Edit tour

Windows Analysis Report
MYuRWuVXzX.dll

Overview

General Information

Sample name:	MYuRWuVXzX.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	9bb9978d1c6507e3368f7b8f48041fc8a5ddfc02.dll.exe
Analysis ID:	1558483
MD5:	7b857fe6c2149e304d6866602fef9d6f
SHA1:	9bb9978d1c6507e3368f7b8f48041fc8a5ddfc02
SHA256:	78bc725cae147ff1836bedaf04336e7652dbaf9d7a25aae66322edd83f9dcb20
Tags:	dllexeuser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Queries disk data (e.g. SMART data)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to communicate with device drivers

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7564 cmdline: loaddll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7616 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7696 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7768 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7624 cmdline: rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,Cache MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7896 cmdline: rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7924 cmdline: rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 8004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 8132 cmdline: rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7192 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3284 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 8140 cmdline: rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 8152 cmdline: rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8152 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4248 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7536 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7548 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 7700 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 7744 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1108 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MYuRWuVXzX.dll	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x1a473:$x1: cracked by ximo 0x1c0f8:$x1: cracked by ximo

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x397e4:$x1: cracked by ximo 0x3989e:$x1: cracked by ximo 0x39958:$x1: cracked by ximo 0x39a12:$x1: cracked by ximo 0x39acc:$x1: cracked by ximo 0x39b86:$x1: cracked by ximo 0x39c40:$x1: cracked by ximo 0x39cfa:$x1: cracked by ximo 0x553e6:$x1: cracked by ximo 0x5706b:$x1: cracked by ximo
11.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x397e4:$x1: cracked by ximo 0x3989e:$x1: cracked by ximo 0x39958:$x1: cracked by ximo 0x39a12:$x1: cracked by ximo 0x39acc:$x1: cracked by ximo 0x39b86:$x1: cracked by ximo 0x39c40:$x1: cracked by ximo 0x39cfa:$x1: cracked by ximo 0x553e6:$x1: cracked by ximo 0x5706b:$x1: cracked by ximo
3.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x397e4:$x1: cracked by ximo 0x3989e:$x1: cracked by ximo 0x39958:$x1: cracked by ximo 0x39a12:$x1: cracked by ximo 0x39acc:$x1: cracked by ximo 0x39b86:$x1: cracked by ximo 0x39c40:$x1: cracked by ximo 0x39cfa:$x1: cracked by ximo 0x553e6:$x1: cracked by ximo 0x5706b:$x1: cracked by ximo

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7624, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cache

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MYuRWuVXzX.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: MYuRWuVXzX.dll

ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: MYuRWuVXzX.dll

Joe Sandbox ML: detected

Source: MYuRWuVXzX.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.*"sv"s source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.* source: rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.cation Data\App source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\.e source: rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\. source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.44 803	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.43 805	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.42 3204	Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic	TCP traffic: 192.168.2.7:49701 -> 174.139.6.44:803
Source: global traffic	TCP traffic: 192.168.2.7:49702 -> 107.163.56.110:18530
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 174.139.6.42:3204
Source: global traffic	TCP traffic: 192.168.2.7:49711 -> 174.139.6.43:805

Source: Joe Sandbox View

IP Address: 202.108.0.52 202.108.0.52

Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: VPLSNETUS VPLSNETUS
Source: Joe Sandbox View	ASN Name: VPLSNETUS VPLSNETUS

Source: global traffic

TCP traffic: 192.168.2.7:49713 -> 202.108.0.52:80

Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.6.42

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003F41 InternetReadFile,

3_2_10003F41

Source: global traffic

DNS traffic detected: DNS query: blog.sina.com.cn

Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.110:18530/u1129.html)B
Source: rundll32.exe, rundll32.exe, 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php
Source: rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php.
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php/
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php2
Source: rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php2M-
Source: rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php5
Source: rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php6
Source: rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93&M9
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php938BN
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93DN
Source: rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93NN
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93m
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php93te
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpA
Source: rundll32.exe, 00000003.00000002.2952368053.0000000005EFD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2952493586.000000000611A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpC:
Source: rundll32.exe, 00000003.00000002.2952304361.0000000005E7D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpH
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpJ
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpK
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpNN
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpP
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpPN
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpQ
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2901638420.0000000003003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpSettings
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpU
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpUs
Source: rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2560983622.0000000003003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.php_
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpentVersion
Source: rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpet
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764732142.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2560983622.0000000003003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpi
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpiA
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpiK
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpiU
Source: rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpie
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpis
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpl
Source: rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phplState
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpli
Source: rundll32.exe, 00000003.00000003.2014385703.0000000003003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpm
Source: rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpng
Source: rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phppD
Source: rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phps
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpta
Source: rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.43:805/index.phpy
Source: rundll32.exe, rundll32.exe, 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://174.139.6.44:803/
Source: rundll32.exe, 00000003.00000003.2602900581.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://174.139.6.44:803//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWmtaXmta
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2952623924.000000000666E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s(cj&
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s-cw&
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%sDc
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%sRc
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%skc-&
Source: rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%szc
Source: rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093$
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093(M#
Source: rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093.
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/57624790931
Source: rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093:805/index.php
Source: rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093?
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093C
Source: rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093PN
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093Ty
Source: rundll32.exe, 00000003.00000003.2764732142.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093esk
Source: rundll32.exe, 00000003.00000003.2764785465.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093f
Source: rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2014468571.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093i
Source: rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ix
Source: rundll32.exe, 00000003.00000003.2480844680.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093m
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ni
Source: rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ni$
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093nicy
Source: rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093ookies
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093te
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: MYuRWuVXzX.dll, type: SAMPLE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 18.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 70430000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 71400000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 723D0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 778A0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 733A0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 73DD0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74580000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 70160000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 73B90000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74350000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75490000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75690000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76220000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 70260000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 73C90000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74450000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74EA0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75590000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75890000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 77620000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 702E0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 70350000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 73D10000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 741D0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 742F0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 759B0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76320000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76480000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75764000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74F20000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 703F0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 744D0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74780000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75370000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75420000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75910000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76370000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 703A0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 70410000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 73D60000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74220000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 744F0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74DF0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 74E10000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75930000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75A00000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75D80000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 764D0000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 77100000 page read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 776A0000 page read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10008AAD: DeviceIoControl,

3_2_10008AAD

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10003F63 ExitWindowsEx,	3_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10003F63 ExitWindowsEx,	11_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_10003F63 ExitWindowsEx,	18_2_10003F63

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003D000	3_2_1003D000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B224	3_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000B70D	3_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000AEC0	3_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003CFE9	3_2_1003CFE9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1000B224	11_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1000B70D	11_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1000AEC0	11_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000B224	18_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000B70D	18_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000AEC0	18_2_1000AEC0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10001000 appears 893 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10009125 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1000CD90 appears 49 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 672

Source: MYuRWuVXzX.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: MYuRWuVXzX.dll, type: SAMPLE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winDLL@42/10@3/6

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100042A2 LookupPrivilegeValueA,AdjustTokenPrivileges,	3_2_100042A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000404F AdjustTokenPrivileges,	3_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1000404F AdjustTokenPrivileges,	11_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000404F AdjustTokenPrivileges,	18_2_1000404F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003FB7 CreateToolhelp32Snapshot,

3_2_10003FB7

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\12010110

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\174.139.6.42:3204
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8152
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\M174.139.6.42:3204
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7924

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\10356e32-6909-488b-bf28-dc66d20c8f18

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,Cache

Source: MYuRWuVXzX.dll

ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,Cache
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8152 -s 668
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,Cache	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,PrintFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",PrintFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.*"sv"s source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\.* source: rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\.cation Data\App source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\.e source: rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\. source: rundll32.exe, 00000003.00000003.2602900581.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .est1

Source: MYuRWuVXzX.dll	Static PE information: section name: .est0
Source: MYuRWuVXzX.dll	Static PE information: section name: .est1

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10026BEA push dword ptr [esp+38h]; retn 003Ch	3_2_10026C0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10038CEC push ebx; mov dword ptr [esp], 6AC703F9h	3_2_10038D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025000 push dword ptr [esp+48h]; retn 004Ch	3_2_10033DDA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10029004 push dword ptr [esp+14h]; retn 0018h	3_2_10029011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021009 push dword ptr [esp+50h]; retn 0054h	3_2_1002CDC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1003700D push dword ptr [esp+50h]; retn 0054h	3_2_10039A4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B012 push dword ptr [esp+54h]; retn 0058h	3_2_1002D942
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027010 push dword ptr [esp+3Ch]; retn 0040h	3_2_1003796A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10039015 push dword ptr [esp+34h]; retn 0038h	3_2_10039030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002301B push dword ptr [esp+58h]; retn 005Ch	3_2_1002302F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002501B push dword ptr [esp+2Ch]; retn 0030h	3_2_1003A0F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B01E push dword ptr [esp+4Ch]; retn 0050h	3_2_1002B034
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025020 push dword ptr [esp+2Ch]; retn 0030h	3_2_1003A0F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021024 pushfd ; mov dword ptr [esp], ebx	3_2_10021025
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10021024 push dword ptr [esp+50h]; retn 0054h	3_2_1002104B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002F02B push dword ptr [esp+4Ch]; retn 0050h	3_2_1002F039
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10023032 push dword ptr [esp+3Ch]; retn 0040h	3_2_1002303E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10031032 push dword ptr [esp+44h]; retn 0048h	3_2_1003104A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10037036 push dword ptr [esp+44h]; retn 0048h	3_2_10037046
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10035035 push dword ptr [esp+40h]; retn 0044h	3_2_1003504C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10029034 pushfd ; mov dword ptr [esp], FEC6FEE5h	3_2_10029035
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025046 push dword ptr [esp+2Ch]; retn 0030h	3_2_10030345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10027044 push dword ptr [esp+5Ch]; retn 0060h	3_2_100341A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002304B push dword ptr [esp+4Ch]; retn 0050h	3_2_10023056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002104E push dword ptr [esp+48h]; retn 004Ch	3_2_1002105C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002704F push dword ptr [esp+5Ch]; retn 0060h	3_2_100341A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B052 push dword ptr [esp+40h]; retn 0044h	3_2_1002B066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10033053 push dword ptr [esp+38h]; retn 003Ch	3_2_10033073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002105F push dword ptr [esp+2Ch]; retn 0030h	3_2_10021085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10025069 push dword ptr [esp+44h]; retn 0048h	3_2_1002507B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1002B069 push dword ptr [esp+0Ch]; retn 0010h	3_2_1002B08E

