cmp ah, FFFFFFF4h
xor dh, dl
test cl, bl
cmc
clc
test dh, 00000001h
push esp
mov dh, 00000000h
call 00007F55348D7C55h
push 0E7F9EBAh
push 2ADDC6D2h
push 761337ACh
test ebx, ebx
cmp ecx, 07h
push 73BD8DD1h
sbb ecx, ecx
call 00007F55348FF583h
mov ecx, dword ptr [ebp+0Ch]
jmp 00007F55348E7BE9h
shr di, cl
bsf esi, esp
shr ecx, 1
sar di, cl
clc
push dword ptr [esp+04h]
shl di, cl
mov edi, dword ptr [ebx+ecx*4]
movsx esi, al
add edi, eax
not si

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6ac14	0x3b	.lak1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6ef48	0x140	.lak1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73000	0x1000
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0xac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6a5e0	0x3a4	.lak1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20a8a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x40c5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x27000	0x7550	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.lak0	0x2f000	0x17c88	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.lak1	0x47000	0x2ab46	0x2b000	563bf034968bc6df926bd301bf5dff1e	False	0.9641056504360465	data	7.931946564058133	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x72000	0xac	0x1000	b7e279d14828db6e3bb40c2b686d68ac	False	0.04150390625	data	0.312365931687807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x73000	0xa56	0x1000	e7f74a459c4e30d04099fe36f135a2f1	False	0.12890625	data	1.2724055194039676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x73470	0x528	data	English	United States	0.015151515151515152
RT_STRING	0x73998	0xbe	data	English	United States	0.06315789473684211
RT_VERSION	0x730e8	0x388	data	English	United States	0.46238938053097345

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	rand, strchr, strncpy, sscanf, __CxxFrameHandler, wcscat, memcpy, malloc, free, _strnicmp, strcpy, srand, memcmp, _stricmp, strrchr, strcat, time, localtime, strftime, vsprintf, sprintf, strlen, memset, atoi, strcspn, strstr, _except_handler3, _CxxThrowException, tolower, toupper, strcmp, wcscpy, strncat, calloc, _mbsstr, _mbsnbcpy, _strcmpi, wcslen, _mbsicmp, __dllonexit, _onexit, ??1type_info@@UAE@XZ, _initterm, _adjust_fdiv, _memicmp
KERNEL32.dll	CreateToolhelp32Snapshot, UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, GetFileInformationByHandle, FileTimeToSystemTime, SetFileTime, GetFileAttributesA, LocalFileTimeToFileTime, GetCurrentDirectoryA, SystemTimeToFileTime, FormatMessageA, CreateProcessA, GetLocalTime, VirtualQuery, lstrcatA, DeviceIoControl, SetFileAttributesA, MoveFileA, LocalFree, Process32First, lstrcmpiA, DebugActiveProcess, Process32Next, ExpandEnvironmentStringsA, GetModuleHandleA, InterlockedIncrement, CopyFileA, InterlockedExchange, CreateMutexA, ReleaseMutex, SetLastError, WinExec, lstrcpyA, LoadLibraryA, GetProcAddress, CloseHandle, WriteFile, SetFilePointer, CreateFileA, GetModuleFileNameA, GetCurrentProcess, HeapFree, HeapAlloc, GetProcessHeap, WideCharToMultiByte, TerminateThread, WaitForSingleObject, CreateThread, GetCurrentProcessId, TerminateProcess, OpenProcess, GetTickCount, MoveFileExA, DeleteFileA, Sleep, lstrlenA, DuplicateHandle, FreeLibrary, FindClose, FindNextFileA, FindFirstFileA, ReadFile, GetFileSize, InterlockedDecrement, GetSystemInfo, WriteProcessMemory, CreateDirectoryA, ReadProcessMemory, VirtualQueryEx, GlobalFree, GlobalAlloc, GetVersionExA, GetSystemDefaultUILanguage, GlobalMemoryStatusEx, MultiByteToWideChar, GetLastError, GetSystemDirectoryA
USER32.dll	GetDesktopWindow, wsprintfA
ADVAPI32.dll	QueryServiceStatus, LookupPrivilegeValueA, RegQueryInfoKeyA, RegEnumValueA, CreateServiceA, RegCreateKeyA, OpenSCManagerA, OpenServiceA, ChangeServiceConfigA, StartServiceA, CloseServiceHandle, AdjustTokenPrivileges, RegOpenKeyA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, OpenProcessToken
WS2_32.dll	inet_addr, htonl, sendto, closesocket, WSACleanup, send, __WSAFDIsSet, recv, connect, setsockopt, WSAIoctl, WSAStartup, socket, htons, ntohs, bind, ioctlsocket, select, recvfrom, WSAGetLastError
SHLWAPI.dll	PathIsDirectoryA, PathFileExistsA, StrStrIA
ntdll.dll	NtQueryInformationFile, NtQuerySystemInformation
PSAPI.DLL	GetModuleFileNameExA
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitializeEx, CoInitialize, CoSetProxyBlanket, CoCreateInstance
OLEAUT32.dll	SafeArrayGetVartype, SafeArrayAccessData, SafeArrayUnaccessData, VariantChangeType, SysAllocStringByteLen, SafeArrayCreate, SafeArrayDestroy, SysFreeString, SysAllocString, VariantInit, SysStringLen, VariantClear
MSVCP60.dll	??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z, ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z, ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
NETAPI32.dll	Netbios
KERNEL32.dll	GetModuleFileNameW
KERNEL32.dll	GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

Exports

Name	Ordinal	Address
inflate	1	0x1000fff3

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:14:44.414063931 CET	49705	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:14:44.414242029 CET	49706	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:14:45.420943022 CET	49705	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:14:45.421195984 CET	49706	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:14:47.420958042 CET	49705	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:14:47.421072006 CET	49706	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:14:51.420933008 CET	49705	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:14:51.421061993 CET	49706	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:14:59.420922041 CET	49705	18530	192.168.2.6	107.163.56.241
Nov 19, 2024 14:14:59.420945883 CET	49706	12388	192.168.2.6	107.163.43.143
Nov 19, 2024 14:15:06.572160959 CET	49716	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:15:07.577229977 CET	49716	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:15:09.577199936 CET	49716	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:15:09.587192059 CET	49718	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:09.587205887 CET	49717	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:10.577195883 CET	49718	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:10.592793941 CET	49717	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:12.577229023 CET	49718	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:12.608462095 CET	49717	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:13.307543993 CET	49719	80	192.168.2.6	202.108.0.52
Nov 19, 2024 14:15:13.577176094 CET	49716	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:15:14.311660051 CET	49719	80	192.168.2.6	202.108.0.52
Nov 19, 2024 14:15:16.311568022 CET	49719	80	192.168.2.6	202.108.0.52
Nov 19, 2024 14:15:16.592816114 CET	49718	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:16.624058008 CET	49717	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:20.311589003 CET	49719	80	192.168.2.6	202.108.0.52
Nov 19, 2024 14:15:21.577306032 CET	49716	6658	192.168.2.6	107.163.56.251
Nov 19, 2024 14:15:24.608556032 CET	49718	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:24.639719963 CET	49717	18963	192.168.2.6	107.163.56.240
Nov 19, 2024 14:15:28.311563015 CET	49719	80	192.168.2.6	202.108.0.52
Nov 19, 2024 14:18:29.452955961 CET	49745	18963	192.168.2.6	107.163.56.240

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:15:12.982425928 CET	55980	53	192.168.2.6	1.1.1.1
Nov 19, 2024 14:15:13.306052923 CET	53	55980	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 14:15:12.982425928 CET	192.168.2.6	1.1.1.1	0x90b2	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 14:15:13.306052923 CET	1.1.1.1	192.168.2.6	0x90b2	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:15:13.306052923 CET	1.1.1.1	192.168.2.6	0x90b2	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	08:14:39
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll"
Imagebase:	0x8e0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:14:39
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:14:40
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:14:40
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",#1
Imagebase:	0x750000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:14:40
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\yKVQVNB2qI.dll,inflate
Imagebase:	0x750000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:14:40
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:14:41
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:14:41
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x5a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:14:43
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate
Imagebase:	0x750000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:14:43
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 776, Parent PID: 5236

General

Target ID:	12
Start time:	08:14:43
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:14:43
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x5a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:15:12
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1784
Imagebase:	0x120000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:15:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate
Imagebase:	0x750000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:15:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1924, Parent PID: 6884

General

Target ID:	21
Start time:	08:15:15
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:15:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x5a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:15:23
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\yKVQVNB2qI.dll",inflate
Imagebase:	0x750000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 6456, Parent PID: 3084

General

Target ID:	24
Start time:	08:15:23
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5432, Parent PID: 6456

General

Target ID:	25
Start time:	08:15:24
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:15:24
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x5a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.5%
Total number of Nodes:	739
Total number of Limit Nodes:	18

Executed Functions

Function 10007225 Relevance: 96.6, APIs: 46, Strings: 9, Instructions: 387
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000729A
socket.WS2_32(00000002,00000002,00000000), ref: 100072A6
socket.WS2_32(00000002,00000002,00000000), ref: 100072B8
htons.WS2_32(00000035), ref: 100072CF
inet_addr.WS2_32(127.0.0.1), ref: 100072E1
htons.WS2_32(00000035), ref: 100072F8
inet_addr.WS2_32(?), ref: 1000730C
bind.WS2_32(?,00000002,00000010), ref: 10007328
ioctlsocket.WS2_32(?,8004667E,00000001), ref: 1000734B
select.WS2_32(00000000,00000000,00000000,00000000,000003E8), ref: 1000741B
WSAGetLastError.WS2_32 ref: 10007430
Sleep.KERNEL32(000003E8), ref: 10007441
memset.MSVCRT ref: 10007464
recvfrom.WS2_32(?,00000000,00000200,00000000,?,00000010), ref: 1000748F
memset.MSVCRT ref: 100074C2

Part of subcall function 1000713B: memset.MSVCRT ref: 10007157
Part of subcall function 1000713B: memcpy.MSVCRT(?,-0000000C,-00000010), ref: 10007171
Part of subcall function 1000713B: strlen.MSVCRT ref: 1000717D

wsprintfA.USER32 ref: 10007513
StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,00000000), ref: 10007528
StrStrIA.SHLWAPI(00000000,alyac), ref: 10007553
StrStrIA.SHLWAPI(00000000,ahnlab), ref: 10007569
StrStrIA.SHLWAPI(00000000,v3lite), ref: 1000757F
malloc.MSVCRT ref: 10007595
memcpy.MSVCRT(?,00000000,00000002), ref: 100075B4
memcpy.MSVCRT(00000000,00000000,00000000), ref: 100075D1
htons.WS2_32(00008180), ref: 100075DE
htons.WS2_32(00008182), ref: 10007602
memcpy.MSVCRT(?,?,00000002), ref: 1000761F
htons.WS2_32(00000001), ref: 10007629
memcpy.MSVCRT(?,?,00000002), ref: 10007646
htons.WS2_32(0000C00C), ref: 10007685
memcpy.MSVCRT(00000000,?,00000002), ref: 100076A2
htons.WS2_32(00000001), ref: 100076BB
memcpy.MSVCRT(00000000,?,00000002), ref: 100076DF
htons.WS2_32(00000001), ref: 100076F8
memcpy.MSVCRT(00000000,?,00000002), ref: 1000771C
htonl.WS2_32(0000007B), ref: 10007735
memcpy.MSVCRT(00000000,?,00000004), ref: 10007758
htons.WS2_32(00000004), ref: 10007771
memcpy.MSVCRT(00000000,?,00000002), ref: 10007795
inet_addr.WS2_32(1002D030), ref: 100077C4
inet_addr.WS2_32(127.0.0.1), ref: 100077D7
memcpy.MSVCRT(00000000,00000000,00000004), ref: 100077FA
memcpy.MSVCRT(00000000,00000000,00000000), ref: 1000783F
sendto.WS2_32(?,00000000,00000000,00000000,?,00000010), ref: 10007867
closesocket.WS2_32(?), ref: 10007898
closesocket.WS2_32(?), ref: 100078A5
WSACleanup.WS2_32 ref: 100078AB

Strings

v3lite, xrefs: 10007573
127.0.0.1, xrefs: 100077D2
127.0.0.1, xrefs: 100072DC
ahnlab, xrefs: 1000755D
%s|, xrefs: 10007507
@, xrefs: 100073BE
8.8.8.8, xrefs: 10007261
alyac, xrefs: 10007547
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007523

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$htons$inet_addr$memset$closesocketsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtostrlenwsprintf
String ID: %s|$127.0.0.1$127.0.0.1$8.8.8.8$@$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 3038323916-584143555
Opcode ID: 845f32fe3648e56a57e23b03ede1d36942d354f1ff75db94071abf654bfa1e24
Instruction ID: 3390842cec86af49ff68c52d0698ecfc573ce0de94bd3180ff3bf18654662f0a
Opcode Fuzzy Hash: 845f32fe3648e56a57e23b03ede1d36942d354f1ff75db94071abf654bfa1e24
Instruction Fuzzy Hash: B1025E75D04229ABEB64CB54CC89BE9B7B4FF48300F0045E9E60DA6295D7786B84CF91

Function 10009FAB Relevance: 61.6, APIs: 32, Strings: 3, Instructions: 335
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 1000A00F
wsprintfA.USER32 ref: 1000A027
#823.MFC42(0007D000), ref: 1000A035
memset.MSVCRT ref: 1000A063

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 1000A0C6

Strings

title, xrefs: 1000A2BA
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000A07D
http://blog.sina.com.cn/u/%s, xrefs: 1000A01B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823FormatInternetOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$http://blog.sina.com.cn/u/%s$title
API String ID: 242236092-1204782975
Opcode ID: 7786ccd1f8cf3dfb92443655f82326389980e03e857cbdab4bc944acf8979b61
Instruction ID: e515f712fb1f60d133b8907fa9568e81727eaea72b4f5efa335cc261a660f667
Opcode Fuzzy Hash: 7786ccd1f8cf3dfb92443655f82326389980e03e857cbdab4bc944acf8979b61
Instruction Fuzzy Hash: F4E117B4D00268EFEB24CB58CC85BDEB7B0EB59300F1042D9EA09A7280DB756E85CF51

Function 1000E763 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 233
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,1000EBC9), ref: 1000E791
lstrcatA.KERNEL32(00000000,1002B328), ref: 1000E7A3
lstrcatA.KERNEL32(00000000,*.*), ref: 1000E7B5
FindFirstFileA.KERNEL32(00000000,?), ref: 1000E7C9
FindNextFileA.KERNEL32(000000FF,?), ref: 1000E7F3
lstrcpyA.KERNEL32(00000000,1000EBC9), ref: 1000E844
lstrcatA.KERNEL32(00000000,1002B330), ref: 1000E856
lstrcatA.KERNEL32(00000000,?), ref: 1000E86A
_stricmp.MSVCRT(NPKI,?), ref: 1000E87C
PathIsDirectoryA.SHLWAPI(00000000), ref: 1000E8CD
#823.MFC42(00A00000), ref: 1000E906

Strings

%s\%s, xrefs: 1000E8B2
P, xrefs: 1000E975
/image.php, xrefs: 1000EA75
107.163.56.240:18963/main.php, xrefs: 1000E9C8
*.*, xrefs: 1000E7A9
11251252, xrefs: 1000E8A6
NPKI, xrefs: 1000E877

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: lstrcat$FileFindlstrcpy$#823DirectoryFirstNextPath_stricmp
String ID: %s\%s$*.*$/image.php$107.163.56.240:18963/main.php$11251252$NPKI$P
API String ID: 1962140201-1679207125
Opcode ID: 326138d7d6b907ca393dbe3dc7c40a9eb630edcfe0782a620cf22def4cc8d22f
Instruction ID: 19444b947d153ba7138296ce0e6c54724dfe7cb5038b80b89ac979f494543493
Opcode Fuzzy Hash: 326138d7d6b907ca393dbe3dc7c40a9eb630edcfe0782a620cf22def4cc8d22f
Instruction Fuzzy Hash: 6991A6B59002A8AFEB64CBA4CC84BDE77B9EB58341F0044E5E30DA6141DB75AF98CF51

Function 10011C72 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 140
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 10011C8E
CreateFileA.KERNEL32(1002A58C,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4
DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,10029F4C,00000018,%s\version.txt,00000000), ref: 10011CF0
GetLastError.KERNEL32(00000400,10029F64,00000000,00000000), ref: 10011D0C
FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10011D1A

Strings

\\.\PHYSICALDRIVE%d, xrefs: 10011C85
%s\version.txt, xrefs: 10011CD6, 10011D75

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ControlCreateDeviceErrorFileFormatLastMessagesprintf
String ID: %s\version.txt$\\.\PHYSICALDRIVE%d
API String ID: 1111953355-1258372184
Opcode ID: 3c7729a733258b6e0b37361d0833c90b24978351350e765fd2cad2df9285a42c
Instruction ID: ac9daaf844bbbce85607c204d6ced58bc456b83f5b99ea7e7b7fe265a51f8282
Opcode Fuzzy Hash: 3c7729a733258b6e0b37361d0833c90b24978351350e765fd2cad2df9285a42c
Instruction Fuzzy Hash: C351A6B5A00218ABEB24CF54CC41BDD7775EF85704F148294F6096A2C1DB729A94CF55

Function 10006843 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 10006865
GetProcAddress.KERNEL32(?,GetExtendedUdpTable), ref: 1000687D
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 1000689A
malloc.MSVCRT ref: 100068CA
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 10006903

Strings

z, xrefs: 100068AF
iphlpapi.dll, xrefs: 10006860
GetExtendedUdpTable, xrefs: 10006871

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable$AddressLibraryLoadProcmalloc
String ID: GetExtendedUdpTable$iphlpapi.dll$z
API String ID: 2385667234-347336574
Opcode ID: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction ID: e72f5ed3c2909e77353821d2c1bd01ab583724ea6bb6368f571f4905b0ca2030
Opcode Fuzzy Hash: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction Fuzzy Hash: 3541E9F09002289BDB24DB50CD85BD8B7B9EB88304F20C5E9E70967295D7709EC6CF59

Function 1000960F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009674

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 10009631

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: 122b06664d942d7b13a537107bdcdc972565db5a05c74ffa231b28c85dc0b13d
Instruction ID: edbbad18566889c42df8cf001e4eb437ffe5273fdd268d158c28225184eb7580
Opcode Fuzzy Hash: 122b06664d942d7b13a537107bdcdc972565db5a05c74ffa231b28c85dc0b13d
Instruction Fuzzy Hash: F5311DF6D00208EBEB20DB94CC86BCD73B8EB44340F5185A4E70877285E775AB948B99

Function 10005EBA Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
CloseHandle.KERNEL32(?), ref: 10005F29

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction ID: efa5140f03dfd4bc98f9291f5672f447fd415e0b54fcefeffd77d2d0beff28df
Opcode Fuzzy Hash: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction Fuzzy Hash: FB012D70A1020AABFB14CFE4CC85BBF77B8EB88741F208515FA05D6284D6799A42CB60