Source: MYuRWuVXzX.dll

Static PE information: section name: .est1 entropy: 7.967511124980014

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE%d

3_2_10008B7A

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE%d

3_2_10008B7A

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cache

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cache			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cache			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_3-22947

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1003D000 rdtsc

3_2_1003D000

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 1043			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 6551			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_3-22933

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7836	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7828	Thread sleep count: 1043 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7828	Thread sleep time: -1877400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7628	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6752	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1032	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6312	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4708	Thread sleep time: -2400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7692	Thread sleep count: 148 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7692	Thread sleep time: -44400000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5724	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7828	Thread sleep count: 6551 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7828	Thread sleep time: -11791800000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 00000003.00000002.2951003470.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\Applications\\VMwareHostOpen.exererxB
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: rundll32.exe, 00000003.00000002.2948057638.0000000002E6B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: s\Applications\\VMwareHoP
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1003D000 rdtsc

3_2_1003D000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 11_2_1000CCF2 LdrInitializeThunk,

11_2_1000CCF2

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.108.0.52 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.44 803	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.43 805	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 174.139.6.42 3204	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Queries disk data (e.g. SMART data)

Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Device IO: \Device\Harddisk0\DR0	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	111 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	111 Process Injection	1 Software Packing	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
MYuRWuVXzX.dll	84%	ReversingLabs	Win32.Backdoor.Zegost
MYuRWuVXzX.dll	100%	Avira	TR/ATRAPS.Gen
MYuRWuVXzX.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://174.139.6.43:805/index.phpi	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpng	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpl	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpU	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpUs	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpm	0%	Avira URL Cloud	safe
http://107.163.56.110:18530/u1129.html	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpQ	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpP	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93te	0%	Avira URL Cloud	safe
http://174.139.6.44:803//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWmtaXmta	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93&M9	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpie	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpA	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpNN	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpentVersion	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpH	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php_	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpJ	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpK	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php2M-	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php5	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93NN	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpis	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php6	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpli	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpet	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php2	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpiA	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpPN	0%	Avira URL Cloud	safe
http://107.163.56.110:18530/u1129.html)B	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php.	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php938BN	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php/	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93m	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpSettings	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpiK	0%	Avira URL Cloud	safe
http://174.139.6.44:803/	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpiU	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phppD	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpC:	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phps	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phplState	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php93DN	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpta	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.php	0%	Avira URL Cloud	safe
http://174.139.6.43:805/index.phpy	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blogx.sina.com.cn	202.108.0.52	true	false		high
blog.sina.com.cn	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://174.139.6.43:805/index.php93te	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093.	rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpng	rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpUs	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpl	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpm	rundll32.exe, 00000003.00000003.2014385703.0000000003003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093Ty	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpi	rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764732142.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2560983622.0000000003003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/57624790931	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.163.56.110:18530/u1129.html	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpU	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpP	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpQ	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.44:803//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWmtaXmta	rundll32.exe, 00000003.00000003.2602900581.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2948140851.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F8B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2952623924.000000000666E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093	rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php93&M9	rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpNN	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093$	rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php_	rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602876723.0000000003002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2560983622.0000000003003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpentVersion	rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093:805/index.php	rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093ni$	rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php93	rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpie	rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpA	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093ni	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpH	rundll32.exe, 00000003.00000002.2952304361.0000000005E7D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpJ	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpK	rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php2M-	rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php5	rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php93NN	rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php6	rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpis	rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093ix	rundll32.exe, 00000003.00000003.1813800892.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/%sRc	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php2	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpet	rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s(cj&	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpiA	rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s-cw&	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093m	rundll32.exe, 00000003.00000003.2480844680.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpli	rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpPN	rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093i	rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2014468571.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php.	rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php938BN	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.110:18530/u1129.html)B	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php/	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpSettings	rundll32.exe, 00000003.00000002.2948140851.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2901638420.0000000003003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php93m	rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%skc-&	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.14.dr	false		high
http://174.139.6.43:805/index.phpiU	rundll32.exe, 00000003.00000002.2948140851.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093(M#	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093f	rundll32.exe, 00000003.00000003.2764785465.0000000002FD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpiK	rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2764785465.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093nicy	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/%sDc	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093PN	rundll32.exe, 00000003.00000003.2603093395.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.44:803/	rundll32.exe, rundll32.exe, 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phppD	rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%szc	rundll32.exe, 00000003.00000002.3196216571.0000000028FE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.php93DN	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpC:	rundll32.exe, 00000003.00000002.2952368053.0000000005EFD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2952493586.000000000611A000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093?	rundll32.exe, 00000003.00000003.2175025275.0000000002FE9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phplState	rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093esk	rundll32.exe, 00000003.00000003.2764732142.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093ookies	rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false		high
http://174.139.6.43:805/index.phpta	rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phps	rundll32.exe, 00000003.00000003.2480812794.0000000003000000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2561407468.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2602900581.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480720015.0000000002FF7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2480844680.0000000002F92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.php	rundll32.exe, rundll32.exe, 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://174.139.6.43:805/index.phpy	rundll32.exe, 00000003.00000003.2175025275.0000000003005000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093C	rundll32.exe, 00000003.00000002.2948140851.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.sina.com.cn/u/5762479093te	rundll32.exe, 00000003.00000003.2561407468.0000000002F73000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
202.108.0.52	blogx.sina.com.cn	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
107.163.56.110	unknown	United States	20248	TAKE2US	true
174.139.6.44	unknown	United States	35908	VPLSNETUS	true
174.139.6.43	unknown	United States	35908	VPLSNETUS	true
174.139.6.42	unknown	United States	35908	VPLSNETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558483
Start date and time:	2024-11-19 14:14:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MYuRWuVXzX.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	9bb9978d1c6507e3368f7b8f48041fc8a5ddfc02.dll.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winDLL@42/10@3/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 37 Number of non-executed functions: 51
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.21
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com
Execution Graph export aborted for target rundll32.exe, PID 7924 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 8152 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: MYuRWuVXzX.dll

Simulations

Behavior and APIs

Time	Type	Description
08:15:23	API Interceptor	1478863x Sleep call for process: rundll32.exe modified
08:15:30	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:18:10	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
202.108.0.52	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	blog.sina.com.cn/u/5655029807
107.163.56.110	81mieek02V.dll	Get hash	malicious	Unknown	Browse
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse
	abc.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
blogx.sina.com.cn	yKVQVNB2qI.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	k4F4uRTZZR.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	http://zeuso.cc	Get hash	malicious	Unknown	Browse	202.108.0.52
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	5jme4p7u76.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	abc.dll	Get hash	malicious	Unknown	Browse	123.126.45.92