Function 100055E1 Relevance: 1.5, APIs: 1, Instructions: 9processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 100055EC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: ea1125fc6efff60c22231dd8e74bc2e2f11368403fa6fc4b095aa2b2bc07678f
Instruction ID: 58b8d6dcfabb716e12054e17064c669289570b6e525953e8c0c68f1c4d85f407
Opcode Fuzzy Hash: ea1125fc6efff60c22231dd8e74bc2e2f11368403fa6fc4b095aa2b2bc07678f
Instruction Fuzzy Hash: 0CC0487611020CAB8A44EB98D884C9A77ACAB58621B008006BA0986200CA31E9508BA0

Function 10036CAA Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c53f127b50854b0fbc5a2f1560af346ea09433305b31fd8c87c387f44413597
Instruction ID: 31efd84514d4fc9470a9a95d5ad96b8e6417809c5ce5094f1338bfe36aa86831
Opcode Fuzzy Hash: 4c53f127b50854b0fbc5a2f1560af346ea09433305b31fd8c87c387f44413597
Instruction Fuzzy Hash: F91153AA40C380AFE312DBB5884124BBFC2AB44364F02895EF5C866241D6788C60E712

Function 1000FFF3 Relevance: 63.2, APIs: 29, Strings: 7, Instructions: 200
sleepthreadfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10008A9A: wsprintfA.USER32 ref: 10008ACF
Part of subcall function 10008A9A: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 10008AE4
Part of subcall function 10008A9A: GetModuleFileNameA.KERNEL32(?,C:\Users\user\Desktop\yKVQVNB2qI.dll,00000104), ref: 10008AFA
Part of subcall function 10008A9A: strcpy.MSVCRT(C:\Users\user\Desktop,C:\Users\user\Desktop\yKVQVNB2qI.dll), ref: 10008B0A
Part of subcall function 10008A9A: strrchr.MSVCRT ref: 10008B19
Part of subcall function 10008A9A: wsprintfA.USER32 ref: 10008B39
Part of subcall function 10008A9A: wsprintfA.USER32 ref: 10008B51
Part of subcall function 10008A9A: wsprintfA.USER32 ref: 10008B69
Part of subcall function 10008A9A: #823.MFC42(00000084), ref: 10008B77
Part of subcall function 10008A9A: strcpy.MSVCRT(1002D040,?), ref: 10008BC2

CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658,1002B5F8), ref: 10010016
GetLastError.KERNEL32 ref: 10010022
wsprintfA.USER32 ref: 1001006D
WinExec.KERNEL32(?,00000000), ref: 1001007F
Sleep.KERNEL32(000007D0), ref: 10010090
DeleteFileA.KERNEL32(00000000), ref: 1001009A
PathIsDirectoryA.SHLWAPI(C:\Users\user\Desktop\11251252), ref: 100100C4
CreateDirectoryA.KERNEL32(C:\Users\user\Desktop\11251252,00000000), ref: 10010102
Sleep.KERNEL32(000007D0), ref: 10010113
DeleteFileA.KERNEL32(00000000), ref: 1001011D
CreateThread.KERNEL32(00000000,00000000,1000FEA3,00000000,00000000,00000000), ref: 1001013B
CreateThread.KERNEL32(00000000,00000000,1000C5DD,00000000,00000000,00000000), ref: 10010155
Sleep.KERNEL32(000003E8), ref: 10010160
WSAStartup.WS2_32(00000202,?), ref: 10010172
CreateThread.KERNEL32(00000000,00000000,1000BDDD,107.163.56.251:6658,00000000,00000000), ref: 10010190
CreateThread.KERNEL32(00000000,00000000,1000EAE6,00000000,00000000,00000000), ref: 100101A5
Sleep.KERNEL32(00000BB8), ref: 100101B0
CreateThread.KERNEL32(00000000,00000000,1000CB08,00000000,00000000,00000000), ref: 10010201
CreateThread.KERNEL32(00000000,00000000,1000EF29,00000000,00000000,00000000), ref: 10010216
Sleep.KERNEL32(00000BB8), ref: 10010221
CreateThread.KERNEL32(00000000,00000000,10007225,00000000,00000000,00000000), ref: 10010236
CreateThread.KERNEL32(00000000,00000000,1000C753,00000000,00000000,00000000), ref: 1001024B
Sleep.KERNEL32(000927C0), ref: 10010256
Sleep.KERNEL32(000927C0), ref: 1001026A
CreateThread.KERNEL32(00000000,00000000,1000BA90,00000000,00000000,00000000), ref: 1001027F
Sleep.KERNEL32(0000EA60), ref: 1001028A
CreateThread.KERNEL32(00000000,00000000,1000F9DF,00000000,00000000,00000000), ref: 1001029F
Sleep.KERNEL32(000000FF), ref: 100102A7
Sleep.KERNEL32(0036EE80), ref: 100102BB

Strings

SeDebugPrivilege, xrefs: 100100A7
C:\Users\user\Desktop, xrefs: 1001005C
C:\Users\user\Desktop\11251252, xrefs: 100100BF, 100100FD
cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s", xrefs: 10010061
M107.163.56.251:6658, xrefs: 1001000D
107.163.56.251:6658, xrefs: 10010182
123, xrefs: 100100E7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create$SleepThread$wsprintf$File$DeleteDirectoryModuleNamestrcpy$#823ErrorExecLastMutexPathStartupstrrchr
String ID: 107.163.56.251:6658$123$C:\Users\user\Desktop$C:\Users\user\Desktop\11251252$M107.163.56.251:6658$SeDebugPrivilege$cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"
API String ID: 1244602917-2968694234
Opcode ID: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
Instruction ID: 202ca25a55749d9caac28ba7abe87623cc4d3d132b78e06582e95a8dd985acec
Opcode Fuzzy Hash: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
Instruction Fuzzy Hash: 31616F30B81324BBF720DBA08C4BF9A7661EB14B42F604594F749BD1D0DBF066928F56

Function 10008A9A Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10008ACF
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 10008AE4
GetModuleFileNameA.KERNEL32(?,C:\Users\user\Desktop\yKVQVNB2qI.dll,00000104), ref: 10008AFA
strcpy.MSVCRT(C:\Users\user\Desktop,C:\Users\user\Desktop\yKVQVNB2qI.dll), ref: 10008B0A
strrchr.MSVCRT ref: 10008B19
wsprintfA.USER32 ref: 10008B39
wsprintfA.USER32 ref: 10008B51
wsprintfA.USER32 ref: 10008B69
#823.MFC42(00000084), ref: 10008B77
strcpy.MSVCRT(1002D040,?), ref: 10008BC2

Part of subcall function 10011A40: memset.MSVCRT ref: 10011A5B

Strings

11251252, xrefs: 10008AC0, 10008B25
C:\Users\user\Desktop, xrefs: 10008B05, 10008B14, 10008B2A, 10008B42
C:\Windows\SysWOW64\rundll32.exe, xrefs: 10008ADD
C:\Users\user\Desktop\11251252, xrefs: 10008B34
C:\Users\user\Desktop\yKVQVNB2qI.dll, xrefs: 10008AEF, 10008B00
M%s, xrefs: 10008B5F
M107.163.56.251:6658, xrefs: 10008B64
11251252, xrefs: 10008ACA
107.163.56.251:6658, xrefs: 10008B5A
%s\%s, xrefs: 10008B2F
%s\version.txt, xrefs: 10008B47

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$FileModuleNamestrcpy$#823memsetstrrchr
String ID: %s\%s$%s\version.txt$107.163.56.251:6658$11251252$11251252$C:\Users\user\Desktop$C:\Users\user\Desktop\11251252$C:\Users\user\Desktop\yKVQVNB2qI.dll$C:\Windows\SysWOW64\rundll32.exe$M%s$M107.163.56.251:6658
API String ID: 3714362057-1941510721
Opcode ID: be461c383ee27442613f73452afdc23c163f868165d983bf5b2a219be10a23e9
Instruction ID: 79703c0d8955a89168bb019a272a90435c4122afe87ac73744c1e10340129ad2
Opcode Fuzzy Hash: be461c383ee27442613f73452afdc23c163f868165d983bf5b2a219be10a23e9
Instruction Fuzzy Hash: E4316CB0C00619ABDB00DFD4ED45FDEBBB0EB08301FA04024FA1976296D7752A458BAA

Function 10009806 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 163
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT(00000000,?), ref: 10009834
strstr.MSVCRT ref: 10009894
strstr.MSVCRT ref: 100098C6
strcspn.MSVCRT ref: 100098DF
strstr.MSVCRT ref: 10009904
strcspn.MSVCRT ref: 1000991D
strncpy.MSVCRT ref: 10009935
strcpy.MSVCRT(00000000,?), ref: 1000994E
strcpy.MSVCRT(00000000,00000000), ref: 10009966
strstr.MSVCRT ref: 1000997A
strcspn.MSVCRT ref: 10009993
strncpy.MSVCRT ref: 100099AB
strcspn.MSVCRT ref: 100099C0
atoi.MSVCRT(?), ref: 100099DD

Part of subcall function 1000949C: ___crtGetTimeFormatEx.LIBCMTD ref: 10009517
Part of subcall function 1000949C: memset.MSVCRT ref: 1000953C
Part of subcall function 1000949C: ___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

WSAStartup.WS2_32(00000202,?), ref: 100099F8
htons.WS2_32(00000000), ref: 10009A0C
socket.WS2_32(00000002,00000001,00000000), ref: 10009A2E
connect.WS2_32(?,00000002,00000010), ref: 10009A41
closesocket.WS2_32(?), ref: 10009A50

Strings

http://, xrefs: 10009888

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcspnstrstr$strcpy$___crtstrncpy$FormatInfoLocaleStartupTimeatoiclosesocketconnecthtonsmemsetsocket
String ID: http://
API String ID: 328426387-1121587658
Opcode ID: 95a10ac281a7790da465a19b795ef191dcc1d882c7580565bb57f079f1fd2488
Instruction ID: 328f30d5f0abd543537b81f1a207a30335c7fdbd19ea60133f8a33c6dacf31c1
Opcode Fuzzy Hash: 95a10ac281a7790da465a19b795ef191dcc1d882c7580565bb57f079f1fd2488
Instruction Fuzzy Hash: 4151CF71900218BFEF14DBA4DC89BDA77BCEF45304F1041A8F649A6144EB319B99CFA2

Function 1000EF29 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 189
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF71
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF83
strcat.MSVCRT(00000000,00000000), ref: 1000EF9E
strcat.MSVCRT(00000000,00000000), ref: 1000EFBB
#823.MFC42(00080000), ref: 1000EFDE
memset.MSVCRT ref: 1000F08F
Sleep.KERNEL32(000927C0), ref: 1000F0CC
strlen.MSVCRT ref: 1000F168
strcmp.MSVCRT ref: 1000F181
wsprintfA.USER32 ref: 1000F19E
WinExec.KERNEL32(cmd.exe /c ipconfig /flushdns,00000000), ref: 1000F1C2
Sleep.KERNEL32(000927C0), ref: 1000F1CF
#825.MFC42(?), ref: 1000F1EA

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000EFA6
http://107.163.56.240:18963/main.php, xrefs: 1000F069
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000EF89
127.0.0.1, xrefs: 1000F1AC
cmd.exe /c ipconfig /flushdns, xrefs: 1000F1BD
8.8.8.8, xrefs: 1000F1A7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectorySleepSystemstrcat$#823#825Execmemsetstrcmpstrlenwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$cmd.exe /c ipconfig /flushdns$http://107.163.56.240:18963/main.php
API String ID: 3591502829-3520984710
Opcode ID: 9aa9357ac9c217c228a3672c1b78ea6a79737a45ba864647a5ac78da939c1638
Instruction ID: 1b7d056821bea9ffcc31071dd2aa98b9aaa464bf06ce50bac68d0a223335520a
Opcode Fuzzy Hash: 9aa9357ac9c217c228a3672c1b78ea6a79737a45ba864647a5ac78da939c1638
Instruction Fuzzy Hash: 1571A1B5D04218ABEB60CB68DCC5BD9B3B5EB58340F1041E8E60CA7281DB75AF858F91

Function 10008FF9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 134
stringregistrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,?), ref: 10009030
___crtGetTimeFormatEx.LIBCMTD ref: 10009071

Part of subcall function 10005AF9: RegQueryValueExA.KERNEL32(?,?,?,?,?,?), ref: 10005B14

Part of subcall function 10005ABC: RegCloseKey.KERNEL32(?), ref: 10005AC3

strcpy.MSVCRT(?,?), ref: 10009093
strcpy.MSVCRT(?,Find CPU Error), ref: 100090A6
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
__aulldiv.LIBCMT ref: 100090F5
__aulldiv.LIBCMT ref: 10009103
strcpy.MSVCRT(?,11251252,?,?,00000400,00000000), ref: 1000914A
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,00000400,00000000), ref: 10009152
strcpy.MSVCRT(?,00000000,?,?,?,?,?,?,00000400,00000000), ref: 100091B5

Strings

11251252, xrefs: 1000913C
http://107.163.56.240:18963/main.php, xrefs: 100091BF
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10009009
%u MB, xrefs: 10009128
Find CPU Error, xrefs: 1000909D
ProcessorNameString, xrefs: 10009065
@, xrefs: 100090C9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcpy$__aulldiv$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
String ID: %u MB$11251252$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.240:18963/main.php
API String ID: 1131083606-3901107066
Opcode ID: a9f9c81e1f5e2bf042818b082de5461d57493066105c7df1614c22055faf70c2
Instruction ID: cefe20e9956c0aeb191ec147d5f548dd9efc5a21e1516fd84fccf84d5fb5ed44
Opcode Fuzzy Hash: a9f9c81e1f5e2bf042818b082de5461d57493066105c7df1614c22055faf70c2
Instruction Fuzzy Hash: B941D8F99012186BEB10DB54DC89FDA7379EF54340F4482A8F608A7285EB74AA84CB95

Function 1000F9DF Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000), ref: 1000FA4E
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000FA9C
memset.MSVCRT ref: 1000FAE5
memset.MSVCRT ref: 1000FAFB
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 1000FB54
StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000FB6F
RegDeleteValueA.ADVAPI32(?,?), ref: 1000FB87
RegCloseKey.ADVAPI32(00000000), ref: 1000FB99
Sleep.KERNEL32(000493E0), ref: 1000FBA4

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000FA44
svchsot.exe, xrefs: 1000FB63

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$svchsot.exe
API String ID: 1121228644-2172464104
Opcode ID: 1de66b49b57b20e7b30ee5cf9281676ebde425205f07ecffcb68b93b72a40747
Instruction ID: c6f70cebfc850f900d70c9a4584eddebb96ea2d54561a80a661612636b8fad89
Opcode Fuzzy Hash: 1de66b49b57b20e7b30ee5cf9281676ebde425205f07ecffcb68b93b72a40747
Instruction Fuzzy Hash: 87416475A40168ABEB24CB54CD45FD9B3B8FB48740F1081D9E349A6180DBF4AEC8DFA4

Function 1000BA90 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#823.MFC42(00001218), ref: 1000BA9E
WSAStartup.WS2_32(00000202,?), ref: 1000BAC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

memset.MSVCRT ref: 1000BB06

Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A00F
Part of subcall function 10009FAB: wsprintfA.USER32 ref: 1000A027
Part of subcall function 10009FAB: #823.MFC42(0007D000), ref: 1000A035
Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A063

Sleep.KERNEL32(0002BF20), ref: 1000BB28
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BB4E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BB5D
CloseHandle.KERNEL32(?), ref: 1000BB67
Sleep.KERNEL32(0002BF20), ref: 1000BB72
CloseHandle.KERNEL32(?), ref: 1000BB84

Strings

5762479093, xrefs: 1000BB12
0x5d65r455f, xrefs: 1000BAC7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$5762479093
API String ID: 1869492179-2446933972
Opcode ID: 48c69e241c5798b29b8255a489638e25f8b8fa6308a3ca890d82071bfec04006
Instruction ID: ee4fe3ff80eea35deae1171875856fc337cdd1930f9e5ee3871eb6d0d01d88b9
Opcode Fuzzy Hash: 48c69e241c5798b29b8255a489638e25f8b8fa6308a3ca890d82071bfec04006
Instruction Fuzzy Hash: 922184B5A40214BBF710DBE0CD8BFDD7774EB55741F2041A4FA09962C8DB706A508B96

Function 10011E80 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 10011E9A
memset.MSVCRT ref: 10011EB0
Netbios.NETAPI32(00000037), ref: 10011EDB
Netbios.NETAPI32(00000032), ref: 10011F55

Strings

3, xrefs: 10011FA7
%02X%02X%02X%02X%02X%02X, xrefs: 1001205E

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Netbiosmemset
String ID: %02X%02X%02X%02X%02X%02X$3
API String ID: 1915571530-847158874
Opcode ID: 2e676db7342fd70eb5ea567224f90399c59005863cf04410c083d71630d5426a
Instruction ID: 995f6e05dfeb694b0f45a1fd62118eef7e3e694447b149082da1e2005757cfe0
Opcode Fuzzy Hash: 2e676db7342fd70eb5ea567224f90399c59005863cf04410c083d71630d5426a
Instruction Fuzzy Hash: 2D518F7592065A8BDB36CB14CC42BE9B3B8EF95300F4441F8A44CAA242EBB49BD4DF45

Function 1000C43A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 1000C463
#823.MFC42(00000084), ref: 1000C47A
strcpy.MSVCRT(1002D040,?), ref: 1000C4E3

Strings

11251252, xrefs: 1000C571
http://107.163.56.241:18530/, xrefs: 1000C45E, 1000C5A6
%s|NULL|%s|%s, xrefs: 1000C582
http://, xrefs: 1000C459
%s/joy.asp?sid=%s, xrefs: 1000C5AB

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823strcpystrstr
String ID: %s/joy.asp?sid=%s$%s|NULL|%s|%s$11251252$http://$http://107.163.56.241:18530/
API String ID: 2643025201-732965659
Opcode ID: 9528a80b2e36fce9e62d5d76e704731a06484a4d6a1109cfc5254c4c071dc40f
Instruction ID: 96c4c4460f3670001d58eb54bbc12df5c97e6194365fac138d2a8c86e213b446
Opcode Fuzzy Hash: 9528a80b2e36fce9e62d5d76e704731a06484a4d6a1109cfc5254c4c071dc40f
Instruction Fuzzy Hash: EC4156F5D00218AFEB20CF14DC81B9AB7B4EB85240F4045F9E70967281EB356A898F5A

Function 1000BDDD Relevance: 9.0, APIs: 6, Instructions: 49
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000BDF8

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BE47
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BE56
CloseHandle.KERNEL32(?), ref: 1000BE60
Sleep.KERNEL32(00002710), ref: 1000BE6B
CloseHandle.KERNEL32(?), ref: 1000BE7A

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
String ID:
API String ID: 3243752880-0
Opcode ID: 6a0ff8178f114081aaf7592776aff84cfed35b2bf825fcab4e17160426ab56ff
Instruction ID: e824f486e2537cd13a86d57df264f215c657a490cf5d40ca5208cd8ad212e3ab
Opcode Fuzzy Hash: 6a0ff8178f114081aaf7592776aff84cfed35b2bf825fcab4e17160426ab56ff
Instruction Fuzzy Hash: 0411AD74A44208FBFB14DFE0CC9AFEDB774EB44711F204594FB0A9A2D0CA705A918B95