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	yKVQVNB2qI.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	202.108.0.52
	owari.mips.elf	Get hash	malicious	Unknown	Browse	111.193.177.206
	owari.x86.elf	Get hash	malicious	Unknown	Browse	60.194.199.155
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	202.108.0.52
	hmips.elf	Get hash	malicious	Mirai	Browse	111.196.123.227
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	123.112.202.42
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	113.45.119.194
VPLSNETUS	JwLT3elUtn.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	FaIJ2e7ZM4.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	8cv7XxmqSG.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	32YBHccuG9.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	xX1k6Ghe8s.elf	Get hash	malicious	Mirai	Browse	98.126.6.62
	i486.elf	Get hash	malicious	Mirai	Browse	174.139.206.64
	NoERE2024000013833.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	bin.sh.elf	Get hash	malicious	Mirai	Browse	174.139.206.51
	arm7.elf	Get hash	malicious	Unknown	Browse	98.126.6.24
	mpsl.elf	Get hash	malicious	Unknown	Browse	174.139.231.14
VPLSNETUS	JwLT3elUtn.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	FaIJ2e7ZM4.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	8cv7XxmqSG.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	32YBHccuG9.dll	Get hash	malicious	Unknown	Browse	98.126.40.18
	xX1k6Ghe8s.elf	Get hash	malicious	Mirai	Browse	98.126.6.62
	i486.elf	Get hash	malicious	Mirai	Browse	174.139.206.64
	NoERE2024000013833.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.7
	bin.sh.elf	Get hash	malicious	Mirai	Browse	174.139.206.51
	arm7.elf	Get hash	malicious	Unknown	Browse	98.126.6.24
	mpsl.elf	Get hash	malicious	Unknown	Browse	174.139.231.14
TAKE2US	JwLT3elUtn.dll	Get hash	malicious	Unknown	Browse	107.163.43.161
	yKVQVNB2qI.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	46PhJ3XpBT.dll	Get hash	malicious	Unknown	Browse	107.163.43.236
	01JkTmNJhe.dll	Get hash	malicious	Unknown	Browse	107.163.43.235
	oQy3XhO4cX.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.293110913986001
Encrypted:	false
SSDEEP:	6:yFOVOf7EazNqz9S0fUxLcF3HZjnjQeI+eeeeeeeeeeeeeeeA:8eOfAaz45S0sx85jnjQeIJpppppppA
MD5:	CB3AD9F834BCA003ECC48361D7870540
SHA1:	8CABD8F9012D53BBF24A57597B31ED0A6F85AA3C
SHA-256:	7EB43DF65CBD527A9E76DE503E012DEC1D64135310BFCAB8F7C3ED2B921A4CDD
SHA-512:	018E8E17FB8817B02B16741E87CD85F5A2A08C3EFF215400B5084649B414E5BED0FDAA45A95FD87D55B5FC4334E9C411079EB984E0D9110C8139DA30F4D7F6AE
Malicious:	false
Preview:	..2024-11-21 11:18..iOffset....2024-11-23 03:04..iOffset....2024-11-24 19:25..iOffset....2024-11-26 13:01..iOffset....2024-11-27 11:54..iOffset....2024-11-29 17:30..iOffset....2024-12-02 19:51..iOffset....2024-12-04 18:24..iOffset....2024-12-10 03:25..iOffset....2024-12-14 17:33..iOffset....2024-12-20 05:36..iOffset....2024-12-31 04:27..iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_5eb2d3d4-e5f5-4c1d-a11d-a7ed1d40f08d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9508546862759144
Encrypted:	false
SSDEEP:	192:WEi1OK+730BU/wjeT93WaZYzuiFMZ24IO8dci:5isJEBU/wjeZbYzuiFMY4IO8dci
MD5:	66763FB1E9794703720698870D56F479
SHA1:	05DA5D5EBEC78D5DAB0CE2CA7E3B3EB9AB94E956
SHA-256:	7B4D2E8B88596F8F60E0361A288813E6F265C0FD2E1ECCC7A9C9FD4A6EDEAEF5
SHA-512:	19DC4A581322E77D11B381B9A6ADD828C3D3C0A4EA12FADF94886004B2A57CEDB641C570128D4A407EBFC0611FE98C88479955A9DACE1AF6E2371D4AC32F8DEF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.5.7.3.1.1.8.8.8.4.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.5.7.3.1.5.9.5.1.0.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.b.2.d.3.d.4.-.e.5.f.5.-.4.c.1.d.-.a.1.1.d.-.a.7.e.d.1.d.4.0.f.0.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.e.f.1.d.0.5.-.7.5.0.c.-.4.0.e.c.-.a.c.d.c.-.8.c.4.6.4.2.e.3.f.e.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.d.8.-.0.0.0.1.-.0.0.1.4.-.d.6.0.5.-.a.0.1.b.8.5.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fee72e296cfe876676a0f903eac30ffbede4e6_7522e4b5_04d508df-b13c-449b-9b64-bcd97878548d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9514027808155535
Encrypted:	false
SSDEEP:	192:pRniAOGv0BU/wjeT93W6ZYzuiFnZ24IO8dci:pRixGcBU/wjeZ7YzuiFnY4IO8dci
MD5:	8194A9A24D686570E2B92FD6CB5F8826
SHA1:	81CEDD0FD63904D010CA5BDDA67B6B1979495F37
SHA-256:	39C3E3749E8918DA0A6758B941897D506DE0D233A7D0BED38CAA9C48D8342DB2
SHA-512:	5CA6DE658B5A72737349EE1D52EE2463D62D94473F7D6B69B5A9B8A9A86B2F4DA2BA6323F862BB6CAA8FFD7DB937E3F012892A6509EE110EA78A14DB150F6C19
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.5.7.2.9.0.3.4.9.3.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.5.7.2.9.4.8.8.0.6.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.d.5.0.8.d.f.-.b.1.3.c.-.4.4.9.b.-.9.b.6.4.-.b.c.d.9.7.8.7.8.5.4.8.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.a.1.b.7.0.a.-.0.0.c.8.-.4.f.8.4.-.9.2.d.7.-.1.6.e.a.4.0.3.e.9.d.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.4.-.0.0.0.1.-.0.0.1.4.-.b.d.8.f.-.c.6.1.9.8.5.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AD9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 13:15:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46216
Entropy (8bit):	1.9794755714100396
Encrypted:	false
SSDEEP:	192:ssPTy2DtjZJMXtXWmO5H40lr4H9xGwb/yBQUzaf:3bjZJdx5HxF4H9xbaBK
MD5:	9E389B04446927D94D59BFFE9D0A40D4
SHA1:	56A3124A48685653FA75A3B726AA77ADE71B9649
SHA-256:	A319A4AAFCB3166852F5175E51DE84AE81FF36D68D173E6505487A5296288A57
SHA-512:	15CF2900F8632A4356FC0C6EEEB184490916B7908630777BB6739C59008BC9DCAEADCFC6AFC9D526D69C1D049D72823D825F1DC4AC6FADF3F5961DEF96FD87E8
Malicious:	false
Preview:	MDMP..a..... .......q.<g........................................V/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T...........o.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BD4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8274
Entropy (8bit):	3.6940569434549695
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9a6SXCWUX6YSs65icgmfTxPprr89brLsfiZm:R6lXJA6iY6Yp6ocgmfTxOrQfV
MD5:	D20F02B26842ECD11FDE3304B191796E
SHA1:	FB9290ABEB980E35625B39222AED0BB2217CA385
SHA-256:	1BB1040ADEFE6051AD013B9F9AF84ADB17FEF59DCA0611BADE28A3574CD99A34
SHA-512:	8526B006F93AC78437E8C5EA3CE2346C59276DD3907529C8636AAA9F041AA7E2F2BDEF2D85C88858F89364BE5AEC65DB1BF85B82AAE61A918C760E639D353B12
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C04.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.460320859358136
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuNJg77aI9ojWpW8VYFYm8M4JCdPOFvK+q8/A8GScSUd:uIjfunI72S7VlJWEJ3Ud
MD5:	B0F66A1DCD7B3FC16FA4861704DE4867
SHA1:	D081775A758D35BF1A0C332769B3C6056E183254
SHA-256:	E9AD80C33C481A321A5E4981C20C275485024B341B5540BD9E0071FFA7688960
SHA-512:	B06C74A086F84FDA0578181F662243B72AE7FE9FBC07C05212A5763129468F6CFE6EBA1E29C63897CDFCFBEFE74D82FFFF6F3DB6C6158F4C784B4316FD4C1BB5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594978" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3355.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 13:15:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45442
Entropy (8bit):	1.996063253461622
Encrypted:	false
SSDEEP:	192:JwPHVvZ53MXtX2JYOO5H4svr/5XNEmYy9VATcrJS:wRZ53jWJ5HJvr/pNEmYy9VrJ
MD5:	A68BC57EB8F28ABC95A8A5DC46F4D8D1
SHA1:	20CE03308B78EE84743042F9649154968CC0971F
SHA-256:	783D22EEE56DE0184D935EB041E734BB988B95B3A9FFB4C68BAD04B1E4BCD80C
SHA-512:	5560525BF803AF04ABC662BA166721CC95C1D47E3C938502FEBE2C1E79AA6171FB59690F69866F170886E6B244286DFCCD90322DF24ED79F0EBBF930403EF491
Malicious:	false
Preview:	MDMP..a..... .......s.<g........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T...........r.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33F2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8266
Entropy (8bit):	3.688748163809048
Encrypted:	false
SSDEEP:	192:R6l7wVeJr56rU6YiQi6n9gmfTZPprr89bC6sfi2m:R6lXJ16rU6Yni69gmfTZuCZfa
MD5:	DCCC096D4F25E71833D3DF9A0469130F
SHA1:	D431BBEAC8991D49A09D49A06EF5C85A828A1280
SHA-256:	4670D56AC167F4F3D3E86EBDC2C24D70F0C3BDF1A7798F38C8FC5B883F7D2836
SHA-512:	CAB6BC848E3204B896845B9761DBC9B4453E21CC064A782AB06C8C5DBA3C1B10C69946F065593085EDB4E2C9CB56C43B40DB62A8BFE5E77D2834864848CF1C38
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3412.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.458297620235706
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuNJg77aI9ojWpW8VY6Ym8M4JCdPSFZ+q8/ABGScSeMd:uIjfunI72S7VOJxJJ37d
MD5:	06C6C47ABBF7CED9B220D5E9F0762ADA
SHA1:	8189DA923AD2234F7086FDBF239D8422E8E446E4
SHA-256:	296CEAC8FC92030E2387DE3AB242FF4BFC4F4391A93918ABA0F16362CEEE69CF
SHA-512:	02F239B5B9194F51C8CF57CB3DFCDE510FEF6B32CD3F160920CF6DDB14CE3FF8D4B08B044495D17865550C3DC0B3B02F5456DD62A01F817F7E90E5938497DF56
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594978" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417452535410101
Encrypted:	false
SSDEEP:	6144:mcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:Di58oSWIZBk2MM6AFBWo
MD5:	0A4195C8889E1B492EEC138DFAF4B2AD
SHA1:	D50A1153DC2E4A370E5F05BE3A3DF056C27DF248
SHA-256:	125DD136ADCB9354A1C78293A553F2E39994DDEE54A85175B56EE8401219636E
SHA-512:	54BC4752F1D1C86E5F5E7948271BE516D70FC54BD406F25EF6C2385027FEBE7DF7E2CAAB9C11F9ECF1A9D5DC2F7A3942FF0C3956A8EBB6E590C481338FEADED6
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..c..:................................................................................................................................................................................................................................................................................................................................................t.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.761135825722674
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.38% DOS Executable Borland Pascal 7.0x (2037/25) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Lumena CEL bitmap (63/63) 0.01%
File name:	MYuRWuVXzX.dll
File size:	192'575 bytes
MD5:	7b857fe6c2149e304d6866602fef9d6f
SHA1:	9bb9978d1c6507e3368f7b8f48041fc8a5ddfc02
SHA256:	78bc725cae147ff1836bedaf04336e7652dbaf9d7a25aae66322edd83f9dcb20
SHA512:	23868f3914706486db398338a49fb6e8e2a327bd071b2fc318587926ff98c854a0f76a619d9c09743c76305cb3f1a95dc020d9c302c876cbce82394f24dafdee
SSDEEP:	3072:Cri0+utSCXQJdqByftkViecNemfh0N5Wlu/gX6ASMqsCAn+/B87CVKrNyGTbd:CyrJdqByftkVbgQen+p7obTbd
TLSH:	241412D0D913A0B1D84BB7B825DBCB1EF1243017A695CEB1E384B138BD6B66770B2761
File Content Preview:	MZ.............................................................................................................................................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10065589
Entrypoint Section:	.est1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	0
OS Version Minor:	0
File Version Major:	0
File Version Minor:	0
Subsystem Version Major:	0
Subsystem Version Minor:	0
Import Hash:	2215f9a3d2de2463fea5e14bd0dbd9a7

Entrypoint Preview

Instruction
pushad
mov dword ptr [esp+1Ch], 4EC6F962h
pushad
jmp 00007FAE594B1286h
cmc
clc
neg al
call 00007FAE594B0D39h
and dl, ch
jnle 00007FAE594B150Bh
mov esi, AE5C2D87h
sbb eax, F47CA4D3h
mov esp, BC147CE4h
les edi, fword ptr [esp+eax*8+6Ch]
mov bh, 46h
in al, AAh
push ecx
dec edi
scasd
cmp dword ptr [ecx-17h], C6C226C7h
popad
sbb al, DEh
jne 00007FAE594B14EAh
stc
inc esi
popad
sbb eax, 7A8F1291h
into
ret
xchg eax, edi
or esi, A7E6ED61h
iretd
idiv dword ptr [esi+7Eh]
add eax, AC42FF13h
dec eax
jmp far 6F15h : CE0A2E88h
lodsb
and al, C7h
jns 00007FAE594B1510h
js 00007FAE594B15CBh
enter CA11h, F9h
add dword ptr [ecx-4A688F27h], esp
mov edi, 44BCA10Bh
outsb
xlatb
sbb al, E5h
pop ecx
jmp far 1C03h : 0A56CBCCh
inc ebp
push cs
xchg eax, esi
jmp 00007FADE5DE6EA7h
mov dword ptr [ebx+ebp*4-30h], ebp
jmp far CC57h : 9DD5F69Dh
movsb
test edi, esi
xchg eax, edi
pop ecx
or bh, byte ptr [eax]
lea esi, ebp
fst st(5)
sub eax, 1DA52D55h
pop ds
xchg eax, esp
lodsd
dec edi
call 00007FAE6632515Ch
aad 15h
mov ebp, 55A3F043h
and byte ptr [ecx-7F2CCA25h], ah
stc
xchg eax, ecx
retn 5028h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x58c5c	0x61	.est1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58f74	0x118	.est1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x1000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0x98	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3e1c8	0x7c	.est1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc4ec	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x356b	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x5fc8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.est0	0x18000	0x25554	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.est1	0x3e000	0x2bf7d	0x2c000	697364de1b5d873f98e514072c7a652b	False	0.9808127663352273	data	7.967511124980014	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6a000	0x98	0x1000	7f96a42c0ef6f25a1abe09ff6cc3a351	False	0.0361328125	data	0.2595957251572465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6b000	0x3ada	0x1000	733a9747d76ee70ba08fe167216cb9e0	False	0.072998046875	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 1701670722, imaginary	0.5998326230273214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0x6b230	0xe00	data	English	United States	0.007352941176470588
AVI	0x6c030	0xe00	empty	English	United States	0
AVI	0x6ce30	0x1caa	empty	English	United States	0
MUI	0x6b110	0x120	data	English	United States	0.5763888888888888

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	malloc
KERNEL32.dll	GetSystemDirectoryA
USER32.dll	wsprintfA
ADVAPI32.dll	OpenProcessToken
WS2_32.dll	closesocket
SHLWAPI.dll	PathIsDirectoryA
ole32.dll	CoInitializeEx
OLEAUT32.dll	VariantChangeType
MSVCP60.dll	?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
NETAPI32.dll	Netbios
KERNEL32.dll	GetModuleFileNameW
KERNEL32.dll	GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

Exports

Name	Ordinal	Address
Cache	1	0x10008645
InputFile	2	0x1000678b
PrintFile	3	0x1000443d