Function 1000CB08 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97sleepCOMMON

Download Yara Rule

APIs

#823.MFC42(00080000), ref: 1000CB24
memset.MSVCRT ref: 1000CBD2
Sleep.KERNEL32(000927C0), ref: 1000CC09
#825.MFC42(?), ref: 1000CD04

Strings

http://107.163.56.240:18963/main.php, xrefs: 1000CBAF

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823#825Sleepmemset
String ID: http://107.163.56.240:18963/main.php
API String ID: 2572778719-1318255662
Opcode ID: acbbfa64ae11711acb8ff895134c0af02f270cb241f4b5795af60caf59695e56
Instruction ID: 429b0773a4c3d1b02e34b297521fc6122dc1132d314c56436c72c70d9b7a86b4
Opcode Fuzzy Hash: acbbfa64ae11711acb8ff895134c0af02f270cb241f4b5795af60caf59695e56
Instruction Fuzzy Hash: E33194B5D00618ABEB14CB94CC91BDEB7B5EB58301F1045E8E508A7280EB756B848F91

Function 10008F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008F76

Strings

C:\Users\user\Desktop, xrefs: 10008F23
search, xrefs: 10008FD6
%s\lang.ini, xrefs: 10008F28
http://, xrefs: 10008FBD

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-4017829776
Opcode ID: be59e332c173b8a5ceace86f63752d4cd59112b78e0c4a578100695009e00cb7
Instruction ID: 60212f5056ad82ff0ae5ea45a156ac378cfaaf25f5a26cee64a353fcc168191f
Opcode Fuzzy Hash: be59e332c173b8a5ceace86f63752d4cd59112b78e0c4a578100695009e00cb7
Instruction Fuzzy Hash: 9D21C8759042097BEB60C674DC02FDB7369EB24380F5045B4BB88E6185EBB5FB848B95

Function 10008E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008E96

Strings

%s\lang.ini, xrefs: 10008E48
C:\Users\user\Desktop, xrefs: 10008E43
http://, xrefs: 10008EDD

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-989879249
Opcode ID: e8b56968c5584ac666961f005e415167df33ef20945c2fef5e91b7dddfcd262a
Instruction ID: 524591cf8a4eee935b205e257a8c60c4d1d170a2f2a088a70314005468ca3b98
Opcode Fuzzy Hash: e8b56968c5584ac666961f005e415167df33ef20945c2fef5e91b7dddfcd262a
Instruction Fuzzy Hash: CD21DAB5D04248B7EB20C664DC41FCB7368DB54790F1045A4FB89A61C5EBB1BBC48F95

Function 1002132A Relevance: 3.8, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10021358
_initterm.MSVCRT ref: 10021383
free.MSVCRT ref: 100213C0

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _inittermfreemalloc
String ID:
API String ID: 1678931842-0
Opcode ID: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction ID: a13e4d924212a13dcf2931888b3098d0df1cffd824a8125765e678fcc9b3a535
Opcode Fuzzy Hash: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction Fuzzy Hash: 4D114C366646B1EBF314DF61EC84AC937E6FB64359BB14019E804D65A0F731AD828B50

Function 10009751 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 100097B3

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10009773

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 483802873-1918919809
Opcode ID: eb5feb71ccd3ee4712878d6671d16c7788954ce60b86c6be03ef3b7bbb10802f
Instruction ID: aa3042b00974eb3661dab9a980acd1570a60d3873d689b260169291dcc9804a7
Opcode Fuzzy Hash: eb5feb71ccd3ee4712878d6671d16c7788954ce60b86c6be03ef3b7bbb10802f
Instruction Fuzzy Hash: 271121F9D00208EBEB20DB50CC46B8D73B4DB44380F2181A5F6087B285EA75BA948B99

Function 100043BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76910000,00000000), ref: 100043D4

Strings

Q2xvc2VXaW5kb3c=, xrefs: 100043C0

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: Q2xvc2VXaW5kb3c=
API String ID: 190572456-2652562148
Opcode ID: fbc0b191b7f26a15644bc567497c0b691dff815fb9515091f55041d4ba3a90e7
Instruction ID: 86b06878a34977032f00de5cded76d8bf0c7f73d773c853c7e08730fcfccc261
Opcode Fuzzy Hash: fbc0b191b7f26a15644bc567497c0b691dff815fb9515091f55041d4ba3a90e7
Instruction Fuzzy Hash: 50C08CF580021C6FF600EBE4ADCAE423BACE70C2997100022FB0DC2216EB32A05186A2

Function 100024A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E890000,00000000), ref: 100024BE

Strings

TmV0TG9jYWxHcm91cEVudW0=, xrefs: 100024AA

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEVudW0=
API String ID: 190572456-980335172
Opcode ID: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction ID: 94a68914744b6255420893e6e3bedd0a82bd00ad7f141df6458ff9631ea00634
Opcode Fuzzy Hash: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction Fuzzy Hash: 1EC080F540061C6FF200D7D8ACC5E41379CD3482997100011F60DC2211D53160414652

Function 100024D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E890000,00000000), ref: 100024EC

Strings

TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=, xrefs: 100024D8

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
API String ID: 190572456-3430808999
Opcode ID: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction ID: 0e6cf0e7949062256b1582b677e2dc4b335822ba4defa2ba0336d22a514f21fc
Opcode Fuzzy Hash: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction Fuzzy Hash: 38C080F5C0061C6FF300D7D4ACC9D4137DCD3081997100011F70DC2211D73160414652

Function 1000255F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(6E890000,00000000), ref: 10002576

Strings

TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 10002562

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0QXBpQnVmZmVyRnJlZQ==
API String ID: 190572456-3244026974
Opcode ID: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction ID: ff91b108fad4cc851aac3f9e389e9e2a63f3c8257eb8f5e683f791925ec63412
Opcode Fuzzy Hash: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction Fuzzy Hash: 21C08CF680161CAFF200DBE4ACCAE823BACD3082A97110022F60EC3212E631B041C662

Function 1000258D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76210000,00000000), ref: 100025A4

Strings

R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==, xrefs: 10002590

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==
API String ID: 190572456-3292411561
Opcode ID: 1d48e16200f9b9f298709b5dcea94d537105a9f624fa3b7e2dd664796b368c7d
Instruction ID: c4aeed86ffe8b449379c60583828ab32e035c01f2a5dfc01b8ce5ea512c12cf6
Opcode Fuzzy Hash: 1d48e16200f9b9f298709b5dcea94d537105a9f624fa3b7e2dd664796b368c7d
Instruction Fuzzy Hash: A5C08CF580026CAFF700DBE4ACCAE4237ACF30829D7100022FA0AC3212E721A44186A2

Function 1000172D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76210000,00000000), ref: 10001744

Strings

U2V0RXJyb3JNb2Rl, xrefs: 10001730

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: U2V0RXJyb3JNb2Rl
API String ID: 190572456-495186574
Opcode ID: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction ID: b616446aa3eae8f0e246bd7a0e97171c4ab2d65e5c8aa983a289ca1212d1c33e
Opcode Fuzzy Hash: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction Fuzzy Hash: A6C08CF980021CABF300DBE4ACC6E46379CF30C19D7A00423F60AC2612EB31B40287A3

Function 1000EAE6 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0036EE80), ref: 1000EBD3

Strings

C:\Program Files, xrefs: 1000EAF9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
Instruction ID: c4e0b3600881029edc50d20150f75f5e2cc0ea145c3db068fc966fb5d715c26f
Opcode Fuzzy Hash: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
Instruction Fuzzy Hash: DB314BB4D04298DBEB10CFA4C9816DEBBB0FB08344F248499D806B7346D37AAE46DB55

Function 1000C850 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

#823.MFC42(00080000), ref: 1000C876
#825.MFC42(?), ref: 1000CAF2

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 7b8ac957c4a45fc797a56a2677b6c3882f9c60299251e7c3e3f2cf62597eda0c
Instruction ID: 685721609b17bb59bb0200793409624f877a09b7d039660f7f8e8104571038be
Opcode Fuzzy Hash: 7b8ac957c4a45fc797a56a2677b6c3882f9c60299251e7c3e3f2cf62597eda0c
Instruction Fuzzy Hash: BE019AF4908208DBDB21DF25D9417CDB7B0FB54301F2081E9E84CA6240D739AA418F82

Function 100086C0 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 100086CA
inet_addr.WS2_32(?), ref: 100086D7

Part of subcall function 10004733: gethostbyname.WS2_32(?), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: inet_addr$gethostbyname
String ID:
API String ID: 2998999989-0
Opcode ID: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction ID: 7e645cfb302764e8d8533147197651d5e6009befd3d72f555b77b30a82d9c00f
Opcode Fuzzy Hash: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction Fuzzy Hash: 93F0D0B9A14208EFDB10DFA4C48898DBBB4FB48251F208595ED4997309D735EB51DF50

Function 1000CADC Relevance: 2.6, APIs: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000CBD2
Sleep.KERNEL32(000927C0), ref: 1000CC09

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepmemset
String ID:
API String ID: 372663169-0
Opcode ID: 0ab38272a91549f576ac17ab2c512e6e9acd47cd8a03a98e8a59e12e5518c522
Instruction ID: 949e9c8c70bcfcc1ed46dff2bccf33c34e7ffbed40eb94d20269bd04a1ee5497
Opcode Fuzzy Hash: 0ab38272a91549f576ac17ab2c512e6e9acd47cd8a03a98e8a59e12e5518c522
Instruction Fuzzy Hash: 4A21F972D0020CABEB14C7A4CC95BEF7375EB44340F144AE8E61496185EBB16F84CF90

Function 10005A8D Relevance: 1.5, APIs: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10005AB4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction ID: 4cfd926ed5ee4b74160d84ed1ccf0fcb76e3c9c35cbabeff5299be230ac46b6e
Opcode Fuzzy Hash: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction Fuzzy Hash: 5CE0FEB6214109AB8B44CF8DD890DEB77EDAB8C654B158248BA1DD3254D634E8518BA4

Function 10005B51 Relevance: 1.5, APIs: 1, Instructions: 15registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction ID: 003bc1bca6d8c776606440d32dd4298a63b416cb58658e6586ac9de98fafa826
Opcode Fuzzy Hash: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction Fuzzy Hash: 20D092B221420DAB8B04CF88D880CDB37EDAB8C610B008108FA0DC3200C630E9518BA0

Function 10004D54 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction ID: 01f520d78d0293c333997eaa499525b6bf33e0a14dea869d1b4eebbdcbea7866
Opcode Fuzzy Hash: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction Fuzzy Hash: E4D092B221020DAB8B04CF88D884C9B77ADAB8C600B008108BA0DC3210C630E951CBA0

Function 10005784 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10005793

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction ID: ceb44158fe26a4df53ddd6796a7450bcc70568043160c05e16c1b80753528501
Opcode Fuzzy Hash: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction Fuzzy Hash: 64C04C7A11420CABCB04DFD8DC84CAB77EDAB8C610B14C508FA1D87200DA31F9118BA4

Function 10004CAD Relevance: 1.5, APIs: 1, Instructions: 11synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction ID: 7a9713bbb07ef6c8d943612d259fbcec43348370ec0d3c79817316860ce7ebf9
Opcode Fuzzy Hash: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction Fuzzy Hash: ABC04C7611424CABCB04DFD8DC84CAB37ADFB8C610B148548FA1D87200C730F9119BA4

Function 10005C20 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(?,?), ref: 10005C2B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: c79bdcad5e10c768a08032ba641c64ddcb979c0910df32a7b8fa983ae43e6ce7
Instruction ID: 0bb13c6bd5e1f785d1e646858d06fe0d6ff5ed3b3de7d82a9b6b4d9c5b6da0f5
Opcode Fuzzy Hash: c79bdcad5e10c768a08032ba641c64ddcb979c0910df32a7b8fa983ae43e6ce7
Instruction Fuzzy Hash: A9C0927611420CAFCB44EFD8D884C9A7BACEB5C610B008015FA098B200CB32F910CBA0

Function 10005C35 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(?,?), ref: 10005C40

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 5719e2930ea7f0706ad915643aa64af8f4188bc628acbc2e8ca6497f3c28941c
Instruction ID: 73a06e9c4e2301444ffdfcdd7f424da4889f6d9468e2cbe3174ce95ed40330bc
Opcode Fuzzy Hash: 5719e2930ea7f0706ad915643aa64af8f4188bc628acbc2e8ca6497f3c28941c
Instruction Fuzzy Hash: B4C0927611420CAFCB44EFD8D884C9A77ACFB5C610B408405FA0A87200CB31F910CBA0

Function 100015AD Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(04E61050,?,100015AB), ref: 100015B6

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction ID: aa9e6f373e50f86635e89be718cfcb74191758a12ce1f5a61408757a6cf1a103
Opcode Fuzzy Hash: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction Fuzzy Hash: C4B0927240432C9FE600DBE89CC9C1237ACB3086093A00452E90AC3A21D730A402CA96

Function 100015ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035BD160,?,100015EB), ref: 100015F6

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction ID: 29f41251ce689b307b62650387fb13a5c84ed48d826cf923518eb1e266bdb45f
Opcode Fuzzy Hash: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction Fuzzy Hash: EAB0927240432D9BE700DBE89CCAC0137ACA7086087604412E909C3A21D630A4428B52

Function 1000164D Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035BA148,?,1000164B), ref: 10001656

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction ID: ba1e3f7c76a82d39c198cdf2c2322580641102d8f53e3edecd95e5ced58cbd87
Opcode Fuzzy Hash: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction Fuzzy Hash: B8B0927244432C9BE600DBE99CC8C0137ACE608A083604412E90A83A21D630A4428F92

Function 100016ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035B5120,?,100016EB), ref: 100016F6

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction ID: ceafc5a161691708641d67a93fab1652c5b609e1f825db1f72d2572ab5d16a00
Opcode Fuzzy Hash: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction Fuzzy Hash: DDB0927240432C9BF600DBE89CC8D1677ACB6086083604822E909D3A21D630A4428B92

Function 10005304 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 8fbd92a01ea9a44224101bdf60dc518226490cae3da14b9b4e0f38dd0ac429c9
Instruction ID: 6f4f072259eb8095dc5d08f605961f37381177791d3a9d26a151bb050024273c
Opcode Fuzzy Hash: 8fbd92a01ea9a44224101bdf60dc518226490cae3da14b9b4e0f38dd0ac429c9
Instruction Fuzzy Hash: 87B0123100030C97CA005BD8D848CC537DC964C5007004001F50CC3100CA30F4004690

Function 10004733 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(?), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction ID: ed7e62d2018f1f5fe489a5e2af283e66eb16d0056b782be615d6e68807e7cafe
Opcode Fuzzy Hash: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction Fuzzy Hash: 1EB0123140030C97CA005BE8D84CC95779CD6085047000400F50C83500C631F4004A90

Function 10005812 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(1000EBB8,?,1000EBB8,1002B35C), ref: 10005819

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction ID: 70a1fadde607be084ccef56658dda61e356474f6f706b475b9c53b19a0d7fe5b
Opcode Fuzzy Hash: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction Fuzzy Hash: 0FB0123100030C97CA005BD8D848C8577DC970C6407408000F60C83101CA70F4004AD0

Function 10005ABC Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 10005AC3

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction ID: d309ecb02fbcf521f446e64dffd2c407881538d3ff2428412e6fd22df4654e57
Opcode Fuzzy Hash: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction Fuzzy Hash: A5B0123200430C97CA005BD8D848CC5379CD60C5007000051F50CC3100C730F4004A90

Function 10011A40 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10011A5B

Part of subcall function 10011C72: sprintf.MSVCRT ref: 10011C8E
Part of subcall function 10011C72: CreateFileA.KERNEL32(1002A58C,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4

Part of subcall function 10011E80: memset.MSVCRT ref: 10011E9A
Part of subcall function 10011E80: memset.MSVCRT ref: 10011EB0
Part of subcall function 10011E80: Netbios.NETAPI32(00000037), ref: 10011EDB

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CreateFileNetbiossprintf
String ID:
API String ID: 2265170204-0
Opcode ID: c2146fda8afad930eb0fbb96289ca3ab1943110991f6b43724a83040010b82d0
Instruction ID: dceb83b943926abd5faf33fd0d5094280e9a27f0c6a434b0c500408138b30427
Opcode Fuzzy Hash: c2146fda8afad930eb0fbb96289ca3ab1943110991f6b43724a83040010b82d0
Instruction Fuzzy Hash: 99E09A74A04208FBCB08DBD4ED52B9EB7B8DF00340F1000A9F9056B381DAB2EF009AD4

Non-executed Functions

Function 1000D7E3 Relevance: 94.9, APIs: 40, Strings: 14, Instructions: 414stringsleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D856
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D86A
strrchr.MSVCRT ref: 1000D879
strcat.MSVCRT(00000000,\ReadMe.txt), ref: 1000D891
strrchr.MSVCRT ref: 1000D8A2

Part of subcall function 10005EBA: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
Part of subcall function 10005EBA: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
Part of subcall function 10005EBA: CloseHandle.KERNEL32(?), ref: 10005F29

CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658), ref: 1000D8E2
GetLastError.KERNEL32 ref: 1000D8EE
ReleaseMutex.KERNEL32(?), ref: 1000D916
CloseHandle.KERNEL32(?), ref: 1000D923
ReleaseMutex.KERNEL32(?), ref: 1000D952
CloseHandle.KERNEL32(?), ref: 1000D95F
GetTickCount.KERNEL32 ref: 1000DA2C
srand.MSVCRT ref: 1000DA33
rand.MSVCRT ref: 1000DA3C
rand.MSVCRT ref: 1000DAAA
Sleep.KERNEL32(00000064), ref: 1000DAE5
SetFileAttributesA.KERNEL32(c:\,00000002), ref: 1000DAF4
wsprintfA.USER32 ref: 1000DB0D
strcpy.MSVCRT(00000000,c:\), ref: 1000DB24

Part of subcall function 1000D747: GetTickCount.KERNEL32 ref: 1000D75F
Part of subcall function 1000D747: srand.MSVCRT ref: 1000D766
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D76F
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D7BA

strcat.MSVCRT(00000000,1002B1A8), ref: 1000DB71
strcat.MSVCRT(00000000,00000000), ref: 1000DB87

Part of subcall function 10004DC0: CreateDirectoryA.KERNEL32(?,?), ref: 10004DCB

Sleep.KERNEL32(00000064), ref: 1000DBA2
memset.MSVCRT ref: 1000DBB3
strcat.MSVCRT(00000000,1002B1AC), ref: 1000DBD8
strcat.MSVCRT(00000000,00000000), ref: 1000DBEE
strcat.MSVCRT(00000000,.txt), ref: 1000DC02
MoveFileA.KERNEL32(00000000,00000000), ref: 1000DC18
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000DC41

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

___crtGetLocaleInfoEx.LIBCMTD ref: 1000DC5C

Part of subcall function 1000556F: SetFilePointer.KERNEL32(?,?,?,?), ref: 10005582