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:15:25.968750000 CET	49701	803	192.168.2.7	174.139.6.44
Nov 19, 2024 14:15:25.969182014 CET	49702	18530	192.168.2.7	107.163.56.110
Nov 19, 2024 14:15:26.976711035 CET	49701	803	192.168.2.7	174.139.6.44
Nov 19, 2024 14:15:26.976927042 CET	49702	18530	192.168.2.7	107.163.56.110
Nov 19, 2024 14:15:28.976762056 CET	49701	803	192.168.2.7	174.139.6.44
Nov 19, 2024 14:15:28.976844072 CET	49702	18530	192.168.2.7	107.163.56.110
Nov 19, 2024 14:15:32.976731062 CET	49701	803	192.168.2.7	174.139.6.44
Nov 19, 2024 14:15:32.976795912 CET	49702	18530	192.168.2.7	107.163.56.110
Nov 19, 2024 14:15:40.976735115 CET	49701	803	192.168.2.7	174.139.6.44
Nov 19, 2024 14:15:40.976824999 CET	49702	18530	192.168.2.7	107.163.56.110
Nov 19, 2024 14:15:47.994514942 CET	49710	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:15:49.008049011 CET	49710	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:15:51.008029938 CET	49710	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:15:51.015655994 CET	49711	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:51.016565084 CET	49712	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:52.008070946 CET	49712	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:52.023653030 CET	49711	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:54.008048058 CET	49712	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:54.023658037 CET	49711	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:54.683537960 CET	49713	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:15:55.008105040 CET	49710	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:15:55.032968044 CET	49714	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:55.404696941 CET	49715	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:55.581991911 CET	49716	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:15:56.039271116 CET	49714	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:56.414303064 CET	49715	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:56.586164951 CET	49716	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:15:58.039310932 CET	49714	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:58.429919004 CET	49715	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:58.586230040 CET	49716	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:15:59.042355061 CET	49717	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:15:59.157358885 CET	49719	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:15:59.157592058 CET	49720	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:00.039288044 CET	49717	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:00.164335012 CET	49719	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:00.164355040 CET	49720	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:02.133084059 CET	49717	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:02.179982901 CET	49719	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:02.336194038 CET	49720	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:03.008105040 CET	49710	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:03.110068083 CET	49721	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:03.258155107 CET	49723	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:03.358597994 CET	49724	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:04.133162022 CET	49721	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:04.273722887 CET	49723	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:04.367456913 CET	49724	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:06.133085012 CET	49721	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:06.273768902 CET	49723	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:06.383131981 CET	49724	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:07.102595091 CET	49730	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:07.215215921 CET	49731	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:07.218239069 CET	49732	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:08.117464066 CET	49730	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:08.211256981 CET	49732	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:08.226841927 CET	49731	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:09.145294905 CET	49733	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:10.133111954 CET	49730	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:10.133110046 CET	49733	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:10.211252928 CET	49732	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:10.242486954 CET	49731	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:11.216938972 CET	49734	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:11.314013004 CET	49735	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:11.324549913 CET	49736	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:12.148925066 CET	49733	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:12.226866007 CET	49734	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:12.320612907 CET	49735	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:12.336213112 CET	49736	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:14.242480993 CET	49734	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:14.323225975 CET	49735	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:14.336210012 CET	49736	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:15.217668056 CET	49737	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:15.347918987 CET	49738	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:15.349728107 CET	49739	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:16.215356112 CET	49733	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:16.226849079 CET	49737	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:16.414339066 CET	49738	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:16.414340019 CET	49739	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:18.242537975 CET	49737	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:18.508137941 CET	49738	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:18.509224892 CET	49739	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:19.228382111 CET	49740	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:19.341869116 CET	49741	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:19.342580080 CET	49742	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:20.351897001 CET	49742	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:20.398864985 CET	49741	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:20.398885965 CET	49740	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:22.367520094 CET	49742	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:22.398752928 CET	49740	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:22.398897886 CET	49741	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:23.243558884 CET	49744	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:23.357207060 CET	49745	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:23.357634068 CET	49746	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:24.211360931 CET	49733	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:24.258100986 CET	49744	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:24.351857901 CET	49745	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:24.367505074 CET	49746	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:26.258138895 CET	49744	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:26.351895094 CET	49745	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:26.383184910 CET	49746	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:27.258985043 CET	49747	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:27.372498989 CET	49748	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:27.372843981 CET	49749	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:28.258151054 CET	49747	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:28.383174896 CET	49748	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:28.383291960 CET	49749	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:30.258200884 CET	49747	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:30.322020054 CET	49750	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:30.383160114 CET	49748	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:30.385229111 CET	49749	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:31.258882999 CET	49751	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:31.336324930 CET	49750	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:31.381665945 CET	49752	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:31.383624077 CET	49753	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:32.273811102 CET	49751	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:32.383204937 CET	49752	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:32.385230064 CET	49753	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:33.336302996 CET	49750	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:34.289419889 CET	49751	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:34.383210897 CET	49752	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:34.383210897 CET	49753	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:35.277220011 CET	49755	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:35.387283087 CET	49756	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:35.388334036 CET	49757	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:36.273857117 CET	49755	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:36.398802042 CET	49756	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:36.399250984 CET	49757	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:37.336349964 CET	49750	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:38.273777962 CET	49755	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:38.400945902 CET	49756	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:38.401220083 CET	49757	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:39.274810076 CET	49758	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:39.393409014 CET	49759	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:39.394593954 CET	49760	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:40.273822069 CET	49758	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:40.383203983 CET	49759	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:40.398803949 CET	49760	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:42.273825884 CET	49758	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:42.383193970 CET	49759	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:42.399281025 CET	49760	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:43.290503979 CET	49762	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:43.403106928 CET	49763	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:43.404423952 CET	49764	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:44.305049896 CET	49762	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:44.414460897 CET	49763	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:44.415229082 CET	49764	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:45.336319923 CET	49750	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:46.305093050 CET	49762	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:46.430093050 CET	49763	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:46.433228016 CET	49764	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:47.311919928 CET	49765	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:47.419796944 CET	49766	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:47.420892954 CET	49767	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:48.320710897 CET	49765	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:48.430053949 CET	49766	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:48.432255983 CET	49767	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:50.336322069 CET	49765	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:50.430130959 CET	49766	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:50.432528973 CET	49767	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:51.306488037 CET	49768	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:51.419017076 CET	49769	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:51.420368910 CET	49770	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:51.453625917 CET	49771	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:52.305115938 CET	49768	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:52.430090904 CET	49769	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:52.430090904 CET	49770	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:52.461335897 CET	49771	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:54.320770979 CET	49768	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:54.430102110 CET	49769	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:54.430102110 CET	49770	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:54.461425066 CET	49771	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:55.321887016 CET	49772	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:55.441435099 CET	49773	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:55.799202919 CET	49774	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:56.336333036 CET	49772	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:56.445744038 CET	49773	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:56.805191040 CET	49774	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:57.502216101 CET	49775	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:57.503593922 CET	49776	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:57.504211903 CET	49777	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:58.461383104 CET	49771	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:16:58.508263111 CET	49777	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:16:58.508263111 CET	49776	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:16:58.508290052 CET	49775	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:00.508305073 CET	49775	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:00.508327961 CET	49777	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:00.508362055 CET	49776	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:01.509066105 CET	49778	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:01.622514009 CET	49779	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:01.623567104 CET	49780	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:02.508234978 CET	49778	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:02.633225918 CET	49779	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:02.633251905 CET	49780	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:04.523968935 CET	49778	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:04.633322954 CET	49779	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:04.635370016 CET	49780	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:05.525218010 CET	49782	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:05.642155886 CET	49783	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:05.643446922 CET	49784	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:06.461383104 CET	49771	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:06.539469957 CET	49782	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:06.648870945 CET	49784	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:06.648871899 CET	49783	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:08.555146933 CET	49782	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:08.648902893 CET	49784	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:08.648909092 CET	49783	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:09.540383101 CET	49786	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:09.654217958 CET	49787	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:09.655111074 CET	49788	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:10.555123091 CET	49786	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:10.664592981 CET	49787	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:10.664593935 CET	49788	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:12.555126905 CET	49786	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:12.578476906 CET	49789	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:12.680113077 CET	49787	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:12.680170059 CET	49788	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:13.540435076 CET	49790	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:13.570775986 CET	49789	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:13.657846928 CET	49791	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:13.658763885 CET	49792	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:14.680155993 CET	49792	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:14.680157900 CET	49791	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:14.680166960 CET	49790	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:15.573442936 CET	49789	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:16.680160999 CET	49790	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:16.680301905 CET	49792	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:16.680424929 CET	49791	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:17.863663912 CET	49793	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:17.988631964 CET	49794	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:18.039454937 CET	49795	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:18.939928055 CET	49793	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:19.039531946 CET	49794	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:19.039531946 CET	49795	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:19.586390972 CET	49789	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:20.992650986 CET	49793	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:21.133296013 CET	49794	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:21.133405924 CET	49795	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:21.859607935 CET	49796	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:21.975028038 CET	49797	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:21.977174997 CET	49798	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:22.953454971 CET	49796	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:22.997248888 CET	49798	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:23.133389950 CET	49797	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:24.992670059 CET	49798	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:25.039592981 CET	49796	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:25.242681980 CET	49797	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:26.112729073 CET	49800	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:26.113234997 CET	49801	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:26.113771915 CET	49802	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:27.133280993 CET	49800	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:27.133337975 CET	49801	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:27.156802893 CET	49802	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:27.680174112 CET	49789	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:29.133358955 CET	49800	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:29.133477926 CET	49801	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:29.195808887 CET	49802	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:30.250857115 CET	49803	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:30.252608061 CET	49804	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:30.255140066 CET	49805	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:31.289576054 CET	49804	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:31.289613008 CET	49803	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:31.289772034 CET	49805	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:33.289580107 CET	49804	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:33.289628983 CET	49805	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:33.289737940 CET	49803	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:33.830959082 CET	49806	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:34.278074980 CET	49807	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:34.389992952 CET	49808	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:34.390203953 CET	49809	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:34.992691994 CET	49806	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:35.400424004 CET	49808	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:35.400490046 CET	49809	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:35.445812941 CET	49807	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:37.180212021 CET	49806	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:37.445929050 CET	49807	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:37.492712975 CET	49808	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:37.492712975 CET	49809	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:38.290735006 CET	49810	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:38.408442974 CET	49811	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:38.411551952 CET	49812	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:39.449084044 CET	49810	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:39.449269056 CET	49811	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:39.449278116 CET	49812	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:41.289585114 CET	49806	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:41.539618969 CET	49810	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:41.543308020 CET	49811	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:41.543431044 CET	49812	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:42.293278933 CET	49815	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:42.405395031 CET	49816	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:42.406645060 CET	49817	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:43.445847988 CET	49816	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:43.446382046 CET	49817	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:43.453305006 CET	49815	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:45.459029913 CET	49815	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:45.539634943 CET	49816	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:45.543498993 CET	49817	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:46.469209909 CET	49820	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:46.470593929 CET	49821	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:46.472385883 CET	49822	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:47.492729902 CET	49820	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:47.495062113 CET	49821	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:47.633727074 CET	49822	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:49.383380890 CET	49806	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:49.492743015 CET	49820	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:49.492765903 CET	49821	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:49.742875099 CET	49822	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:50.616060019 CET	49823	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:50.616261005 CET	49824	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:50.618333101 CET	49825	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:51.633356094 CET	49823	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:51.680252075 CET	49824	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:51.680345058 CET	49825	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:53.633372068 CET	49823	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:53.790070057 CET	49824	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:53.790070057 CET	49825	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:54.618798971 CET	49826	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:54.776606083 CET	49828	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:54.776616096 CET	49827	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:55.588099003 CET	49829	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:55.742784977 CET	49826	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:55.945934057 CET	49827	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:55.945935011 CET	49828	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:56.695947886 CET	49829	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:57.742788076 CET	49826	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:57.945914030 CET	49827	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:57.947057962 CET	49828	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:58.695930958 CET	49829	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:17:58.733944893 CET	49830	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:58.734498024 CET	49831	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:59.306345940 CET	49832	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:17:59.789691925 CET	49830	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:17:59.789789915 CET	49831	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:00.445918083 CET	49832	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:18:01.789694071 CET	49831	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:01.789727926 CET	49830	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:02.446013927 CET	49832	80	192.168.2.7	202.108.0.52
Nov 19, 2024 14:18:02.745913982 CET	49833	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:02.789716959 CET	49829	3204	192.168.2.7	174.139.6.42
Nov 19, 2024 14:18:02.874643087 CET	49834	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:03.742821932 CET	49833	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:03.992822886 CET	49834	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:05.742863894 CET	49833	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:06.008493900 CET	49834	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:09.742885113 CET	49833	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:10.024151087 CET	49834	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:17.742945910 CET	49833	805	192.168.2.7	174.139.6.43
Nov 19, 2024 14:18:18.041418076 CET	49834	805	192.168.2.7	174.139.6.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:15:54.151190996 CET	51322	53	192.168.2.7	1.1.1.1
Nov 19, 2024 14:15:54.642369032 CET	53	51322	1.1.1.1	192.168.2.7
Nov 19, 2024 14:16:55.444747925 CET	51369	53	192.168.2.7	1.1.1.1
Nov 19, 2024 14:16:55.798311949 CET	53	51369	1.1.1.1	192.168.2.7
Nov 19, 2024 14:17:58.735167027 CET	51846	53	192.168.2.7	1.1.1.1
Nov 19, 2024 14:17:59.304852962 CET	53	51846	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 14:15:54.151190996 CET	192.168.2.7	1.1.1.1	0xd336	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:16:55.444747925 CET	192.168.2.7	1.1.1.1	0x11cf	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:17:58.735167027 CET	192.168.2.7	1.1.1.1	0x8e5d	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 14:15:54.642369032 CET	1.1.1.1	192.168.2.7	0xd336	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:15:54.642369032 CET	1.1.1.1	192.168.2.7	0xd336	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:16:55.798311949 CET	1.1.1.1	192.168.2.7	0x11cf	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:16:55.798311949 CET	1.1.1.1	192.168.2.7	0x11cf	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false
Nov 19, 2024 14:17:59.304852962 CET	1.1.1.1	192.168.2.7	0x8e5d	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)	false
Nov 19, 2024 14:17:59.304852962 CET	1.1.1.1	192.168.2.7	0x8e5d	No error (0)	blogx.sina.com.cn		202.108.0.52	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll"
Imagebase:	0xca0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,Cache
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",#1
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:15:21
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x1a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:15:24
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,InputFile
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:15:27
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\MYuRWuVXzX.dll,PrintFile
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:15:28
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 672
Imagebase:	0xfd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",InputFile
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MYuRWuVXzX.dll",PrintFile
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7212, Parent PID: 7192