Part of subcall function 10005434: CloseHandle.KERNEL32(10008EDA,?,10008EDA,000000FF), ref: 1000543B

Part of subcall function 10005558: GetModuleFileNameA.KERNEL32(?,?,?), ref: 10005567

rand.MSVCRT ref: 1000DC89
rand.MSVCRT ref: 1000DC9B
rand.MSVCRT ref: 1000DCAD
rand.MSVCRT ref: 1000DCBF
rand.MSVCRT ref: 1000DCD1
rand.MSVCRT ref: 1000DCE3
rand.MSVCRT ref: 1000DCF5
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000DD32

Part of subcall function 10005BF2: CopyFileA.KERNEL32(?,?,?), ref: 10005C01

Sleep.KERNEL32(00001388), ref: 1000DD55
memset.MSVCRT ref: 1000DD66

Part of subcall function 10005650: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1000567B

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

___crtGetTimeFormatEx.LIBCMTD ref: 1000DDD2

Part of subcall function 10004FB3: ShellExecuteA.SHELL32(?,?,?,?,?,?), ref: 10004FCE

Strings

123, xrefs: 1000D995
c:\windows\system32, xrefs: 1000DDC2
.txt, xrefs: 1000DBF6
SeDebugPrivilege, xrefs: 1000D8CC
%s\ReadMe.txt, xrefs: 1000DB01
c:\, xrefs: 1000DAD4, 1000DADA
SeDebugPrivilege, xrefs: 1000D7F0
%s\%c%c%c%c%c%c%c.exe, xrefs: 1000DD0E
c:\wiseman.exe, xrefs: 1000DDC9
c:\wiseman.exe, xrefs: 1000DDAF
M107.163.56.251:6658, xrefs: 1000D8D9
launch, xrefs: 1000DD9B
\ReadMe.txt, xrefs: 1000D885
3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000DA1E

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$File$strcat$Create$CloseHandle$ModuleMutexNameProcessSleep$CountMoveReleaseTickTimerToken___crtmemsetsrandstrrchr$AdjustAttributesConcurrency::details::platform::__CopyCurrentDirectoryErrorExecuteExistsFormatInfoLastLocaleLookupOpenPathPointerPrivilegePrivilegesQueueShellTimeValuestrcpywsprintf
String ID: %s\%c%c%c%c%c%c%c.exe$%s\ReadMe.txt$.txt$123$3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6$M107.163.56.251:6658$SeDebugPrivilege$SeDebugPrivilege$\ReadMe.txt$c:\$c:\windows\system32$c:\wiseman.exe$c:\wiseman.exe$launch
API String ID: 3236665404-1954381778
Opcode ID: 0235b30a242fd5ab16e1043b2bc7538f144aa901745be82676132c2d51d67447
Instruction ID: e7302aca530db56d1bf951a45ff3e4a786c1631362df480cdb7b9b2581457961
Opcode Fuzzy Hash: 0235b30a242fd5ab16e1043b2bc7538f144aa901745be82676132c2d51d67447
Instruction Fuzzy Hash: 12F1F5B1D00218ABFB20DB60CC96FDA7775EB54301F4045E9F709A6181EBB66B948F61

Function 1000ABAC Relevance: 63.2, APIs: 30, Strings: 6, Instructions: 244stringserviceCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,%SystemRoot%\System32\svchost.exe -k ), ref: 1000AC15
strcat.MSVCRT(00000000,?), ref: 1000AC28
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AC57
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AC9E
GetLastError.KERNEL32 ref: 1000ACB3
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 1000ACD0

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000AD01
Description, xrefs: 1000AD42
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 1000AD6E
ServiceDll, xrefs: 1000ADD8
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 1000AE3B
%SystemRoot%\System32\svchost.exe -k , xrefs: 1000AC09

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: OpenService$CreateErrorLastManagerstrcatstrcpy
String ID: %SystemRoot%\System32\svchost.exe -k $Description$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
API String ID: 3669142371-1103248599
Opcode ID: 5c13c71c337be80de3d840d7aab63fb83c02d258e9b5f7618cfc789c79587f82
Instruction ID: fc4fc097f2df58436204c54070e46900803d4f9edc1039ca72ef93cdf2176969
Opcode Fuzzy Hash: 5c13c71c337be80de3d840d7aab63fb83c02d258e9b5f7618cfc789c79587f82
Instruction Fuzzy Hash: 51A11EB5900218BBEB25DF90DC89FEE7778EB48740F504598F609A6281D774AA85CFA0

Function 10009A63 Relevance: 59.8, APIs: 31, Strings: 3, Instructions: 328timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10009AC7
wsprintfA.USER32 ref: 10009ADF
#823.MFC42(0007D000), ref: 10009AED
memset.MSVCRT ref: 10009B1B

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009B7E
GetLastError.KERNEL32 ref: 10009BA1

Strings

http://%s.qzone.qq.com/main, xrefs: 10009AD3
title, xrefs: 10009D7E
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)), xrefs: 10009B35

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823ErrorFormatInternetLastOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))$http://%s.qzone.qq.com/main$title
API String ID: 1752605775-1009673476
Opcode ID: df42a7da8a064cd1591ccfeb0502388bbfbf0244ee67ec4934a2b18df466e76d
Instruction ID: 75add62b751d2a89d33563ab18894b4b61e0b6b77b5213ad1a6e48b09e06675d
Opcode Fuzzy Hash: df42a7da8a064cd1591ccfeb0502388bbfbf0244ee67ec4934a2b18df466e76d
Instruction Fuzzy Hash: 6DE106B4D04268EFEB24CB64CC85BEEB7B4EB59300F1041D9E609A7280DB716E85CF91

Function 10006322 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 299memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100060BF: CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE

Part of subcall function 10005F3C: GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
Part of subcall function 10005F3C: HeapAlloc.KERNEL32(00000000), ref: 10005F56

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 100063BB

Strings

Handle: %d .... FileName: %s, xrefs: 100065A3
Process:%d Handle: %d ..%s.. FileName: %s, xrefs: 100066A1
c:\am.log, xrefs: 100066A6
c:\am.log, xrefs: 10006748
Not found File: %s , xrefs: 10006796
Not found File %s , xrefs: 100063C5
Close Files Handle....Failure, xrefs: 10006743
c:\am.log, xrefs: 10006734
Close Files Handle....Success, xrefs: 1000672F

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocCreateFileFree
String ID: Close Files Handle....Failure$Close Files Handle....Success$Handle: %d .... FileName: %s$Not found File %s $Not found File: %s $Process:%d Handle: %d ..%s.. FileName: %s$c:\am.log$c:\am.log$c:\am.log
API String ID: 372207633-2461064422
Opcode ID: 6ce44b6b33b4ed7e152c2d812be646d406dbd63e22057cdadb93f1818757c89b
Instruction ID: 645c5e70bbac33feba3ad968f02ee579f9001a7514e99284e2577437101ece5e
Opcode Fuzzy Hash: 6ce44b6b33b4ed7e152c2d812be646d406dbd63e22057cdadb93f1818757c89b
Instruction Fuzzy Hash: 63C141B4900228AFEB24CB54CC86FD9B3B5EB58344F2085D8F609A7245DB75AED5CF90

Function 1000949C Relevance: 52.6, APIs: 3, Strings: 27, Instructions: 95timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009517

Part of subcall function 10004D73: InternetOpenUrlA.WININET(80000100,00000000,00000000,1000C5CB,00000000,100097B8), ref: 10004D8E

memset.MSVCRT ref: 1000953C
___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

Part of subcall function 10004D96: InternetReadFile.WININET(00000400,?,00000000,100096E3), ref: 10004DA9

Part of subcall function 10004DB1: InternetCloseHandle.WININET(100097ED), ref: 10004DB8

Strings

y, xrefs: 100095F0
g, xrefs: 100095A0
e, xrefs: 100095F4
, xrefs: 100095C8
s, xrefs: 100095E0
t, xrefs: 100095C4
l, xrefs: 100095E8
, xrefs: 100095A8
p, xrefs: 100095E4
o, xrefs: 100095C0
P, xrefs: 10009598
c, xrefs: 100095AC
, xrefs: 100095B8
b, xrefs: 100095CC
i, xrefs: 100095DC
a, xrefs: 100095B0
d, xrefs: 100095F8
n, xrefs: 100095B4
d, xrefs: 100095D8
, xrefs: 100095D4
!, xrefs: 100095FC
http, xrefs: 100094E1
e, xrefs: 100095D0
a, xrefs: 100095EC
e, xrefs: 100095A4
n, xrefs: 100095BC
a, xrefs: 1000959C

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$Open___crt$CloseFileFormatHandleInfoLocaleReadTimememset
String ID: $ $ $ $!$P$a$a$a$b$c$d$d$e$e$e$g$http$i$l$n$n$o$p$s$t$y
API String ID: 484075888-3281237192
Opcode ID: 0a9ca274ce27384664171720c3d0a0c8cf77017a6a307f0792e7257b5eaf6b42
Instruction ID: 2007758cba872cfcd8f6e98331750ef100b8103267b94e19ec89753a2b5b510a
Opcode Fuzzy Hash: 0a9ca274ce27384664171720c3d0a0c8cf77017a6a307f0792e7257b5eaf6b42
Instruction Fuzzy Hash: 10413174D043C8EAFB11C6A8CC097DEBEB55B15744F0440D9D5882A282D7FA5798CBB6

Function 1000F200 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 277sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 1000F281
GetTickCount.KERNEL32 ref: 1000F2A2
GetTickCount.KERNEL32 ref: 1000F2B5
GetTickCount.KERNEL32 ref: 1000F2C8
GetTickCount.KERNEL32 ref: 1000F2DB
GetTickCount.KERNEL32 ref: 1000F2EE
GetTickCount.KERNEL32 ref: 1000F301
GetTickCount.KERNEL32 ref: 1000F314
Sleep.KERNEL32(000003E8), ref: 1000F345
GetTickCount.KERNEL32 ref: 1000F373
GetTickCount.KERNEL32 ref: 1000F386
GetTickCount.KERNEL32 ref: 1000F399
GetTickCount.KERNEL32 ref: 1000F3AC
GetTickCount.KERNEL32 ref: 1000F3BF
DeleteFileA.KERNEL32(?), ref: 1000F44E
DeleteFileA.KERNEL32(?), ref: 1000F4C1
Sleep.KERNEL32(000493E0), ref: 1000F5B8

Strings

%s\%c%c%c%c.%c%c%c, xrefs: 1000F32C
C:\Users\user\Desktop, xrefs: 1000F327, 1000F3D2
QVlSVFNydi5heWU=, xrefs: 1000F243
InstallPath, xrefs: 1000F524
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F529
QVNEU3ZjLmV4ZQ==, xrefs: 1000F230
RootDir, xrefs: 1000F556
U09GVFdBUkVcRVNUc29mdFxBTFlhYw==, xrefs: 1000F55B
%c%c%c%c%c, xrefs: 1000F3D7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$Sleep$DeleteFile
String ID: %c%c%c%c%c$%s\%c%c%c%c.%c%c%c$C:\Users\user\Desktop$InstallPath$QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$RootDir$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==$U09GVFdBUkVcRVNUc29mdFxBTFlhYw==
API String ID: 1805227871-1336997999
Opcode ID: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
Instruction ID: 6bdac8f9476eec08e9e208a458106ac04ec5b4e33c9511cad80c78820eb665b7
Opcode Fuzzy Hash: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
Instruction Fuzzy Hash: 5FA1E9F1D00218ABFB15DB60CC85FEE76B6EB88311F4481A9F709B6285DB786B41CB51

Function 1000D49E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000D4E0

Strings

.txt, xrefs: 1000D689

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID: .txt
API String ID: 39653677-2195685702
Opcode ID: 4158fc3c552c573925d56d904931f4c6c622d20769b94d695b61d8a0ceb33920
Instruction ID: da2023ba958a437e8159f0edfaac4ee8086fbd0d10ec377c4abfad880adb4c2a
Opcode Fuzzy Hash: 4158fc3c552c573925d56d904931f4c6c622d20769b94d695b61d8a0ceb33920
Instruction Fuzzy Hash: AD71B3B5C04218EBDB25EFA0DC85BEEB7B8FB18341F408599F91996144E735AB84CF60

Function 10007DDE Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

#823.MFC42(00000004), ref: 10007E36
#823.MFC42(00000000), ref: 10007E5A
#823.MFC42(00000000), ref: 10007E8B
strrchr.MSVCRT ref: 10007EA5
strncpy.MSVCRT ref: 10007EBF
strncpy.MSVCRT ref: 10007ED3
GetSystemInfo.KERNEL32(?), ref: 10007EE0
GetCurrentProcess.KERNEL32(00000020,?), ref: 10007EFE
OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 10007F16
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
CloseHandle.KERNEL32(?), ref: 10007F50
strlen.MSVCRT ref: 10007F5B
sscanf.MSVCRT ref: 10007F7C

Strings

C:\Users\user\Desktop, xrefs: 10007EA0
SeDebugPrivilege, xrefs: 10007F0F
%[^, xrefs: 10007F72
etc\hosts, xrefs: 10007F56, 10007F77

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
String ID: %[^$C:\Users\user\Desktop$SeDebugPrivilege$etc\hosts
API String ID: 1460262115-236331588
Opcode ID: 287b0fb3bef6307d023093b803194b5ad108c20d71a950418e2c80ed23f0cce9
Instruction ID: 328226fcebd27085c81d03e9fdf447683c520cb5a300c2c2c943bb7813867aca
Opcode Fuzzy Hash: 287b0fb3bef6307d023093b803194b5ad108c20d71a950418e2c80ed23f0cce9
Instruction Fuzzy Hash: ED4118B5900628AFE704DFD4DDC9F9A7BB4FB48304F244119EA04A7290E7B5B586CF91

Function 10008C6A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10008CA2
GetVersionExA.KERNEL32(0000009C), ref: 10008CBB
strcpy.MSVCRT(00000000,1002A5F8), ref: 10008CDD
strcpy.MSVCRT(00000000,2000), ref: 10008D0A
strcpy.MSVCRT(00000000,1002A604), ref: 10008D37
strcpy.MSVCRT(00000000,2003), ref: 10008D64
strcpy.MSVCRT(00000000,Vista), ref: 10008D91
strcpy.MSVCRT(00000000,2008), ref: 10008DBE
strcpy.MSVCRT(00000000,1002A620), ref: 10008DEB
sprintf.MSVCRT ref: 10008E0F

Strings

Win %s SP%d, xrefs: 10008E06
Vista, xrefs: 10008D85
2000, xrefs: 10008CFE
2003, xrefs: 10008D58
2008, xrefs: 10008DB2

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcpy$Versionmemsetsprintf
String ID: 2000$2003$2008$Vista$Win %s SP%d
API String ID: 313931894-2264339393
Opcode ID: c871da8b4224639a2c4a07db153a9c7c04906b4bc4e0741e778789702d27a4ab
Instruction ID: 77eacedbfa7f7fe8781faf61d33db6b13d9c70aa213e0c00e07d5b6916aea476
Opcode Fuzzy Hash: c871da8b4224639a2c4a07db153a9c7c04906b4bc4e0741e778789702d27a4ab
Instruction Fuzzy Hash: 5F414CB5C00259EBEF24CB50EC4ABCDB7B4FB25345F4085EAE28862185DB755BC88F91

Function 10018642 Relevance: 23.4, APIs: 9, Strings: 4, Instructions: 609COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C), ref: 100186C5

Strings

/..\, xrefs: 100189AF
\..\, xrefs: 1001891F
\../, xrefs: 1001894D
/../, xrefs: 1001897E

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 54254cec3bb9aa7e4e6a4f77c432ff3cd13cf8b070c93ffbfd037efda66e7047
Instruction ID: 9a1aa32fb16f76f9e15c91fcc0f4f4f6e0de75efd59efe9036ad9dbbfd9191c7
Opcode Fuzzy Hash: 54254cec3bb9aa7e4e6a4f77c432ff3cd13cf8b070c93ffbfd037efda66e7047
Instruction Fuzzy Hash: 84521C74E042199FDB29CF68C895BDDB7B1FF49304F2481A9E959AB342D731AA81CF40

Function 1000EBE4 Relevance: 22.7, APIs: 15, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000EC22

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 959cc762f21d2a06c3fc1de09b52fc154b51132b7a62251b0838f0261efc5cde
Instruction ID: 926a6b6b4829fdad5a48eee5d06f223062afaab11e92024be4e075249e096e26
Opcode Fuzzy Hash: 959cc762f21d2a06c3fc1de09b52fc154b51132b7a62251b0838f0261efc5cde
Instruction Fuzzy Hash: B5619EB2C00298ABEB24CFA0DC85BEEB7B8FB04341F108599F519A2154D7359F84CFA0

Function 10006DB7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,?,?), ref: 10006DFE
strcat.MSVCRT(00000000,\*.*,?,?), ref: 10006E12
FindFirstFileA.KERNEL32(00000000,?,?,?,?,?), ref: 10006E28
wsprintfA.USER32 ref: 10006E79
strlen.MSVCRT ref: 10006E86
FindNextFileA.KERNEL32(000000FF,?), ref: 10006F72
FindClose.KERNEL32(000000FF,?,?,?,?), ref: 10006F87

Strings

%s\%s, xrefs: 10006E6D
\*.*, xrefs: 10006E06

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNextstrcatstrcpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 29064205-3247893053
Opcode ID: 724d9eb00308eec8e311615ed7ca1ac577e4ae592cab6987b02540fa00e8feca
Instruction ID: 2440652bd15ff8e6eaa9a308958dcc277bfe13f4e468759e469709181464b455
Opcode Fuzzy Hash: 724d9eb00308eec8e311615ed7ca1ac577e4ae592cab6987b02540fa00e8feca
Instruction Fuzzy Hash: 9E51AAF6900258ABDB14CB94DC84BEE73B9EB58301F1045E9F609A7245DB35AB88CF54

Function 1000AAC4 Relevance: 16.6, APIs: 11, Instructions: 78servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AAD3
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 1000AAF3
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AB1E
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000AB2C
GetLastError.KERNEL32 ref: 1000AB36
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB4C
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB56
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1000AB6B
Sleep.KERNEL32(00000064), ref: 1000AB7D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB8D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB97

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigErrorLastManagerQuerySleepStartStatus
String ID:
API String ID: 3874167810-0
Opcode ID: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction ID: f423053ba5e51ed5b3dfd7871e9b23df293113642488d2f777d942f78633b468
Opcode Fuzzy Hash: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction Fuzzy Hash: 56214A78A00218FBFB10DBE4CCC8F9D77BAEB09761F200345EA05A6186C7749A81DB24

Function 100069DD Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,?), ref: 10006A24
strcat.MSVCRT(00000000,\*.*), ref: 10006A38
FindFirstFileA.KERNEL32(00000000,?), ref: 10006A4E
wsprintfA.USER32 ref: 10006A9F
strlen.MSVCRT ref: 10006AAC
FindNextFileA.KERNEL32(000000FF,?), ref: 10006B2B
FindClose.KERNEL32(000000FF), ref: 10006B40