General

Target ID:	21
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8152 -s 668
Imagebase:	0xfd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:15:30
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x1a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:15:56
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Imagebase:	0x7ff75da10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:15:56
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5404, Parent PID: 7536

General

Target ID:	27
Start time:	08:15:56
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:15:57
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x1a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:16:04
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\MYuRWuVXzX.dll",Cache
Imagebase:	0x330000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7744, Parent PID: 7700

General

Target ID:	30
Start time:	08:16:05
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7808, Parent PID: 7744

General

Target ID:	31
Start time:	08:16:05
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:16:06
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x1a0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	215
Total number of Limit Nodes:	11

Executed Functions

Function 10008B7A Relevance: 5.1, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\user\Desktop\MYuRWuVXzX.dll, xrefs: 10008B7A
\\.\PHYSICALDRIVE%d, xrefs: 10008B8E
C:\Users\user\Desktop, xrefs: 10008B85
12010110, xrefs: 10008B83

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 12010110$C:\Users\user\Desktop$C:\Users\user\Desktop\MYuRWuVXzX.dll$\\.\PHYSICALDRIVE%d
API String ID: 0-3001985746
Opcode ID: d1bde99b7a48b8a99095c3bee3ab59be48feb6d361b3f5fdcb5601930a665859
Instruction ID: 249cf3601d27e5fa7ddbc6ba0a3185761e4daf039234a1860a3155705fd1f26b
Opcode Fuzzy Hash: d1bde99b7a48b8a99095c3bee3ab59be48feb6d361b3f5fdcb5601930a665859
Instruction Fuzzy Hash: F321D2B650411CBEF721D6A4DC86EEF73BCEB006D8F104722BA50A60C1EA74AF0847B5

Function 10003FB7 Relevance: 1.5, APIs: 1, Instructions: 4processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12

Function 100042A2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0b067cb8bbfa7de454ba6c3417ffa9e589ecfc91d67ec7e279df7130436443
Instruction ID: 8f64b4c478186d3a8207ec9037983d4e2cc715c9f42932eb678dd7b57f5906ff
Opcode Fuzzy Hash: 2d0b067cb8bbfa7de454ba6c3417ffa9e589ecfc91d67ec7e279df7130436443
Instruction Fuzzy Hash: CD012C75901119BEEF10DBA4DD82EEFBBFCDF09290F404061B940E6151E7B0AB009BA0

Function 10008AAD Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4505f0bd29c53c8e4fe4ed99ff9dfd0c6da315105a386e57f5c4fc47fc3019e
Instruction ID: e794ed515d01e19b3d2ac5b7441d454b1bbdacd0a92e1b0313b33cc43114ccfe
Opcode Fuzzy Hash: b4505f0bd29c53c8e4fe4ed99ff9dfd0c6da315105a386e57f5c4fc47fc3019e
Instruction Fuzzy Hash: C9F0966228E3C26DE30287285841BC2FF846B76314F0CCBCDB0D85B283C1A58088CBB6

Function 10006EDE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 174
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F24
Sleep.KERNEL32 ref: 10007059
wsprintfA.USER32 ref: 1000709D
PrintFile.MYURWUVXZX(00000000,?,00000000), ref: 100070D6
PrintFile.MYURWUVXZX(00000000,?,00000000,?,00000000), ref: 100070E9

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006F90
c:\1.txt, xrefs: 10007047
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F79
iOffset, xrefs: 10007042
QVNEU3ZjLmV4ZQ==, xrefs: 10006EEE
http://174.139.6.43:805/index.php, xrefs: 10007007

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FilePrintSleep$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://174.139.6.43:805/index.php$iOffset
API String ID: 1547040302-2718946471
Opcode ID: 21c1d53286d87408efaf897a79b2c6b33d3911d636a9fd1d838c49cbb3a062a6
Instruction ID: 5a36ebefe1c04161e99549fc7ab99fecfd9d3f15ee4e50f1ea2acdaac8b1ccbf
Opcode Fuzzy Hash: 21c1d53286d87408efaf897a79b2c6b33d3911d636a9fd1d838c49cbb3a062a6
Instruction Fuzzy Hash: BE51C7B6D04359AAF722D760CC56FCF77ACEB083C1F1045A5F208E6086DA75AB808E55

Function 10005DB4 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 116
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(00000000,?,000F003F,00000000,?,80000002,?,10005E16,?,ProcessorNameString,00000000,00000004,?,?,80000002,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Strings

@, xrefs: 10005E57
ProcessorNameString, xrefs: 10005E02
%u MB, xrefs: 10005E7E
Find CPU Error, xrefs: 10005E36
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
12010110, xrefs: 10005E8F
http://174.139.6.43:805/index.php, xrefs: 10005EF8

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12010110$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://174.139.6.43:805/index.php
API String ID: 271660946-1867114097
Opcode ID: 5bba1878f1e395187efe2545bde0c3003e7e72feb6fdbd658dc2b7cbbad62c67
Instruction ID: 608af9c2b18cb9836f978af7e57985311d6e03b70ae207eed12c800596a1b3a1
Opcode Fuzzy Hash: 5bba1878f1e395187efe2545bde0c3003e7e72feb6fdbd658dc2b7cbbad62c67
Instruction Fuzzy Hash: 0B31E076C04208BAFB10D764DC46FDF77BCEB04341F50406AFA54BA182EB75BA458B99

Function 10006CF7 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 72
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

wsprintfA.USER32 ref: 10006D88
___crtGetTimeFormatEx.LIBCMT ref: 10006DAE

Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DB3,?,Cache,00000000,00000001,?,00000001,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Strings

%s "%s",Cache, xrefs: 10006D82
C:\Users\user\Desktop\MYuRWuVXzX.dll, xrefs: 10006D26, 10006D2C, 10006D71
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
Cache, xrefs: 10006DA6
REG_SZ, xrefs: 10006D44
C:\Windows\SysWOW64\rundll32.exe, xrefs: 10006D77

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Cache$C:\Users\user\Desktop\MYuRWuVXzX.dll$C:\Windows\SysWOW64\rundll32.exe$Cache$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-1077102366
Opcode ID: bb86c0d43eb9ab9efd1c2027701aff7e6fc11ff8395b8caecd4f4744f71e12c2
Instruction ID: 99ed05e62e7b3a3f3e6c4431fc974c4e82ca3383c3213c1f9da7e30f49cf53f9
Opcode Fuzzy Hash: bb86c0d43eb9ab9efd1c2027701aff7e6fc11ff8395b8caecd4f4744f71e12c2
Instruction Fuzzy Hash: B01182B694421CBEFB11D7A4DC86FEA776CEB14344F1004A1F704B9085DAB16FD88AA4

Function 10007FB7 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 186
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100081C7

Strings

NPKI, xrefs: 1000802C
12010110, xrefs: 1000805B
., xrefs: 10007FCF
174.139.6.43:805/index.php, xrefs: 10008113
L2ltYWdlLnBocA==, xrefs: 1000818B
%s\%s, xrefs: 10008067
P, xrefs: 100080F7

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$.$12010110$174.139.6.43:805/index.php$L2ltYWdlLnBocA==$NPKI$P
API String ID: 3472027048-4197230044
Opcode ID: 738c273e8d31f38ad0daa88aa3a4d685d09218f99bde4f8603f1d83bf758a085
Instruction ID: 5cc609afffd9a73f0ab383a3698fbf555166cf4d4a761eedf9d78448fcab9a5b
Opcode Fuzzy Hash: 738c273e8d31f38ad0daa88aa3a4d685d09218f99bde4f8603f1d83bf758a085
Instruction Fuzzy Hash: C451617690425DBEEB51D7A4DC45FEEB7ACEF48380F1004E6E648E6141EB70AB858F21

Function 100082A2 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 127
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=,00000000,00000000), ref: 10008394
wsprintfA.USER32 ref: 100083E6

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
127.0.0.1, xrefs: 100083F4
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405, 10008411
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
http://174.139.6.43:805/index.php, xrefs: 10008353
8.8.8.8, xrefs: 100083EF

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://174.139.6.43:805/index.php
API String ID: 1749205058-1389873648
Opcode ID: 281b55e171da5a292cc508f9d456748616b2977669ef144c21f529741d2b06fe
Instruction ID: b9027ece183413cc2fe871766ac14a59ec9628a189d2433f2f5c13587e1fa655
Opcode Fuzzy Hash: 281b55e171da5a292cc508f9d456748616b2977669ef144c21f529741d2b06fe
Instruction Fuzzy Hash: 2A31F5B6900259B6F711D360CC46FCF37ACEF456C1F2404A6F648AA08AEA75AB804B51