Strings

\*.*, xrefs: 10006A2C
%s\%s, xrefs: 10006A93

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNextstrcatstrcpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 29064205-3247893053
Opcode ID: e9db2eea1e01d55add302331b1645ede4c934fc5659324ea6fc0bb331de21106
Instruction ID: b1425089a467f23f8ccf7f8da9b04ec626d8d48fdd8cc5af3b7584fd2f615a50
Opcode Fuzzy Hash: e9db2eea1e01d55add302331b1645ede4c934fc5659324ea6fc0bb331de21106
Instruction Fuzzy Hash: 0A41A9F6900118ABDB14CB94DC80BDE77B9EB58301F2485E9F60997245EB35AB88CF50

Function 10005F3C Relevance: 10.6, APIs: 7, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
HeapAlloc.KERNEL32(00000000), ref: 10005F56
NtQuerySystemInformation.NTDLL ref: 10005F79
GetProcessHeap.KERNEL32(00000000,00000000), ref: 10005F91
HeapFree.KERNEL32(00000000), ref: 10005F98

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocFreeInformationQuerySystem
String ID:
API String ID: 722747020-0
Opcode ID: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction ID: 6c64949c2fda0a623aee8140e43d1c032e6d4005dbe1664f83852c3263ea8444
Opcode Fuzzy Hash: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction Fuzzy Hash: 6B110675D04219FFEB00DBE4C948BAEB7B8FB58342F108968EA1693250D7799A81CB50

Function 1000C295 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C2A3
memset.MSVCRT ref: 1000C2DF

Strings

D, xrefs: 1000C3AD

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memsetstrlen
String ID: D
API String ID: 841943882-2746444292
Opcode ID: f150872c957941af90c0fd00824fb1bd501354eaae683e75d774a85db0926a37
Instruction ID: 9d13b316d50dd73b30fc64fb160f47868d1605c9bd796a93d971f2c642a19c96
Opcode Fuzzy Hash: f150872c957941af90c0fd00824fb1bd501354eaae683e75d774a85db0926a37
Instruction Fuzzy Hash: 54415DB190025CABEB50CF50CC56BEB73B8EB45341F404588E60967281EBB66B89CF91

Function 1001F343 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,?,?,?,?,?,1001FCA6), ref: 1001F3BB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 1001F40D

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction ID: 48a290c9093e3f11dd492f44913f2ca40d6bf3ce9a607d2c265816181fa2b1c7
Opcode Fuzzy Hash: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction Fuzzy Hash: 4E5194759002099FDB14CFA8C494BDEBBB5BB48304F24C259E825AB391D775E945CFA0

Function 1001C850 Relevance: 5.3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

no future, xrefs: 1001C93E
wild scan, xrefs: 1001CB1E
insufficient lookahead, xrefs: 1001C911
Code too clever, xrefs: 1001C8B4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Code too clever$insufficient lookahead$no future$wild scan
API String ID: 0-1205821253
Opcode ID: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
Instruction ID: 833f2951eaadcd835606261b93df60c7d4ef739d43d3d893d275862163d02827
Opcode Fuzzy Hash: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
Instruction Fuzzy Hash: F7D10B74E0414A9FCB08CFA8C8949EEBBF2FF89348F1481A8D459AB345D735AA41CF44

Function 1004650D Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

>,>, xrefs: 10046651
3=I=, xrefs: 10046647

Memory Dump Source

Source File: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: >,>$3=I=
API String ID: 0-852727702
Opcode ID: 9ad7fba8db05adb9f1344d643d0d05d40988877c60eaf14e00f53d08940391df
Instruction ID: 6884223eaf920f3fd3e967624f389c183da44054347198388d68b0caf436ab05
Opcode Fuzzy Hash: 9ad7fba8db05adb9f1344d643d0d05d40988877c60eaf14e00f53d08940391df
Instruction Fuzzy Hash: 1551D43545E7D29FC7138F3488A5685BFB1AE1711839A45EFC4C08F863D326949BCB92

Function 1001DD4D Relevance: 1.8, Strings: 1, Instructions: 584COMMON

Download Yara Rule

Strings

K, xrefs: 1001DD67

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction ID: be64ce4ea56ae2ff729ee4095f2c16fd9afa4c64b7be4d3cfcffd6d849276ff5
Opcode Fuzzy Hash: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction Fuzzy Hash: FD325C71A00249AFCB04CF98DC95EEE7B75FF88300F088568F9199F281D675DA68CB95

Function 1001D748 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

K, xrefs: 1001D762

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction ID: 13cd30b145176b83a50ea1d93efe1898842d2fb191c5ff5e9592714297f69bd4
Opcode Fuzzy Hash: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction Fuzzy Hash: 16F15B71A00249AFCB04CF98DC95EEE7B75EF88300F08C568F9199F281D675DA64CBA5

Function 10004804 Relevance: 1.5, APIs: 1, Instructions: 27processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004833

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction ID: dada26caca61fb62188d8dac9e18892904bbd52ffffd674216947e8ac7d19412
Opcode Fuzzy Hash: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction Fuzzy Hash: 3FF048B2214109AF8B48CF8DDC90DEB77EEBB8C614B158208FA1DD3250D630E851CBA4

Function 10004925 Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004954

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateInitialize
String ID:
API String ID: 220217950-0
Opcode ID: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction ID: 90eb217eefec1c1fdc0b769d8b89dca4f8ae21869411f64d3a2a456763029fa7
Opcode Fuzzy Hash: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction Fuzzy Hash: 72F04EB2214149AF8B48CF9DDC90DEB77EDAF8C614B159248FA1DD3250D630E851CBA4

Function 10005FD3 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 10005FFD

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction ID: 577e262fd81ac71086ec76a3c5116955c632cb2abf2027a79d8cb05fcdf68b55
Opcode Fuzzy Hash: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction Fuzzy Hash: F0E01A75A00208BFDB04DF98C881EAFB7B8EB98300F008659FA159B344D670AA10CBD4

Function 100114B0 Relevance: 1.5, APIs: 1, Instructions: 17comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000000,10024578,1000FC00,1002B6A0,00000017,?,?,1000FC00,10024578,00000000,00000017), ref: 100114CC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7772389fc6f766d0a30d4ac0d8d1c9d8a4f5184d327a06e7fe100f837938a5ac
Instruction ID: b63ec98ceaf2e436dc9e91b5981eb5a547416335e9ba9d76a1a5ab58316722bb
Opcode Fuzzy Hash: 7772389fc6f766d0a30d4ac0d8d1c9d8a4f5184d327a06e7fe100f837938a5ac
Instruction Fuzzy Hash: 7BD067B651410CBB8B04CFC9ED44CABB7ACEB4C310B50814DBA0897200D635AA109BA5

Function 10004E1F Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

mouse_event.USER32(?,?,?,?,?), ref: 10004E36

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction ID: cd64bc9c04189baa85cc60a7def0010568bcfbf044096a859e3bd7374a512153
Opcode Fuzzy Hash: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction Fuzzy Hash: 0DD092B221020DAF8B04CF88D884CDB37ADAB8C610B008108BA0DC3200C630E8518BA5

Function 10004E04 Relevance: 1.5, APIs: 1, Instructions: 13keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(?,?,?,?), ref: 10004E17

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction ID: f831d9c8cafff6064600b4124d045f46117a7ffc6ffe7c2727ae22ba67f01528
Opcode Fuzzy Hash: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction Fuzzy Hash: 93D0127600428D7BCF00CFD89C54CEB7BAC5A4C600B048044FA5CC7201C531E410C771

Function 10005238 Relevance: 1.5, APIs: 1, Instructions: 9shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(?,?), ref: 10005243

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction ID: 9a2dd19b8ecf135439890cac36e4a679dfc02a0ed1c5e43b286b51b805b47a2f
Opcode Fuzzy Hash: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction Fuzzy Hash: 52B0927611030CABCB04DFD8DC88CAA37ACAB8CA10B108004FA0D87240CA31F9408BA0

Function 100057EC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(?,?), ref: 100057F7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction ID: 3f99846e5fc03f1cd515f911f6ea334dcbd29f04822414012a5ac230d652ecea
Opcode Fuzzy Hash: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction Fuzzy Hash: A9B0927611030CABCB04DFD9DC84C9A37ECAB8CA10B108004FA0D87200CA31F9008BA0

Function 100058AC Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 100058B7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction ID: 1268fd6e3a6fee96902ddf7f8e53f7d66be35c16e869bb3695433d0dc63322dc
Opcode Fuzzy Hash: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction Fuzzy Hash: 9EB0927611020CABCB18DFDCD884C9A37ECAB8C610B008104FA0D87200CA31F9008BA0

Function 10005BDF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ClearEventLogA.ADVAPI32(?,?), ref: 10005BEA

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClearEvent
String ID:
API String ID: 3812438431-0
Opcode ID: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction ID: 7434daefe77f6d47902705726ab8f34eda02ab0099602c090bfecb55a22fb0ef
Opcode Fuzzy Hash: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction Fuzzy Hash: B2B092B611420CABCB04DFD8D894C9A37ACFB4C614B008005FA0D87200CB31F9008BA0

Function 10004E8E Relevance: 1.5, APIs: 1, Instructions: 9clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 10004E99

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction ID: 00ad4f47f5e7d0ee9b57b808d9b7f0335e52eb5749179ceb83dcd797ee5f95d7
Opcode Fuzzy Hash: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction Fuzzy Hash: DFB092B612160CABEB04DFE8D888C9AB7ACAB4C610B008004FA1D87201CA32F940CBA0

Function 10005000 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

LockResource.KERNEL32(?), ref: 10005007

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LockResource
String ID:
API String ID: 1236514755-0
Opcode ID: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction ID: 29e56bc91a9f9482983e27dc0ed5834eb45bd4535224dddbaac4bf5a93215658
Opcode Fuzzy Hash: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction Fuzzy Hash: EBB0123100030C97CA009BD8DC4CC95379C96089007100000F50C83500C634F4004690

Function 100052CF Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 100052D6

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction ID: 7efb55d811d09cfa6076e2c53c0765dc55be4d0596901329b8c6f4113f5758ef
Opcode Fuzzy Hash: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction Fuzzy Hash: 75B0123140030C9BCB006BD8D848C8537DCA6085007404000F50C83500CB30F40046D4

Function 1000558A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 10005591

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction ID: 3446f4351d0fb0315f265c1257496f9b218a963c1e1e8a386bbfb0b0138b3b89
Opcode Fuzzy Hash: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction Fuzzy Hash: EEB0123100030C97DA005BD8D848C8577DC96086047008001F60CC3101CA30F8014690

Function 10004788 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(?), ref: 1000478F

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction ID: 941f2af9b74db5ebe652a3bc5d90ee6d32c6752af74bb884e1b1cde712639612
Opcode Fuzzy Hash: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction Fuzzy Hash: 80B0123100030C97CF005FE8D84CC85379CA6085007100500F50C83100C630F40046D0

Function 100059A0 Relevance: 1.5, APIs: 1, Instructions: 7serviceCOMMON

Download Yara Rule

APIs

DeleteService.ADVAPI32(?), ref: 100059A7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteService
String ID:
API String ID: 700001626-0
Opcode ID: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction ID: f211721f13ae4b958aaaf00c1e1ea3e1c88187a953ac96f05739ed6fd255fc66
Opcode Fuzzy Hash: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction Fuzzy Hash: 37B0123100030C97CA005BD8D848C8537DC96485407048010F50C83100CA70F40146A1

Function 10004DF5 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(?), ref: 10004DFC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction ID: 3baf6831cd208484881523ebff87dae9b7360ad4edd65dec015b26fc2e4f2711
Opcode Fuzzy Hash: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction Fuzzy Hash: 86B0127100030CA7CB009BD8E84CC85379CB6086047000001F50C83100C730F84046D0

Function 10004F4C Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(?), ref: 10004F53

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction ID: 954e834f1d5633d9c78c7ea24322f83793bd12d053b1b78d752a87b4747b0001
Opcode Fuzzy Hash: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction Fuzzy Hash: 06B0123100030C97CB00DBD8D849C85379CA608544B040400F50D93500C670F40046D1

Function 1001DB5D Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

K, xrefs: 1001DB77

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction ID: 4821ffda97bad3917eb01a0464c429c8a6cf820fb574935c82d8a63edae2efce
Opcode Fuzzy Hash: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction Fuzzy Hash: 25715D31900249AFDB04CF98DC95FEE7B75FF88300F088568FA199B281D675D668CBA5

Function 1001BD60 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad d_code, xrefs: 1001BED4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: bad d_code
API String ID: 0-2582332627
Opcode ID: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
Instruction ID: 2f6b2f45191638f2ae3ba07ee8899200e8ad8888839ee98c0dc0e920f83f02b8
Opcode Fuzzy Hash: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
Instruction Fuzzy Hash: 9B71CE75E00549DBCB04CF99C895AEEBBB2FF8C304F148168E909AB345D735AA91CB94

Function 100150F3 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa14effd66f56fb2ad68d8c3f3fafcd2c43e0f32716675206f0a69f01099257
Instruction ID: 088faa1eed008bce60876dcdc8d515551ea8ecd5600a09dd07154e6a01506fcf
Opcode Fuzzy Hash: 0aa14effd66f56fb2ad68d8c3f3fafcd2c43e0f32716675206f0a69f01099257
Instruction Fuzzy Hash: 60628F74E0520ADFCB08CF98C5909EEBBB2FF88314F248259D815AB355D735AA91CF94

Function 100122E4 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cb14a5374e910596fc5b570488d4db04790213d4fb0f1236439e73328b1b47
Instruction ID: 343714719a1f4e9367ad39c9344e86e2aeab645b661284dda1b7cf89b2300665
Opcode Fuzzy Hash: 11cb14a5374e910596fc5b570488d4db04790213d4fb0f1236439e73328b1b47
Instruction Fuzzy Hash: 815254B8A04209DFCB08CF98C59099DBBB2FF8C314B25C599E819AB355D731EA51CF94

Function 10015B40 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction ID: 34f3d6fbe751ec779d85210cdb32b2997779c4aff4a46c926cb419fb41892b26
Opcode Fuzzy Hash: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction Fuzzy Hash: 06A15F74E05148EFCB08CF99C590A9DFBF2EF88304F28C1A9E859AB355D631AB51DB44

Function 1001E5EC Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction ID: 9283f13a6b71ff4d28867ba0371fcc3830cb864e567d112fffee3ea95ca30d3f
Opcode Fuzzy Hash: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction Fuzzy Hash: 8261F230614549ABDB08CF2DC8916A97BE2EF8D358F55C128E829CF250D739EA91CF80

Function 10015883 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction ID: 3e186bd40632953d342a1ca4b5c669cc8258e70e124af2b7e38ac243e047a4b5
Opcode Fuzzy Hash: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction Fuzzy Hash: 35610331610549AFDB08CF2DC891AA97BE2FF8D354F55C128E929CF350D639EA81CB40

Function 1001A67B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction ID: b646244c15df26bb11706b77c13e2002d061b3e9df5792a36ac078930f46edd7
Opcode Fuzzy Hash: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction Fuzzy Hash: FB51EF38A04149ABCB15CF58C4908EDB7F2FF8C354F25C199E9599B345C630AA92CB80

Function 1000DDEE Relevance: 52.9, APIs: 18, Strings: 12, Instructions: 399COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000DE30
memset.MSVCRT ref: 1000DE46
memset.MSVCRT ref: 1000DE5C

Part of subcall function 10005B51: RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68

Strings

REG_DWORD, xrefs: 1000E2CA
JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E265
[%s], xrefs: 1000E138
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E32C
JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E29A
REG_BINARY, xrefs: 1000E320
JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==, xrefs: 1000E2D6
REG_MULTI_SZ, xrefs: 1000E2F5
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E301
REG_EXPAND_SZ, xrefs: 1000E28E
REG_SZ, xrefs: 1000E259
, xrefs: 1000E1BC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$Open
String ID: $JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 276825008-1418283934
Opcode ID: ec98ebade1561f1425c1c8f5a4c3685ac848fac2ca47b9c19ad8ce6442119a05
Instruction ID: 113f87ce97fe6d344733f2fe9a47c20ccde4d7fba6159d7e819c2bc1bb10b482
Opcode Fuzzy Hash: ec98ebade1561f1425c1c8f5a4c3685ac848fac2ca47b9c19ad8ce6442119a05
Instruction Fuzzy Hash: C5E153B6D002589BEB14DF90DC85FDE77B8EB48340F404199F609B6284E775AE988FA1

Function 1000805F Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 215filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD
memcmp.MSVCRT(00000000,00000000,-00000002), ref: 1000834E

Strings

c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$Filestrcatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryProcessSleepsrandstrcpystrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 809949283-1917988604
Opcode ID: 9029433574a9aa2a1565b1974826fb6086cd3bd462bf571b07ed2398adb41b5d
Instruction ID: 1fc89b949b869141e7d21f023f72e52535fd7918e05709aa5f44e13cd79eb387
Opcode Fuzzy Hash: 9029433574a9aa2a1565b1974826fb6086cd3bd462bf571b07ed2398adb41b5d
Instruction Fuzzy Hash: 8B81A370900218FFEB14CBA8CC85FD9777AFB88304F1485A8E609A7255DB75AB85CF51

Function 1000793B Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 308stringcomCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000797B
CoInitializeEx.OLE32(00000000,00000000), ref: 10007987
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,00000000,?,?,1002174C,000000FF), ref: 100079BE

Part of subcall function 10010360: #823.MFC42(0000000C,00000000,00000000,00000000,?), ref: 10010380

CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
wcscat.MSVCRT ref: 10007A97

Part of subcall function 100102D0: #823.MFC42(0000000C,00000000,00000000,00000000,?), ref: 100102F0

VariantInit.OLEAUT32(?), ref: 10007BAD
VariantInit.OLEAUT32(?), ref: 10007BB7
VariantInit.OLEAUT32(?), ref: 10007BC4
strcpy.MSVCRT(00000000,00000000,?), ref: 10007CA5
_stricmp.MSVCRT(?,svchost.exe), ref: 10007CCB
strcpy.MSVCRT(00000000,00000000,?), ref: 10007D31
StrStrIA.SHLWAPI(?,svchost.exe -k NetworkService), ref: 10007D57
VariantClear.OLEAUT32(?), ref: 10007D76
VariantClear.OLEAUT32(?), ref: 10007D80
CoUninitialize.OLE32 ref: 10007DC2

Strings

Name, xrefs: 10007BDB
svchost.exe, xrefs: 10007CBF
ProcessID, xrefs: 10007C20
WQL, xrefs: 10007ADF
svchost.exe -k NetworkService, xrefs: 10007D4B
SELECT * FROM , xrefs: 10007A6C
CommandLine, xrefs: 10007BFC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$Init$#823ClearInitializestrcpy$BlanketCreateInstanceProxySecurityUninitialize_stricmpmemsetwcscat
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 2580003999-2685825574
Opcode ID: a27bdcd29b8065c43141ce8a458b6b03a60445c7ce070d23bb63bce4bbebcc6b
Instruction ID: 189a79c95d12f2324ed77b7531e52b51722813dc0f720325a82f4d3d448fa42a
Opcode Fuzzy Hash: a27bdcd29b8065c43141ce8a458b6b03a60445c7ce070d23bb63bce4bbebcc6b
Instruction Fuzzy Hash: D7D11879A01228ABDB24DB64CC89BDDB7F4FB48700F1081D9E119A7290DF75AB85CF90

Function 100080A0 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 168filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD

Strings

c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$Filestrcatwsprintf$Create$CloseHandleWritestrchr$DeleteDirectoryMemoryProcessSleepmemcmpsrandstrcpystrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 691396304-1917988604
Opcode ID: 4020c037d5262e72b5114483934564467d3fb651bcb7bf740619452c7b2aa732
Instruction ID: 9b1f3f05a2db119796ee803a315ca48c205a346098eddc4b2f03f44ea683e2e5
Opcode Fuzzy Hash: 4020c037d5262e72b5114483934564467d3fb651bcb7bf740619452c7b2aa732
Instruction Fuzzy Hash: 9C51C370900218BFEB14CBA4CC89FD9777AFB88305F1484A8F309A6291DF796B498F51

Function 1000622A Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 71COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,cmd.exe), ref: 1000623D
GetCurrentProcessId.KERNEL32 ref: 1000625B

Part of subcall function 10005CE2: strcpy.MSVCRT(00000000,00000000), ref: 10005D1A
Part of subcall function 10005CE2: CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95

Strings

%s.%d, xrefs: 100062F5
C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 10006291
cmd.exe, xrefs: 10006247
cmd.exe, xrefs: 10006234
self, xrefs: 10006266
C:\Windows\6C4DA6FB\svchsot.vir, xrefs: 1000629E
C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 100062A3

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateCurrentFileProcessstrcpy
String ID: %s.%d$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.vir$cmd.exe$cmd.exe$self
API String ID: 300836412-3617494418
Opcode ID: 2cd0d02b9790060a8ae0d77817feb3be9d08b7b95a69bdfdf9f3c30ea61bf2ee
Instruction ID: 11dda13007a575690e2789da7b2ac66cc1117108efdf45987319c1011c6ab237
Opcode Fuzzy Hash: 2cd0d02b9790060a8ae0d77817feb3be9d08b7b95a69bdfdf9f3c30ea61bf2ee
Instruction Fuzzy Hash: 9F21D275900214FBFB00EFF4DC8AF9A3769EF1A351F208054FB0996180DF7296A58BA1

Function 1000A948 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 104registryprocessstringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 1000A9C6
_CxxThrowException.MSVCRT(?,10024C88), ref: 1000A9EB
RegQueryValueExA.ADVAPI32(00000000,DLLPath,00000000,00000002,00000000,00000080), ref: 1000AA0A
_CxxThrowException.MSVCRT(1002E0FC,10024C88), ref: 1000AA2F
StrStrIA.SHLWAPI(00000000,mp3), ref: 1000AA40
lstrlenA.KERNEL32(?,00000000), ref: 1000AA50
WinExec.KERNEL32(sc stop RemoteAccess,00000000), ref: 1000AA7A
WinExec.KERNEL32(sc config RemoteAccess start= auto,00000000), ref: 1000AA87
WinExec.KERNEL32(net start RemoteAccess,00000000), ref: 1000AA94
RegCloseKey.ADVAPI32(00000000), ref: 1000AAAD

Strings

DLLPath, xrefs: 1000AA01
DLLPath, xrefs: 1000AA5D
net start RemoteAccess, xrefs: 1000AA8F
mp3, xrefs: 1000AA34
sc config RemoteAccess start= auto, xrefs: 1000AA82
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==, xrefs: 1000A982
sc stop RemoteAccess, xrefs: 1000AA75

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Exec$ExceptionThrow$CloseOpenQueryValuelstrlen
String ID: DLLPath$DLLPath$U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==$mp3$net start RemoteAccess$sc config RemoteAccess start= auto$sc stop RemoteAccess
API String ID: 3413174891-3685978068
Opcode ID: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
Instruction ID: 43c9b28ce93485f090b6302de8d1e2f99a1725c96703827c3c982aa9faeb6eb3
Opcode Fuzzy Hash: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
Instruction Fuzzy Hash: BA418FB5900218BFEB10DFD4DD89FEEBB78EB49740F504158F205B6281DB785A85CBA1

Function 10005CE2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 130stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,00000000), ref: 10005D1A
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005D32
strrchr.MSVCRT ref: 10005D41
CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 10005DBC
time.MSVCRT(00000000), ref: 10005DC4
localtime.MSVCRT(?), ref: 10005DDA
strftime.MSVCRT ref: 10005DF2
vsprintf.MSVCRT ref: 10005E48
sprintf.MSVCRT ref: 10005E75
strlen.MSVCRT ref: 10005E8B
WriteFile.KERNEL32(?,?,00000000,00000000), ref: 10005EA2
CloseHandle.KERNEL32(?), ref: 10005EAF

Strings

%s%s, xrefs: 10005E69
log.txt, xrefs: 10005D68

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerWritelocaltimesprintfstrcpystrftimestrlenstrrchrtimevsprintf
String ID: %s%s$log.txt
API String ID: 1265290787-1489102009
Opcode ID: d61748b6b5bdcbe339032a198d9886948902ba6617b812ff3fefa5a6d07792f4
Instruction ID: 4248ec1d1ae275c58dfadc2bb918cf7de6159c9ba061f12476aacb7595d00ccb
Opcode Fuzzy Hash: d61748b6b5bdcbe339032a198d9886948902ba6617b812ff3fefa5a6d07792f4
Instruction Fuzzy Hash: 29519375D00268EBEB25CB94CC8DBDA7778EB68301F0045D5E709A6280DBB55AC9CF91

Function 1000CD1A Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 209stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10010880: CoInitializeEx.OLE32(00000000,00000000,1000CD40,?,1000CD40), ref: 100108CD

Part of subcall function 10010940: strlen.MSVCRT ref: 10010968

strlen.MSVCRT ref: 1000CE07
SafeArrayCreate.OLEAUT32(00000008,00000001,00000001), ref: 1000CE6D
VariantInit.OLEAUT32(?), ref: 1000CE83
SafeArrayCreate.OLEAUT32(00000003,00000001,00000001), ref: 1000CEA4
VariantInit.OLEAUT32(?), ref: 1000CEBA

Part of subcall function 10010D30: VariantClear.OLEAUT32(100219AB), ref: 10010E5C
Part of subcall function 10010D30: LockFreeStack.LIBCMTD ref: 10010E69
Part of subcall function 10010D30: refcount_ptr.LIBCPMTD ref: 10010E75

Part of subcall function 10010650: Concurrency::cancellation_token_source::~cancellation_token_source.LIBCPMTD ref: 1001065A

Part of subcall function 100102D0: #823.MFC42(0000000C,00000000,00000000,00000000,?), ref: 100102F0

SafeArrayDestroy.OLEAUT32(?), ref: 1000CFE1
SafeArrayDestroy.OLEAUT32(?), ref: 1000CFEB

Strings

IPEnabled=TRUE, xrefs: 1000CD47
Index, xrefs: 1000CD86
GatewayCostMetric, xrefs: 1000CF29
Win32_NetworkAdapterConfiguration.Index=, xrefs: 1000CDCE
Win32_NetworkAdapterConfiguration, xrefs: 1000CD4C
SetGateways, xrefs: 1000CE1B
DefaultIPGateway, xrefs: 1000CED4
SetGateways, xrefs: 1000CF84

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ArraySafe$Variant$CreateDestroyInitstrlen$#823ClearConcurrency::cancellation_token_source::~cancellation_token_sourceFreeInitializeLockStackrefcount_ptr
String ID: DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetGateways$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 840877428-3516154804
Opcode ID: 02058d390dc2b7fdae002d91f92ce5cb33ce26a5e550108bf0e1dde1224da7f4
Instruction ID: 3227d4db2236a6d6a7f27d70506b96d856a4279fac5a80272e03ff1e3382444e
Opcode Fuzzy Hash: 02058d390dc2b7fdae002d91f92ce5cb33ce26a5e550108bf0e1dde1224da7f4
Instruction Fuzzy Hash: 61911974D00248EFDB14DBA4DD95BDDBBB4EF14300F2081A9F505AB291DBB4AA89CF61

Function 10009337 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 101librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 10009348
LoadLibraryA.KERNEL32(wininet.dll), ref: 10009359
GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 10009391
GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 100093A6
#823.MFC42(00000050), ref: 100093B4
strcat.MSVCRT(00000000,1002A714), ref: 1000941F
strcat.MSVCRT(00000000,?), ref: 10009435
strcat.MSVCRT(00000000,1002A718), ref: 10009449
memset.MSVCRT ref: 10009459

Part of subcall function 10005650: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1000567B

Strings

GetUrlCacheEntryInfoA, xrefs: 1000939D
urlmon.dll, xrefs: 10009343
URLDownloadToCacheFileA, xrefs: 10009385
wininet.dll, xrefs: 10009354

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$AddressLibraryLoadProc$#823CreateProcessmemset
String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
API String ID: 1308283570-2475139894
Opcode ID: 1905727eb2f421511f0012038dfef23a4b07977d075ab523ae7ec6e5654f9fd5
Instruction ID: 81b372d6bc21d2fef04a9a1ddd25012b240df206b743b4629fc927ee19ea9d3e
Opcode Fuzzy Hash: 1905727eb2f421511f0012038dfef23a4b07977d075ab523ae7ec6e5654f9fd5
Instruction Fuzzy Hash: 2031C7B5D042586FEB10CBA0DC85FEFBB74EB18701F5004A5F709A6280DB756A84CF55

Function 1000EE6E Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 1000EE78
_stricmp.MSVCRT(00000000,.dll), ref: 1000EE97
_stricmp.MSVCRT(?,.exe), ref: 1000EEAD
_stricmp.MSVCRT(?,.sys), ref: 1000EEC3
_stricmp.MSVCRT(?,.aye), ref: 1000EED9
strstr.MSVCRT ref: 1000EEEF
strstr.MSVCRT ref: 1000EF05

Strings

.aye, xrefs: 1000EED0
.exe, xrefs: 1000EEA4
AYLaunch.exe, xrefs: 1000EEFC
.sys, xrefs: 1000EEBA
V3Lite.exe, xrefs: 1000EEE6
.dll, xrefs: 1000EE8E

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _stricmp$strstr$strrchr
String ID: .aye$.dll$.exe$.sys$AYLaunch.exe$V3Lite.exe
API String ID: 2699606083-2419393344
Opcode ID: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
Instruction ID: 466c2cd852741ed10da6fcfff3d329652218b2498b962fc8da7131ac82429ea1
Opcode Fuzzy Hash: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
Instruction Fuzzy Hash: 4A1173B4900189F7EB10CBA4ED49AAE37A8EF043C6F544164FD05A6205E733EF24C7A1

Function 1000D3D5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000D3E9
Process32First.KERNEL32(00000000,00000128), ref: 1000D410
lstrcmpiA.KERNEL32(?,ASDsvc.exe), ref: 1000D42A
lstrcmpiA.KERNEL32(?,V3Lite.exe), ref: 1000D440
DebugActiveProcess.KERNEL32(?), ref: 1000D451
GetLastError.KERNEL32 ref: 1000D45B
Process32Next.KERNEL32(00000000,00000128), ref: 1000D486
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1000D494

Strings

V3Lite.exe, xrefs: 1000D434
ASDsvc.exe, xrefs: 1000D41E
c:\11.txt, xrefs: 1000D46E
Name:%s,Err:%d, xrefs: 1000D469

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32lstrcmpi$ActiveCloseCreateDebugErrorFirstHandleLastNextProcessSnapshotToolhelp32
String ID: ASDsvc.exe$Name:%s,Err:%d$V3Lite.exe$c:\11.txt
API String ID: 608465442-3371721576
Opcode ID: 35caabe66487620923f73dc6bcef029880f2a6989d30a686548ce9d832097881
Instruction ID: a3de1c484c0ff0f41d4c4eb311ab122c9ab8193aeb8075ee7d44cccd805fc309
Opcode Fuzzy Hash: 35caabe66487620923f73dc6bcef029880f2a6989d30a686548ce9d832097881
Instruction Fuzzy Hash: 30113D75D00218BBEB10EFA1CC85BDEB7B8EB48344F908999E215A2145D774AA85CF61

Function 100084F9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 10007DDE: #823.MFC42(00000004), ref: 10007E36
Part of subcall function 10007DDE: #823.MFC42(00000000), ref: 10007E5A
Part of subcall function 10007DDE: #823.MFC42(00000000), ref: 10007E8B
Part of subcall function 10007DDE: strrchr.MSVCRT ref: 10007EA5
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007EBF
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007ED3
Part of subcall function 10007DDE: GetSystemInfo.KERNEL32(?), ref: 10007EE0
Part of subcall function 10007DDE: GetCurrentProcess.KERNEL32(00000020,?), ref: 10007EFE
Part of subcall function 10007DDE: OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
Part of subcall function 10007DDE: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 10007F16
Part of subcall function 10007DDE: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
Part of subcall function 10007DDE: CloseHandle.KERNEL32(?), ref: 10007F50
Part of subcall function 10007DDE: strlen.MSVCRT ref: 10007F5B
Part of subcall function 10007DDE: sscanf.MSVCRT ref: 10007F7C

wsprintfA.USER32 ref: 1000853B

Part of subcall function 10007F89: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: strcat.MSVCRT(?,1002D030), ref: 10007FFD
Part of subcall function 10007F89: strcat.MSVCRT(?, ), ref: 1000800E
Part of subcall function 10007F89: strcat.MSVCRT(?,?), ref: 1000801E
Part of subcall function 10007F89: strcat.MSVCRT(?,1002A4A0), ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 100085AF
wsprintfA.USER32 ref: 100085CE
CreateDirectoryA.KERNEL32(?,00000000), ref: 100085E0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

Part of subcall function 1000793B: memset.MSVCRT ref: 1000797B
Part of subcall function 1000793B: CoInitializeEx.OLE32(00000000,00000000), ref: 10007987
Part of subcall function 1000793B: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
Part of subcall function 1000793B: CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,00000000,?,?,1002174C,000000FF), ref: 100079BE
Part of subcall function 1000793B: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
Part of subcall function 1000793B: wcscat.MSVCRT ref: 10007A97

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000863A

Strings

c:\windows\system32\drivers\%s\%s, xrefs: 100085C2
c:\windows\system32\drivers\%s, xrefs: 100085A3
Win32_process, xrefs: 10008606
%s\%s, xrefs: 1000852F
ROOT\CIMv2, xrefs: 1000860B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$#823CreateProcesswsprintf$CloseFileHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryInfoInstanceLookupPrivilegePrivilegesProxySecuritySystemValueWritememsetsscanfstrcpystrrchrwcscat
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 2147377520-1421401311
Opcode ID: 39ebf8f65748dca8e8d63cc54d69ac083fa952e4e19d68f53dd0a92d1cac6a9f
Instruction ID: 0c0eef8aac9374081f6669d655c3be3116369b3939affcc587e91564fd5685db
Opcode Fuzzy Hash: 39ebf8f65748dca8e8d63cc54d69ac083fa952e4e19d68f53dd0a92d1cac6a9f
Instruction Fuzzy Hash: 6F41B771900A6CAFEB20CBA8CC89FDA77B5FB84304F1005E4E609B6245DB766BD58F45

Function 1000BC72 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

#823.MFC42(00001218), ref: 1000BC80
WSAStartup.WS2_32(00000202,?), ref: 1000BCA3

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

memset.MSVCRT ref: 1000BCE8

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: #823.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BD0A
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BD30
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BD3F
CloseHandle.KERNEL32(?), ref: 1000BD49
Sleep.KERNEL32(001B7740), ref: 1000BD54
CloseHandle.KERNEL32(?), ref: 1000BD66

Strings

0x5d65r455f, xrefs: 1000BCA9
2073372682, xrefs: 1000BCF4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$#823CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$2073372682
API String ID: 1869492179-3710683282
Opcode ID: a3c7deccfcd2ede81c1d0f9f396ceec846d476776bd9d4a571c5aba8b8329725
Instruction ID: ec3ba378adc137da86a7fa9cbe3624fdafc09a65b00566f21923adef7c9e2253
Opcode Fuzzy Hash: a3c7deccfcd2ede81c1d0f9f396ceec846d476776bd9d4a571c5aba8b8329725
Instruction Fuzzy Hash: 93218475A40214BBFB10DFE0CC8AFDD7774EB54741F2041A5F6099A2D5EB706A508B92

Function 1000F8F9 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 64fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE30
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE46
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE5C

wsprintfA.USER32 ref: 1000F97A
DeleteFileA.KERNEL32(00000000), ref: 1000F98A
memset.MSVCRT ref: 1000F99E
wsprintfA.USER32 ref: 1000F9B9
DeleteFileA.KERNEL32(00000000), ref: 1000F9C9
DeleteFileA.KERNEL32(C:\1.vbs), ref: 1000F9D4

Strings

%s\ASDSvc.exe, xrefs: 1000F96E
C:\1.vbs, xrefs: 1000F9CF
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F94C
%s\V3Lite.exe, xrefs: 1000F9AD
InstallPath, xrefs: 1000F947

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$DeleteFile$wsprintf
String ID: %s\ASDSvc.exe$%s\V3Lite.exe$C:\1.vbs$InstallPath$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==
API String ID: 1479746147-790033058
Opcode ID: 491bcfaf6f83f197edba52b7f194d51eb256609198c54332247fecbb41f5ae59
Instruction ID: 3f8b95e0ea3bd24813ccbb7ad79f06d8baedde75e715387043a4284ac7343189
Opcode Fuzzy Hash: 491bcfaf6f83f197edba52b7f194d51eb256609198c54332247fecbb41f5ae59
Instruction Fuzzy Hash: A311D6B5810618BBE710D7A4DC89FE6B378EB24300F4001D4F748A6181EBB126D88B91

Function 1001918D Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 100195EB
%s%s, xrefs: 100195A9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s$%s%s%s
API String ID: 0-1506711308
Opcode ID: 5b9eb0c3a395dda510308379acc1b45cfd3c0aaf15be5034ea38f5c58ff39e31
Instruction ID: 7f3d1bd727637aae945e036ecbbf7404439f41d044326d2380a7333964229f50
Opcode Fuzzy Hash: 5b9eb0c3a395dda510308379acc1b45cfd3c0aaf15be5034ea38f5c58ff39e31
Instruction Fuzzy Hash: 7B0215B4904228DBDB26CF54C984BA9B7B9EB49305F1482D9E81DAB291D730EFC5CF50

Function 1001EAC3 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 1001EAD1
GetFileSize.KERNEL32(?,00000000), ref: 1001EBA0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1001EBBD
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1001EBD3
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1001EBE3
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1001EBF9