Function 100064D5 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 276
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 100064F7

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006546

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39

Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51

wsprintfA.USER32 ref: 100066E9

Strings

title, xrefs: 10006647, 1000664C, 10006655, 10006672
aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, xrefs: 100064DF
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000651A

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$Openwsprintf$FileFormatReadTime___crt
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
API String ID: 4054021910-2496724313
Opcode ID: 046fad9f1a01958933c92563f2ac2e9ff5bbde693b647f0ba0e795645c39142f
Instruction ID: 9459dd3cd27c57b52d55672e45d00a506ff908c1b4166d964e6a9a6025d7088c
Opcode Fuzzy Hash: 046fad9f1a01958933c92563f2ac2e9ff5bbde693b647f0ba0e795645c39142f
Instruction Fuzzy Hash: 0481F5B5800249BEFF01DBA4DC82EFF7B7EEF05394F244159F505AA186DA316E8187A1

Function 10008567 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710), ref: 1000857E
Sleep.KERNEL32(001B7740), ref: 100085BF
wsprintfA.USER32 ref: 100085EC

Strings

aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008580
D, xrefs: 10008612
c:\%d.log, xrefs: 100085E6

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
API String ID: 3195947292-1533272838
Opcode ID: 0ca7da5b3ddec2943bb518be0dac8ee471aea5d562f2196624dfc1188ca199db
Instruction ID: 7ef7ad822adc65929ef9e9b86761b6b78b237e2069168f738ddcddf76cdc0eac
Opcode Fuzzy Hash: 0ca7da5b3ddec2943bb518be0dac8ee471aea5d562f2196624dfc1188ca199db
Instruction Fuzzy Hash: F7218EB6C0021CBAEB12EBE4CC45EDFBB7CEF48390F140466F604BB141E6756A458BA1

Function 10006A6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006AA8

Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546

Sleep.KERNEL32(0002BF20,00000000,00000000,000000FF), ref: 10006ADD
CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006AF1

Strings

0x5d65r455f, xrefs: 10006A97
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
String ID: 0x5d65r455f$5762479093
API String ID: 3244495550-2446933972
Opcode ID: a13e0f18fc6e0420c103244c8fb900a35603c7e1ff33430f2db7de7981c5a32c
Instruction ID: c7833fed3da569f06028073e70e7158df40545cc9dc8be8198411593bd3a30d9
Opcode Fuzzy Hash: a13e0f18fc6e0420c103244c8fb900a35603c7e1ff33430f2db7de7981c5a32c
Instruction Fuzzy Hash: 090128B99842187AF210F3705CC7CFF3A5DDB963E4F200135F919A518BDA25AC1541B2

Function 100087B7 Relevance: 7.5, APIs: 5, Instructions: 27
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000927C0), ref: 100087C5
CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
CreateThread.KERNEL32(?,?,Function_0000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
Sleep.KERNEL32(000000FF), ref: 100087E8

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$CreateThread
String ID:
API String ID: 3220764680-0
Opcode ID: 9857e69c7aa5c04d87c58b36f69020f73a70e859f82f10bb09c527f9e2964423
Instruction ID: 97d8cae0da7006b7316437b6fdaa94dcad4298e965bed5c2a5e4c1c08e9363ca
Opcode Fuzzy Hash: 9857e69c7aa5c04d87c58b36f69020f73a70e859f82f10bb09c527f9e2964423
Instruction Fuzzy Hash: 6AD0C9E478835D3CB520B2B60CC9CBF0C0DEBD46FC3264651F669600CE9D808E0089B2

Function 10006499 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 157
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 100064F7

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006546

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39

Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51

wsprintfA.USER32 ref: 100066E9

Strings

aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, xrefs: 100064DF
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000651A

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$Openwsprintf$FileFormatReadTime___crt
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==
API String ID: 4054021910-782189213
Opcode ID: b87da06acb430e907b55b819f665df5b55ac14934558c586ad0e38b2a4140d52
Instruction ID: de3fa6ad6e6742deb3c2b819075dd216dcc61d4f02b498222e5c9363de44746d
Opcode Fuzzy Hash: b87da06acb430e907b55b819f665df5b55ac14934558c586ad0e38b2a4140d52
Instruction Fuzzy Hash: 54414CB6C0020DBEFB01DBA4DC82DFF7A7DEF08394F204169F518A6196DA355E908A61

Function 10006363 Relevance: 6.1, APIs: 4, Instructions: 115
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcspn.MSVCRT ref: 10006399
strcspn.MSVCRT ref: 100063B6
strcspn.MSVCRT ref: 100063FC
strcspn.MSVCRT ref: 1000641B

Part of subcall function 1000611F: ___crtGetTimeFormatEx.LIBCMT ref: 1000616C

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: strcspn$FormatTime___crt
String ID:
API String ID: 4006067733-0
Opcode ID: 7e32e84c0a2b412161a271b9c855e4361201e3b0bc6c11258c3eb35fef5bf9f9
Instruction ID: b9784272a563ed647374224906bb77998104648b3eb0055089ee48751274d8f0
Opcode Fuzzy Hash: 7e32e84c0a2b412161a271b9c855e4361201e3b0bc6c11258c3eb35fef5bf9f9
Instruction Fuzzy Hash: A631767590021CBEEB10DBB4DC85EDF77ADEF04390F504566FA09D6056DA35DB448BA0

Function 100044AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExtendedUdpTable.IPHLPAPI(00000000,?,?,00000002,?,00000000,?,iphlpapi.dll), ref: 100044E9
GetExtendedUdpTable.IPHLPAPI(?,?,?,00000002,?,00000000,?,?,00000002,?,00000000,?,iphlpapi.dll), ref: 10004513

Strings

iphlpapi.dll, xrefs: 100044BC

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable
String ID: iphlpapi.dll
API String ID: 2407854163-3565520932
Opcode ID: d82edb1e857bd60df8add89c233c21abde8a7e740d00d5f79b39cdb23c40caaa
Instruction ID: 2b6a4aec73c395bd92e634a55f7942d7b0a3164a7a8f2c2b2096f65af21ae163
Opcode Fuzzy Hash: d82edb1e857bd60df8add89c233c21abde8a7e740d00d5f79b39cdb23c40caaa
Instruction Fuzzy Hash: 5631FFB6800608BFEB11DFA8CC85DDE77BCEF442E1B214955F914DB146EB30AE408B64

Function 100068F8 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

SeShutdownPrivilege, xrefs: 100069FF, 10006A0F
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 5762479093$SeShutdownPrivilege
API String ID: 0-1771388387
Opcode ID: b4a836b946240cbe1def2f35d60b8c487668c573af1450d585fea53fd24861db
Instruction ID: d3a21b4f74493aeb9dd88069dc64c0ae8414ec74d9ca3800e512990c6a579e11
Opcode Fuzzy Hash: b4a836b946240cbe1def2f35d60b8c487668c573af1450d585fea53fd24861db
Instruction Fuzzy Hash: B241C475944209E9FB20D7508C85FFE76AEEB097D4F20016AF509EA0D9D731A984CA62

Function 1000841C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 117sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000493E0,?,80000002,00000000,00000000,000F003F,?), ref: 1000855C

Strings

U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
svchsot.exe, xrefs: 10008524

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
API String ID: 3472027048-2214221337
Opcode ID: f4f0ee8a253ab6dba32727d968bbb502684d180bac0acc3bdd0f5a5de59c2010
Instruction ID: 2b87abad24d222f77376842b4db962159d115086a0dd07b55e0a50adafb81ab1
Opcode Fuzzy Hash: f4f0ee8a253ab6dba32727d968bbb502684d180bac0acc3bdd0f5a5de59c2010
Instruction Fuzzy Hash: 9D311AB6D0015DBEEB11DB94CD81DEFB7BDFB48284F1040A6F645E6105DA31AF848BA1

Function 10007101 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 100071AC
wsprintfA.USER32 ref: 100071FE

Strings

http://174.139.6.43:805/index.php, xrefs: 1000716B

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: http://174.139.6.43:805/index.php
API String ID: 1749205058-3195113140
Opcode ID: b9a93c41c781ff9bcfc1e770fd87d2c773d1f13bec1a5afbddaab18e762cc614
Instruction ID: 6e35aeaf06452b137760d0cb28982c4119741183e15c1229ce18836c51c33211
Opcode Fuzzy Hash: b9a93c41c781ff9bcfc1e770fd87d2c773d1f13bec1a5afbddaab18e762cc614
Instruction Fuzzy Hash: 132129B6D046557AF724D368CC56FCF3BACEF053D0F2000A6F608A50C6E679AE818A11

Function 10006B1F Relevance: 4.5, APIs: 3, Instructions: 49sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006B55
CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B6B
Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,000000FF), ref: 10006B88

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexSleepThread
String ID:
API String ID: 145085098-0
Opcode ID: 3a37f27f64aa174b464509ffcf5adc4b8df3645fe29b96b397a54e66a86212bd
Instruction ID: 3c4a2237d08e5d9619e00aa7178cdc103747d202c60392635861d92f18f70279
Opcode Fuzzy Hash: 3a37f27f64aa174b464509ffcf5adc4b8df3645fe29b96b397a54e66a86212bd
Instruction Fuzzy Hash: EBF0F6B58012647AF621A7B69C8ECDF3E6CDFC67E0F100531F908E618ACA24AD4181F5

Function 100061BD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006201

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: 07bfe6b510ffef2be47a0901998903ec219d5332ad1c8848e6b7f42a5d37de2e
Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
Opcode Fuzzy Hash: 07bfe6b510ffef2be47a0901998903ec219d5332ad1c8848e6b7f42a5d37de2e
Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660

Function 10006290 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 100062BF

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen$FormatTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 1165476586-1918919809
Opcode ID: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
Opcode Fuzzy Hash: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5

Function 100081F7 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0036EE80), ref: 10008264

Strings

C:\Program Files, xrefs: 10008200

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: 9c12519ba8f92ada5ea338270599224c826a3e176a5bdac3043c0311ba39c226
Instruction ID: ff1306f0a4f1ac59270128d03767b5ad6af54f96c84c5a7b76bd668247e82245
Opcode Fuzzy Hash: 9c12519ba8f92ada5ea338270599224c826a3e176a5bdac3043c0311ba39c226
Instruction Fuzzy Hash: 60F02276906AA1E6F701DFA458C068F776DFF122A1B210026F940BF046D7B59A4147E2

Function 1002FC2C Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 1002FC6B

Memory Dump Source

Source File: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4044b73696f51e2b1e6b64f9a02cc54bd33ead4d284a8560e5da045e9fae3fc4
Instruction ID: e0253bfad846330eafa5c008a753518da0f6e358bb3de22cecf7cdfeca1259cc
Opcode Fuzzy Hash: 4044b73696f51e2b1e6b64f9a02cc54bd33ead4d284a8560e5da045e9fae3fc4
Instruction Fuzzy Hash: 47E06D7800C351AED723DB2884C169EBBE1DF48655F1049AEB4C44A641C779DA05EB12

Function 1002B150 Relevance: 1.5, APIs: 1, Instructions: 14threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 1002FC6B

Memory Dump Source

Source File: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d38e7efbe615d41d2d6fa62e7cbfb4af4c7bd3cc66e2ee54b90ea067be29ed54
Instruction ID: 4064a7a5daca11f8f9dbaf12f50649776f869870b9e913b9e3adfbb249650240
Opcode Fuzzy Hash: d38e7efbe615d41d2d6fa62e7cbfb4af4c7bd3cc66e2ee54b90ea067be29ed54
Instruction Fuzzy Hash: EEC012B400C314BDD633EA1044C111DBE66EF08286F60092DBD401CB014B359B10DA42

Function 1000406C Relevance: 1.5, APIs: 1, Instructions: 14registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91

Function 10026BEA Relevance: 1.5, APIs: 1, Instructions: 12synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 10026BF6

Memory Dump Source

Source File: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b53a6fd793d964561314562eaf470bd251ec6143a7204699d6019c60fe4b5473
Instruction ID: be84c96467a41ecb0327eec6b986b37bffeddc9a651601713d77c6c5998be69a
Opcode Fuzzy Hash: b53a6fd793d964561314562eaf470bd251ec6143a7204699d6019c60fe4b5473
Instruction Fuzzy Hash: 68C08CBA440199744D33EB606CC7E6F3BA6EDA2385BC00C09B681A9A16D5213460C7A7

Function 10003F0A Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95

Function 100040BA Relevance: 1.5, APIs: 1, Instructions: 10registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1

Function 10003ECE Relevance: 1.5, APIs: 1, Instructions: 5synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02

Function 10003FF7 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12

Function 10004104 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

Process32First.KERNEL32(00000000,00000000), ref: 1000410C

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12

Function 10004115 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,00000000), ref: 1000411D

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12

Function 10003F72 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
Instruction ID: df56204a28902bd86cd8e7b59e1535f4ff11cbe2af3c274bf077f84441daad3a
Opcode Fuzzy Hash: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
Instruction Fuzzy Hash: 869002705051109BDF015B11CF494497A65AB84701B00855CF05A41431C7318910EA01

Function 1000400A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?,1000824C,10015938), ref: 1000400E

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01

Function 10004092 Relevance: 1.5, APIs: 1, Instructions: 3registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
Instruction ID: c461232d01f39555025ee1551a6f08c036cd225bd5518e59674b318f5e785400
Opcode Fuzzy Hash: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
Instruction Fuzzy Hash: 799002705055119BDE415B11CF494097AA5AB84701B008458E04A41030C7318810EA01

Non-executed Functions

Function 1000B224 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

K, xrefs: 1000B246

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction ID: 6c5504f13a17a8b4553fb93f6e314e3eb43bbcef24ba1366296fc093faca9512
Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction Fuzzy Hash: 13D1F2311046896EDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771

Function 1000AEC0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

K, xrefs: 1000AEE2

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction ID: a9c7f45465d92fcd6248bf8d3b75336943ce7982e690b294f387925eaf45448f
Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction Fuzzy Hash: 6F9143311046896EDB21CFAD8C80EFFBBBCAF06A40F840549FE85C7642D255E92DA771

Function 10003F41 Relevance: 1.5, APIs: 1, Instructions: 6filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,?,?), ref: 10003F51

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02

Function 10003F63 Relevance: 1.5, APIs: 1, Instructions: 4shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(?,?), ref: 10003F6B

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
Instruction ID: a0a7e03ceb7acd9bb0d3454ea8bb5ca0f40435505fc546ba40186378cb909d0a
Opcode Fuzzy Hash: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
Instruction Fuzzy Hash: 81A00175509222EBDE025B51CE4888ABEA6AB88381F008858F28940031C77284A2EB02

Function 1003D000 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

:j;*, xrefs: 1003D0F8

Memory Dump Source

Source File: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: :j;*
API String ID: 0-479965121
Opcode ID: 7fc21a12c0999fb700d6ecebce830703f7a72e4c6e182fc9bc100d1f689accbe
Instruction ID: 858834caa06d28abb9e02efb9a4eaee66c0d9be3247fcf5f743d5bd8e4c70181
Opcode Fuzzy Hash: 7fc21a12c0999fb700d6ecebce830703f7a72e4c6e182fc9bc100d1f689accbe
Instruction Fuzzy Hash: 7941A02104D7C29FC7168F3484A2693BFB26E4B20479F96DFC5C18F863C216949BC782

Function 1003CFE9 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

:j;*, xrefs: 1003D0F8

Memory Dump Source

Source File: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: :j;*
API String ID: 0-479965121
Opcode ID: 5e7e20bddcc949208a985c9c568e650c81c2c55782e51a72f85673627bd12ede
Instruction ID: 37dc1307be5354f7c94da324e7d53fa2cc3f726783098d886b6412b3d4937b60
Opcode Fuzzy Hash: 5e7e20bddcc949208a985c9c568e650c81c2c55782e51a72f85673627bd12ede
Instruction Fuzzy Hash: DE31E22104E7C29FC7128F3994A26937F726E4B2007DB95DFC5C08F863D226A49BC782

Function 1000B70D Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction ID: 9e0b5d620d62c11970e9cc848d1ca02f4ed839136e4bfa4bb83daef4b24ba54e
Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction Fuzzy Hash: AA313A33E2C6B607E324DF7E4C84025F7D6EB8A06275A8779DE88E7255D128EC518BD0

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 230sleepfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10005437
wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.MYURWUVXZX(?,?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,00000000,?,?,40000000,00000001,00000000,00000002,00000000,00000000,10016594,?,?,00000009,00000000), ref: 100055AE

Strings

Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
c:\windows\system32\drivers\%s, xrefs: 10005498
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
%s\%s, xrefs: 10005431

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: rand$wsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 2577056782-455112146
Opcode ID: b3f7697040114edba287b77cff18f9e850b595821fa9d201e811776529f969d9
Instruction ID: 45e6f7ddcc151bb0a1cd2e800ec11b9de2e45d2c2b76098b2714272be18fd0a8
Opcode Fuzzy Hash: b3f7697040114edba287b77cff18f9e850b595821fa9d201e811776529f969d9
Instruction Fuzzy Hash: 7F613873A40358BFFB14DB64CC45FDE776EEB84351F184466F6089B180CAB2EA808B54

Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
VariantInit.OLEAUT32(?), ref: 1000734D
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
VariantInit.OLEAUT32(?), ref: 10007377

Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
VariantInit.OLEAUT32(?), ref: 10007513

Strings

IPEnabled=TRUE, xrefs: 10007226
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072A7
SetDNSServerSearchOrder, xrefs: 1000749B, 1000755F
DNSServerSearchOrder, xrefs: 10007519
GatewayCostMetric, xrefs: 100073BE
DefaultIPGateway, xrefs: 1000737C
Index, xrefs: 1000725D
SetGateways, xrefs: 100072F1, 100073F7
Win32_NetworkAdapterConfiguration, xrefs: 1000722B

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: 2a5b30d4dd87871149fc4dabeee7916cd82abfde6b07db01eeb81412a9d6e17f
Instruction ID: 4aba3901ce6889b80b7d56dd8fe8bd214dd24d8a852bbcd1dcf7b1007c4af2ae
Opcode Fuzzy Hash: 2a5b30d4dd87871149fc4dabeee7916cd82abfde6b07db01eeb81412a9d6e17f
Instruction Fuzzy Hash: 93D17F74D00219EFEB15CFA4C8809EEBBB8FF49781F204019F419AB255DB75AA45CFA1

Function 10005989 Relevance: 25.6, APIs: 4, Strings: 13, Instructions: 80COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

C:\Users\user\Desktop, xrefs: 100059D7, 100059DD, 100059E5, 100059FD
%s\version.txt, xrefs: 100059FE
C