Strings

PE, xrefs: 1001EC5E
(, xrefs: 1001EBA9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID: ($PE
API String ID: 2979504256-3347799738
Opcode ID: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction ID: a2f518cc74f5bf6d3c6c6775fd81b0518a7a4a596ada43fd48c2c3d5df82ea48
Opcode Fuzzy Hash: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction Fuzzy Hash: 27810D71E00248ABEB08CFD4D895BAEB7B5FF88340F148129F515AB294D734E886CF94

Function 1000C668 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10006322: GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(?), ref: 100067F6

CloseHandle.KERNEL32 ref: 1000C6D1
Sleep.KERNEL32(00001388), ref: 1000C6DC
MoveFileExA.KERNEL32(00000000,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000C6EF
CopyFileA.KERNEL32(00000000,?,00000000), ref: 1000C702
DeleteFileA.KERNEL32(00000000), ref: 1000C70F
Sleep.KERNEL32(000003E8), ref: 1000C71A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 1000C736

Strings

hosts, xrefs: 1000C677
C:\Users\user\Desktop, xrefs: 1000C69F
%s\data.db, xrefs: 1000C6A4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleSleep$CopyDeleteHeapMoveProcessWritestrlen
String ID: %s\data.db$C:\Users\user\Desktop$hosts
API String ID: 3797919734-1156305087
Opcode ID: 6069aba424641b955cbde5a8c771504f27c4f3c0b68c8c1a0aa8a6989794aa0e
Instruction ID: f5900b32a1c57befda946730cab26c328d09066f7718e655d8f69fd7b70c79ee
Opcode Fuzzy Hash: 6069aba424641b955cbde5a8c771504f27c4f3c0b68c8c1a0aa8a6989794aa0e
Instruction Fuzzy Hash: A421B0B6A00218BBEB14CFA4DC85FCA3769FB58710F104294FB199B1C0DBB1AA85CB50

Function 1000BB90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 62sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

#823.MFC42(00001218), ref: 1000BB9E
WSAStartup.WS2_32(00000202,?), ref: 1000BBC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

CloseHandle.KERNEL32(?), ref: 1000BC66

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: #823.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BC0D
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BC33
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BC42
CloseHandle.KERNEL32(?), ref: 1000BC4C
Sleep.KERNEL32(0002BF20), ref: 1000BC57

Strings

0x555dasfas, xrefs: 1000BBC7
2963854030, xrefs: 1000BBF7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823CloseCreateHandleSleepmemset$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x555dasfas$2963854030
API String ID: 2513000192-3075894505
Opcode ID: 44dd402188ac6d3b7afbe79d39589ed243b30a272ae3c6fbaaeeb9753b6d9d2b
Instruction ID: d84f95eccd45cc1831ea6bca91d576b8e54f65b4ebe8b4c65b06786423185a31
Opcode Fuzzy Hash: 44dd402188ac6d3b7afbe79d39589ed243b30a272ae3c6fbaaeeb9753b6d9d2b
Instruction Fuzzy Hash: DB21B1B5A40214BBFB10DFE0CD8AFDD7775EB55341F2041A4FA099A284DB706A91CB52

Function 1000E56F Relevance: 16.7, APIs: 11, Instructions: 155COMMON

Download Yara Rule

APIs

#389.MFC42(00000000,00000001,00000000,00000000,00000000,00000000,1002B318,?), ref: 1000E5CF

Part of subcall function 10011260: #6059.MFC42(0000001A,00000018,00000004,?,?,?,1000E5F7,00000002,00001388,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 10011278

#3229.MFC42(?,?,00000000,00000000,00000003,00000001,00000000,00000002,00001388,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1000E615
#5204.MFC42(00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000,00000003,00000001,00000000,00000002,00001388), ref: 1000E639
#5808.MFC42(00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000,00000003), ref: 1000E656
#825.MFC42(?,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000), ref: 1000E66E
#1988.MFC42 ref: 1000E696
#690.MFC42 ref: 1000E6A9
#5356.MFC42(00000000,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000,00000000), ref: 1000E6C4
#825.MFC42(?,00000000,00000000,00000000,00000000,00000000,00000000,00000050,00000000,00000001,00000000,00000000,20000000,?,?,00000000), ref: 1000E707
#1988.MFC42 ref: 1000E72F
#690.MFC42 ref: 1000E74A

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #1988#690#825$#3229#389#5204#5356#5808#6059
String ID:
API String ID: 750444078-0
Opcode ID: e2e7a70758480c92a74563c3fadc5c33962f963444ecfa1a01d13de9a0ffe87a
Instruction ID: 9f34c4b996e227fffa6c219d231fd462b3d3f725e80ae3a7b750b4ec26083f88
Opcode Fuzzy Hash: e2e7a70758480c92a74563c3fadc5c33962f963444ecfa1a01d13de9a0ffe87a
Instruction Fuzzy Hash: A951F678E00289EBEB14CF94E996BDEBBB1EF54700F204118F5017B2D0DBB56A45CBA5

Function 10010940 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 248comstringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10010968
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1001098D
CoCreateInstance.OLE32(100246B0,00000000,00000001,100245E0,?), ref: 100109A8

Part of subcall function 10010360: #823.MFC42(0000000C,00000000,00000000,00000000,?), ref: 10010380

CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,00000000,ROOT\CIMV2,00000000,00000000,00000000,00000000,00000000), ref: 10010A3B

Strings

WQL, xrefs: 10010B6B
ROOT\CIMV2, xrefs: 100109D1
SELECT * FROM , xrefs: 10010AB4
WHERE , xrefs: 10010B06

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823BlanketCreateInitializeInstanceProxySecuritystrlen
String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
API String ID: 868409568-2582412207
Opcode ID: f4f6692fb1d844ca11876b0b2c8fa795d2da857fa16750406fa5aa8b5286bef8
Instruction ID: 5cbe6ac5fde7eb26dc338a514e816c495378dc4111dc2c4ddae531228331e323
Opcode Fuzzy Hash: f4f6692fb1d844ca11876b0b2c8fa795d2da857fa16750406fa5aa8b5286bef8
Instruction Fuzzy Hash: 0EA10874A00249EBDB04CFA4CD95BEEB7B4FF14314F208258F5516B2D2D7B4AA86CB91

Function 1000D232 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(%systemroot%\system32\csrss.exe,?,00000104), ref: 1000D24F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000208), ref: 1000D288
GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 1000D298
GetProcAddress.KERNEL32(00000000), ref: 1000D29F
GetCurrentProcess.KERNEL32(00000000,00000000,00000018,?), ref: 1000D2D6
wcscpy.MSVCRT ref: 1000D312

Strings

ntdll.dll, xrefs: 1000D293
NtQueryInformationProcess, xrefs: 1000D28E
%systemroot%\system32\csrss.exe, xrefs: 1000D24A

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressByteCharCurrentEnvironmentExpandHandleModuleMultiProcProcessStringsWidewcscpy
String ID: %systemroot%\system32\csrss.exe$NtQueryInformationProcess$ntdll.dll
API String ID: 703503636-1587409518
Opcode ID: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
Instruction ID: d4a10707df85f749384b0f406625ba1c85e5810cd389dcc908323d6700f8676c
Opcode Fuzzy Hash: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
Instruction Fuzzy Hash: 04212F71910218BFEB65CBA4CC89FDABBB8EB48310F50419AE609E6291DB705B45CF61

Function 10006F92 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006FAA
strlen.MSVCRT ref: 10006FC3
strlen.MSVCRT ref: 10006FDC
strlen.MSVCRT ref: 10006FF5
strrchr.MSVCRT ref: 1000700D
strcpy.MSVCRT(00000000,?), ref: 10007068
strrchr.MSVCRT ref: 10007079

Strings

123, xrefs: 1000701C

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPathstrcpy
String ID: 123
API String ID: 2937644721-2286445522
Opcode ID: eb2c4fbfce8c30056790c9b65ba9ad4c9ff02870410164222b091072b2abaf8f
Instruction ID: b10010325145a17280ae543c62f60846424ed8c502da58d9684bb6765ff15b86
Opcode Fuzzy Hash: eb2c4fbfce8c30056790c9b65ba9ad4c9ff02870410164222b091072b2abaf8f
Instruction Fuzzy Hash: 634173FAD00248BBEB14CBA4DC42BDE77B5EF58340F1445A4F9099B241E636EB84CB91

Function 10006B4B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006B59
strlen.MSVCRT ref: 10006B6E
strlen.MSVCRT ref: 10006B87
strlen.MSVCRT ref: 10006BA0
strrchr.MSVCRT ref: 10006BCC
strcpy.MSVCRT(00000000,?), ref: 10006C0F
strrchr.MSVCRT ref: 10006C20

Strings

123, xrefs: 10006BB2

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPathstrcpy
String ID: 123
API String ID: 2937644721-2286445522
Opcode ID: 09722b82a4a2bfdb22794a4e9fa18a9412bb6527b81269910637317bd28d1fbb
Instruction ID: 79c25a0058445eb4a21c39191d2c2c99bec266b48e571f529a8f3a9425a03f32
Opcode Fuzzy Hash: 09722b82a4a2bfdb22794a4e9fa18a9412bb6527b81269910637317bd28d1fbb
Instruction Fuzzy Hash: E531B8FAD00248BBEB10CBA4DC81ADE77B5EF58340F1445A4F9499B241E776EB848BD1

Function 100060BF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE
CloseHandle.KERNEL32(000000FF), ref: 1000610B

Strings

NUL, xrefs: 100060D9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: NUL
API String ID: 3498533004-1038343538
Opcode ID: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction ID: e9d1fb6442f0c914e32f04b904cbdd2044a8a5df72d57b902c957921bdc8d841
Opcode Fuzzy Hash: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction Fuzzy Hash: 7C313D7090022AEBEB10CBE4CC85BEEB7B6FF49344F344554EA117B286C730AA55DB91

Function 1000AF61 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

CreateMutexA.KERNEL32(00000000,00000001,Global\98012trt8-d8dfsf), ref: 1000AF86
GetLastError.KERNEL32 ref: 1000AF8F
ReleaseMutex.KERNEL32(?), ref: 1000AFC4
CloseHandle.KERNEL32(?), ref: 1000AFCE

Strings

Global\98012trt8-d8dfsf, xrefs: 1000AF7D
SeDebugPrivilege, xrefs: 1000AF69
c:\11.txt, xrefs: 1000AFAC
ERROR_ALREADY_EXISTS, xrefs: 1000AFA7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MutexProcess$CloseCreateCurrentErrorHandleLastOpenReleaseToken
String ID: ERROR_ALREADY_EXISTS$Global\98012trt8-d8dfsf$SeDebugPrivilege$c:\11.txt
API String ID: 1194210303-4205529783
Opcode ID: 33d6c9e2637d354fe1692b1cfc5d348cc65f7f4e25ac4b6de4792443762265fe
Instruction ID: bda5bf97716bd855d7aa97815c2b0071a65dd76f9c377fc55d067d3e89c7e2b6
Opcode Fuzzy Hash: 33d6c9e2637d354fe1692b1cfc5d348cc65f7f4e25ac4b6de4792443762265fe
Instruction Fuzzy Hash: 8AF0FF74D01309FBEB10DBE0DC89F8D7BB5EB15342F504155F90562251DB755684CB51

Function 1000A780 Relevance: 13.6, APIs: 9, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 1000A7E8
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A80A
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8A2
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8DC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open$Create
String ID:
API String ID: 161609438-0
Opcode ID: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
Instruction ID: e3d78695a21ea1c89d74b4d509c2f3cee1bcccb682452cc6d6267459aaa28678
Opcode Fuzzy Hash: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
Instruction Fuzzy Hash: 83512F75A04209EFEB14CF95CC85FEE77B8EB49780F208219FA15A7284D775E981CB60

Function 10007F89 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 10007FBC
strchr.MSVCRT ref: 10007FD3
strcat.MSVCRT(?,1002D030), ref: 10007FFD
strcat.MSVCRT(?, ), ref: 1000800E
strcat.MSVCRT(?,?), ref: 1000801E
strcat.MSVCRT(?,1002A4A0), ref: 1000802F
strchr.MSVCRT ref: 10008049

Strings

, xrefs: 10008005
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007FB0

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcat$strchr$strcpy
String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 1601127630-230412946
Opcode ID: 1623917ca2c09340c41669969c6cf545fce248b8b788c83adf94a1b98f44ca3a
Instruction ID: 2bc11947cdbfdc4e0e0399083b1b6a46f6613d3c1d050bc1cbc246461a669991
Opcode Fuzzy Hash: 1623917ca2c09340c41669969c6cf545fce248b8b788c83adf94a1b98f44ca3a
Instruction Fuzzy Hash: 91219379D00158ABDB11CFA8ED81BDD7774FB68302F5084A5EA0CA7244D6B5ABD48BA0

Function 1000F6C6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F6DA
Process32First.KERNEL32(00000000,00000128), ref: 1000F701
Process32Next.KERNEL32(00000000,00000128), ref: 1000F716
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F733
wsprintfA.USER32 ref: 1000F77C
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F7F2

Strings

pid_%d, xrefs: 1000F770

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpiwsprintf
String ID: pid_%d
API String ID: 4001055788-1598735649
Opcode ID: 2aa5c24c09c0c7920b2168c1d3eb21d9af395b2587bffe16ded94feffb8d1a77
Instruction ID: c9d53c2518a1c93e9c5bb71c043409e6e03239473161a3a160f8e14674c82ed7
Opcode Fuzzy Hash: 2aa5c24c09c0c7920b2168c1d3eb21d9af395b2587bffe16ded94feffb8d1a77
Instruction Fuzzy Hash: 68314AB5C05218EBEB60DFA4CC85BEDB7B4EF08340F1044EAE50DA6255E6746B84DF52

Function 1001E8B0 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1001E8B8

Part of subcall function 10020E70: _mbsicmp.MSVCRT ref: 10020E7B

Strings

.gz, xrefs: 1001E99C
.arc, xrefs: 1001E951
.tgz, xrefs: 1001E9B5
.zoo, xrefs: 1001E938
.zip, xrefs: 1001E91C
.lzh, xrefs: 1001E96A
.arj, xrefs: 1001E983

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbsicmpstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 374816253-51310709
Opcode ID: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
Instruction ID: a7750ba6201be3bd96256ed1aa53058d6e7dfdb32adcc3c4209802cf8e7f6fb8
Opcode Fuzzy Hash: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
Instruction Fuzzy Hash: D3317579D04289F7CF44CAE0AD8199D73A6EB12385F604865FD049F201E632FF80BBA5

Function 1000FBB6 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1000FBDA

Part of subcall function 100114B0: CoCreateInstance.OLE32(00000000,10024578,1000FC00,1002B6A0,00000017,?,?,1000FC00,10024578,00000000,00000017), ref: 100114CC

Strings

HTTP, xrefs: 1000FDC8
kbstar, xrefs: 1000FE07

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: HTTP$kbstar
API String ID: 3519745914-2680672251
Opcode ID: aac7b279a52fe98734fe81adf4fdc1abfefbd2005a5e1d3ba9591edfe0447b17
Instruction ID: c3a8321b607e1ec655a761ab1389a6ee785db716c21e47efde926ca263a9be4b
Opcode Fuzzy Hash: aac7b279a52fe98734fe81adf4fdc1abfefbd2005a5e1d3ba9591edfe0447b17
Instruction Fuzzy Hash: 63A11574D00648DFDB08DFA4C995BEDBBB1FF58344F20815CE412AB292EB34AA45DB91

Function 10008377 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

#823.MFC42(00000001), ref: 100083C5
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 10008408
#825.MFC42(?), ref: 1000845B
#823.MFC42(00000001), ref: 1000846D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 10008493
#825.MFC42(?), ref: 100084D5
CloseHandle.KERNEL32(00000000), ref: 100084EA

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #823#825$CloseHandleMemoryProcessQueryReadVirtual
String ID:
API String ID: 2613863258-0
Opcode ID: 305ed1c15194823d856f98b977b62591590cfed0765165237a3ed488ed182224
Instruction ID: 4ce35375b4bad31ba0a910ff1afeab1654858517ab5a746a47daf2776de4f8ea
Opcode Fuzzy Hash: 305ed1c15194823d856f98b977b62591590cfed0765165237a3ed488ed182224
Instruction Fuzzy Hash: 8B51E3B5E00219AFEB14CFD8D981AAEB7B5FF88340F208129E945A7354D774AA81CF50

Function 1001904F Relevance: 10.6, APIs: 7, Instructions: 94stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 10019062
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019073
memcpy.MSVCRT(?,?,?), ref: 100190FA
strcpy.MSVCRT(00000000,00000000), ref: 1001914D
strcat.MSVCRT(00000000,?), ref: 10019160
GetFileAttributesA.KERNEL32(00000000), ref: 1001916F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019183

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: c1c4fc46a3719df00d0bb2b044b383e03e2524b35646e2ea9c5d43cf2d3ba447
Instruction ID: 9d745a1a41eb4a7a2a12bfbab4145b738384b9807def3fcce6aed419c037e121
Opcode Fuzzy Hash: c1c4fc46a3719df00d0bb2b044b383e03e2524b35646e2ea9c5d43cf2d3ba447
Instruction Fuzzy Hash: C7413579D04118ABCB19CFA4D894AEDBBB5EF59310F208699E9599B240D770EFC0CF90

Function 1000A617 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A65F
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A671
strcat.MSVCRT(00000000,00000000), ref: 1000A68C
strcat.MSVCRT(00000000,00000000), ref: 1000A6A9

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Part of subcall function 1000A519: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000A694
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000A677

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryFileSystemstrcat$CreateExistsPath
String ID: XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==
API String ID: 2901936783-2249354660
Opcode ID: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
Instruction ID: 12b72cb5e04ffb9a7e9ac27504f08d15284b6b879465d20345e618696946c61d
Opcode Fuzzy Hash: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
Instruction Fuzzy Hash: 9021F8FAC04208BBFB10D7A0DC45BCE7378DB14380F1086A5FB0996145EEB5ABC88B91

Function 10006C88 Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10006CC5
GetFileSize.KERNEL32(?,00000000), ref: 10006CEA
#823.MFC42(00000000), ref: 10006CF7
memset.MSVCRT ref: 10006D35
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?,?,00000000), ref: 10006D59
CloseHandle.KERNEL32(?,00000000), ref: 10006DA7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$#823CloseCreateHandleReadSizememset
String ID:
API String ID: 1555946038-0
Opcode ID: 28604f97c3951391ffacc56cdf69ebb5e4bd2b96d0f2f0613a8988e40837d2c1
Instruction ID: 20d629e5142875753669a35d1e811c0194670abf32d4287b49ac12e2b780f710
Opcode Fuzzy Hash: 28604f97c3951391ffacc56cdf69ebb5e4bd2b96d0f2f0613a8988e40837d2c1
Instruction Fuzzy Hash: DA316179A00294ABEB25CF54CC85BCAB375FB4C341F1085D5FA49A7284D6B4AAD4CF50

Function 1000600B Relevance: 10.6, APIs: 7, Instructions: 63memorythreadsynchronizationCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000008,00000214), ref: 1000601E
CreateThread.KERNEL32(00000000,00000000,Function_00005FD3,?,00000000,00000000), ref: 10006040
WaitForSingleObject.KERNEL32(?,00000064), ref: 1000604F
TerminateThread.KERNEL32(?,00000000), ref: 10006067
CloseHandle.KERNEL32(?), ref: 10006071
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 100060A0
HeapFree.KERNEL32(00000000,00000000,?), ref: 100060B3

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: HeapThread$AllocByteCharCloseCreateFreeHandleMultiObjectSingleTerminateWaitWide
String ID:
API String ID: 3981182571-0
Opcode ID: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction ID: 97dbfb0626745b3a13ce99f142d6799707a3ad8bdba7c53ac94dcc1e3c2afbb3
Opcode Fuzzy Hash: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction Fuzzy Hash: 3B21BAB4A40218BFFB04DBD4CC8AF6E7775EB48701F208558FB15AB2D0C671AA51CB54

Function 10021563 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10021576
#823.MFC42(00000002,?,?,SELECT * FROM ,?,?,100105BB,?,?,?,100112AB), ref: 10021580
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,SELECT * FROM ,?,?,100105BB,?,?), ref: 100215A2
GetLastError.KERNEL32(?,?,100105BB,?,?,?,100112AB), ref: 100215B2
GetLastError.KERNEL32(?,?,100105BB,?,?,?,100112AB), ref: 100215B8

Strings

SELECT * FROM , xrefs: 10021573

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$#823ByteCharMultiWidewcslen
String ID: SELECT * FROM
API String ID: 902154227-3303663155
Opcode ID: 535be1c00c74b4252f7a708f373728373532073ad4246fcc369e3bfbabe45a2c
Instruction ID: f102809e0f6523f15fafc923be23898a7ca290de0f5e000ccec9650aaf4368e9
Opcode Fuzzy Hash: 535be1c00c74b4252f7a708f373728373532073ad4246fcc369e3bfbabe45a2c
Instruction Fuzzy Hash: 4FF0286A20427ABD9210A6726C84DBBBACCDEE12F47E2467AF515D2041D815AC0181F0

Function 1000883B Relevance: 8.8, APIs: 7, Instructions: 67stringmemoryCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000885E
GlobalAlloc.KERNEL32(00000040,-00000001), ref: 1000887C
memset.MSVCRT ref: 10008892
strcpy.MSVCRT(00000000,00000000), ref: 100088A2
memset.MSVCRT ref: 100088D6
strcpy.MSVCRT(00000000,00000001), ref: 100088E9
GlobalFree.KERNEL32(00000000), ref: 100088F5

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Globalmemsetstrcpy$AllocFreestrlen
String ID:
API String ID: 1071719858-0
Opcode ID: 34b18f0cfa94c3ff5c7f066692647ea25e407ce26ee9c36b5c3d170eba73ebf6
Instruction ID: 371cdc15c4be44a3cd0437dc71fa5aaac8cd8a0fdcd6f9490a1cbaeabdbd2086
Opcode Fuzzy Hash: 34b18f0cfa94c3ff5c7f066692647ea25e407ce26ee9c36b5c3d170eba73ebf6
Instruction Fuzzy Hash: A3219DB9D00208FBEB04CFD4D885B9DBBB4FF44304F50C158EA046B345D671AB948B95

Function 1000D747 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1000D75F
srand.MSVCRT ref: 1000D766
rand.MSVCRT ref: 1000D76F
rand.MSVCRT ref: 1000D7BA

Strings

3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000D754

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$CountTicksrand
String ID: 3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6
API String ID: 3923125369-3761970555
Opcode ID: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
Instruction ID: 5baca46d6ec9984475ff302e343ac5961955fe47c9a6e1e459158899833a3c7c
Opcode Fuzzy Hash: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
Instruction Fuzzy Hash: 3E11B830815108EFDB00EFA8D894A9EBBB6FF44320F30419AE909E7345D331AA51DB60

Function 1000C5F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37sleepstringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 1000C5F9
memset.MSVCRT ref: 1000C613
Sleep.KERNEL32(0000EA60), ref: 1000C63A
#825.MFC42(?), ref: 1000C652

Strings

found~!, xrefs: 1000C5F0

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: #825Sleepmemsetstrstr
String ID: found~!
API String ID: 1104890065-3563639675
Opcode ID: d913908891cc592e6f855505a8fa8eb0a31dcf74657d833edf71c8244c53dd4e
Instruction ID: 8119cc500c20e04b94a5d0cf1617a111049eef5a0b8ea3278fea11a9d42b8372
Opcode Fuzzy Hash: d913908891cc592e6f855505a8fa8eb0a31dcf74657d833edf71c8244c53dd4e
Instruction Fuzzy Hash: F0F068B6E00108EBEB14CBD4DD86F9FB378EB98201F1045D4FA09A7241EA71AF559F51

Function 1001ED1E Relevance: 7.7, APIs: 5, Instructions: 155fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001ED93
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001EDF5
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 1001EE7C
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1001EEAC
CloseHandle.KERNEL32(00000000), ref: 1001EEC8

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Create$CloseHandleMappingPointerView
String ID:
API String ID: 1737989552-0
Opcode ID: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction ID: 743c727af9f4ebea276fef19f0abd475d21ef0e9be5fc3ab0a1b21c44a59574f
Opcode Fuzzy Hash: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction Fuzzy Hash: 0561C874A0024ADFEB14CF54C545BAEB7F1FB48715F208659E8156B382C771DE81CBA1

Function 1001EF73 Relevance: 7.6, APIs: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

#825.MFC42(?,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFB3
#823.MFC42(000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFD4
memcpy.MSVCRT(00000000,?,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F000
memcpy.MSVCRT(1002B35C,00004000,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F092
WriteFile.KERNEL32(00000000,00004000,000000FF,000000FF,00000000,?,1001FADC,?,000000FF,?,00004000), ref: 1001F0CC

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$#823#825FileWrite
String ID:
API String ID: 3892973715-0
Opcode ID: dcd96ad24b5deabd6ad6734751da6d3ddb320af3399b2d07e3036afd30a7b307
Instruction ID: 4bd6022a4a2ec37f9ae3b9a4e2ff67f1137577e8ba2bc2d6a42e4c9f344f74e1
Opcode Fuzzy Hash: dcd96ad24b5deabd6ad6734751da6d3ddb320af3399b2d07e3036afd30a7b307
Instruction Fuzzy Hash: 4651BAB8E00109DFCB44CF98D491AAEBBB6FF98314F508559E9099B346D771E981CF90

Function 1000A519 Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556
memset.MSVCRT ref: 1000A597
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 1000A5BB
CloseHandle.KERNEL32(?), ref: 1000A607

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleReadmemset
String ID:
API String ID: 1934991721-0
Opcode ID: ddb02cf45562d447117a3b03ca3a3f4b2d09cfb980e0b23eab193bf9e0f50665
Instruction ID: 6a49061c0ed4d4591c571688064297fdf5beefa6cff065268dfcbfb052794fb4
Opcode Fuzzy Hash: ddb02cf45562d447117a3b03ca3a3f4b2d09cfb980e0b23eab193bf9e0f50665
Instruction Fuzzy Hash: F2216275A00255ABEB21CB54CC81FDA7374FB4C382F1045A5FB49A7284D6B0AAC48F54

Function 100214EE Relevance: 7.5, APIs: 5, Instructions: 45memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,?,?,10010494,10010314,00000000), ref: 10021500
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,?,10010494,10010314,00000000), ref: 10021527
GetLastError.KERNEL32(?,00000001,?,?,10010494,10010314,00000000), ref: 10021537
GetLastError.KERNEL32(?,00000001,?,?,10010494,10010314,00000000), ref: 1002153D
SysAllocString.OLEAUT32 ref: 10021554

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID:
API String ID: 4196186757-0
Opcode ID: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
Instruction ID: 1fe5ed956030cf47e0064620fe093005c6aabeb1075080af0839e4b43014f2e2
Opcode Fuzzy Hash: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
Instruction Fuzzy Hash: 7501F436500526F7E7209BA1DC85FDA3FA8EF613A1FB18031FD09D1090E730956286A1

Function 1000F63B Relevance: 7.5, APIs: 5, Instructions: 43processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F64F
Process32First.KERNEL32(00000000,00000128), ref: 1000F672
Process32Next.KERNEL32(00000000,00000128), ref: 1000F687
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F6A0
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F6B9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction ID: 6a087116852af621f6414e876448160d89c161c3e2a286ec7096f0195759277d
Opcode Fuzzy Hash: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction Fuzzy Hash: AA014CB5D00208EBEB10EFE0CC85BEDB7B8EB08384F50848CA509A7254D7756B84DF50

Function 1000F85D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

Part of subcall function 100055B0: OpenProcess.KERNEL32(?,?,?), ref: 100055BF

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000F8A3

Strings

SeDebugPrivilege, xrefs: 1000F865

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$OpenTimer$Concurrency::details::platform::__CreateCurrentQueueToken
String ID: SeDebugPrivilege
API String ID: 3835064167-2896544425
Opcode ID: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
Instruction ID: fc672c7b5ca9b149f1a5e930f45fef3a2c969a6d647dd8d1ed25485d67561eb1
Opcode Fuzzy Hash: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
Instruction Fuzzy Hash: 381182B5E40305BBFB10DBA08C46FDE7674EB04741F104568FB04BA2C5EA7166508755

Function 1000E4A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100), ref: 1000E4DB
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 1000E525
DeviceIoControl.KERNEL32(000000FF,00222000,00000000,00000400,00000000,00000000,?,00000000), ref: 1000E55F

Strings

\\.\moon, xrefs: 1000E4E7

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharControlCreateDeviceFileMultiWide
String ID: \\.\moon
API String ID: 1446495253-2167628891
Opcode ID: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
Instruction ID: 23935ab2004618820c7cb13d6f81c44a57c65e4e46a841ae29926b98e247d94e
Opcode Fuzzy Hash: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
Instruction Fuzzy Hash: D71136B4550228BAE720DB54CC85FD57778EB44710F1086A9F708B72D0E7B02B86CF99

Function 10009296 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringtimeCOMMON

Download Yara Rule

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 100092DB

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

strlen.MSVCRT ref: 10009303

Strings

C:\Users\user\Desktop, xrefs: 1000929F
%s\lang.ini, xrefs: 100092A4

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3442345488-2560215372
Opcode ID: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
Instruction ID: 5c2cb0c0f0112b76a52748a175c0b0866aa9ac7b40e06f3532cdc33e9dc0b8a8
Opcode Fuzzy Hash: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
Instruction Fuzzy Hash: C40148F9D0021867EB20DB64DC46FCA7378DB14740F4086A4BA88671C5EAB5BBC48FD5

Function 10016729 Relevance: 6.1, APIs: 4, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100167A3
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 100167D0
#823.MFC42(00000020), ref: 100167E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001684C

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pointer$#823Create
String ID:
API String ID: 3407337251-0
Opcode ID: 210e3323cf45e4e45ac76a8794f6ac64e1948e2ff99ced056d7b0a137d796a7c
Instruction ID: f591f9a745d53ad3dfe22ef2f77011fbbab233b3b6c88462e3b6b178e94e5e56
Opcode Fuzzy Hash: 210e3323cf45e4e45ac76a8794f6ac64e1948e2ff99ced056d7b0a137d796a7c
Instruction Fuzzy Hash: C4510B74E0424AEFDB11CF54C895B9EBBB1FB09304F108699EC216B381C7B5DA85CB91

Function 100088FF Relevance: 6.1, APIs: 4, Instructions: 92timeCOMMON

Download Yara Rule

APIs

#823.MFC42(?), ref: 10008909
memcpy.MSVCRT(?,?,?), ref: 10008926
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000899A
#825.MFC42(?), ref: 100089DA

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$#823#825Concurrency::details::platform::__CreateQueuememcpy
String ID:
API String ID: 3300021417-0
Opcode ID: da2fff2ece35e2f709c1a1d94c165bbfb6119083321585ad05990cdf83ca4a90
Instruction ID: 48faa35ba49733c278f9528cd1fa272fbef8b4e165372624ad9d635f7decea62
Opcode Fuzzy Hash: da2fff2ece35e2f709c1a1d94c165bbfb6119083321585ad05990cdf83ca4a90
Instruction Fuzzy Hash: D8318EB4D00249FBDF04DFA8C891BAEB774FF44304F248598E945AB385D671AB40CB91

Function 100184CC Relevance: 6.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100184FF
strlen.MSVCRT ref: 1001850E
strcat.MSVCRT(?,1002B9C8), ref: 10018544
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1001855C

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
Instruction ID: d652d1c918226deb8dbb541e2e319e9dea9985361b2032265780a00324afeef0
Opcode Fuzzy Hash: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
Instruction Fuzzy Hash: 5C318275D0064ADBDB00CF94C881BAE7BB6EF45300F144569F515AB281D330EBD1CB91

Function 1000C063 Relevance: 6.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C06D

Part of subcall function 1000BEF7: malloc.MSVCRT ref: 1000BF0F

strlen.MSVCRT ref: 1000C0A2
toupper.MSVCRT ref: 1000C0F0
tolower.MSVCRT ref: 1000C129

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$malloctolowertoupper
String ID:
API String ID: 1610385915-0
Opcode ID: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
Instruction ID: 7a5db7ae6677982574b2aec189b42e08800268808c8d6061b8b5cfc946dd9c0f
Opcode Fuzzy Hash: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
Instruction Fuzzy Hash: 45317C75D0428CEBDB04CFA8C8D0AAEBBB5EF42245F2441D9D841AB306C635AB90DB45

Function 10011150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(10010E30,?), ref: 10011190
SafeArrayAccessData.OLEAUT32(10010E30,00000000), ref: 100111AD
SafeArrayUnaccessData.OLEAUT32(10010E30), ref: 10011217
refcount_ptr.LIBCPMTD ref: 10011227

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccessVartyperefcount_ptr
String ID:
API String ID: 643252218-0
Opcode ID: e3093405053b5544fa678bf0e23ad48e3c749fcc7eb534a6281602585be818ca
Instruction ID: 2d86a0b6451a645c637edffcb08906b081acf8c9fc1e69a33f2e972db292452b
Opcode Fuzzy Hash: e3093405053b5544fa678bf0e23ad48e3c749fcc7eb534a6281602585be818ca
Instruction Fuzzy Hash: 7231ED75D00109EFCB08CF94C995BEEBBB5FF48310F208159E525AB281DB35AA45CBA1

Function 1000BD79 Relevance: 6.0, APIs: 4, Instructions: 33sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BDAC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BDBB
CloseHandle.KERNEL32(?), ref: 1000BDC5
Sleep.KERNEL32(00000064), ref: 1000BDCD

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleSleepThreadWait
String ID:
API String ID: 422747524-0
Opcode ID: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction ID: b9f77b51fdc0ce5c79c26bcc87bcad786e5d67b6ada7f4622830d9e7383a6a42
Opcode Fuzzy Hash: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction Fuzzy Hash: A8F03074A40208BBF704DFE4CD8AF9D7B75EB54711F208154FB059A2C4D7715A518B61

Function 100067AC Relevance: 6.0, APIs: 4, Instructions: 32filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
strlen.MSVCRT ref: 100067DB
WriteFile.KERNEL32(?,?,00000000,00000000), ref: 100067EC
CloseHandle.KERNEL32(?), ref: 100067F6

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleWritestrlen
String ID:
API String ID: 1350020999-0
Opcode ID: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
Instruction ID: 9091ae99ca244d77819b183989e1c27e630e4a4cabccf0d25adc0486f95204c4
Opcode Fuzzy Hash: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
Instruction Fuzzy Hash: C5F082B9640208BBE710DBE4DCC6F9A777CAB48700F108144FF09A7280DA70A944CBA4

Function 100061D7 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,10006283,?), ref: 100061E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 100061FF
CloseHandle.KERNEL32(00000000), ref: 1000620D

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandleOpenTerminate
String ID:
API String ID: 2026632969-0
Opcode ID: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction ID: c3b055f7a518f1452caa67d907e4e45609d189d3ebd99e836d77498bd3e4c8c9
Opcode Fuzzy Hash: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction Fuzzy Hash: 6AF05875A44218FBE710DBE4DD88B5E7BA8EB0C381F308958FA05D7240D6309A819B50

Function 1000D353 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D39D
sprintf.MSVCRT ref: 1000D3B6

Part of subcall function 10004775: WinExec.KERNEL32(?,?), ref: 10004780

Strings

cmd /c ping 127.0.0.1 -n 3&del "%s", xrefs: 1000D3AA

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExecFileModuleNamesprintf
String ID: cmd /c ping 127.0.0.1 -n 3&del "%s"
API String ID: 2282574455-535577241
Opcode ID: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
Instruction ID: a6b8e271a6fb293dd042ad0264e0da81425d7f8170d8075a503821407d4c08d6
Opcode Fuzzy Hash: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
Instruction Fuzzy Hash: A8F0C27291021C7BEB11C7A8CCA5BD6B7BCAB54300F4001E5E70CA6181EFB52B9C8F91

Function 1000F7FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 1000F809
GetLocalTime.KERNEL32(?), ref: 1000F842

Strings

-, xrefs: 1000F81B

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LocalTime
String ID: -
API String ID: 481472006-2547889144
Opcode ID: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction ID: 54c5f6dbd1dfb4096c870d722f7c1ff444cf4a43efea41441fbe41cbc9c571be
Opcode Fuzzy Hash: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction Fuzzy Hash: 47F04471D0120AEBEB14DFA4C6856FDB7B4EF40740F20C1ADD801AB648DA34AB09FB52

Function 1000CCA1 Relevance: 5.0, APIs: 4, Instructions: 24stringsleepCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000CCA5
strcmp.MSVCRT ref: 1000CCBB
wsprintfA.USER32 ref: 1000CCD5

Part of subcall function 100084F9: wsprintfA.USER32 ref: 1000853B
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085AF
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085CE
Part of subcall function 100084F9: CreateDirectoryA.KERNEL32(?,00000000), ref: 100085E0

Sleep.KERNEL32(000927C0), ref: 1000CCE9

Memory Dump Source

Source File: 00000004.00000002.4427345075.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.4427328651.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427367398.0000000010022000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427386367.0000000010027000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427402802.0000000010033000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427422998.0000000010047000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427446361.000000001006A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427461502.000000001006B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427477403.000000001006D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427493896.000000001006E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427512492.000000001006F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427527309.0000000010070000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4427588191.0000000010072000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateDirectorySleepstrcmpstrlen
String ID:
API String ID: 1687963529-0
Opcode ID: f3f71da3bea6c13747bdab595987d3f046ce911cfa72297f7b346c7faf6d1db9
Instruction ID: 8462d54cf2e0c3c508fde98af096e103500cdf59e7942b527e18940fd215594e
Opcode Fuzzy Hash: f3f71da3bea6c13747bdab595987d3f046ce911cfa72297f7b346c7faf6d1db9
Instruction Fuzzy Hash: D2E09AB9D00155ABFB40EBE4EC86EAF3264FB14281B680818FA04C2125DB70A9198B62

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yKVQVNB2qI.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_45b27b9ae4bdc5533369f53128e793cbabf13_7522e4b5_8dc497db-9d37-4dbc-adeb-aac07e38855c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1682.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1857.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1887.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
yKVQVNB2qI.dll

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre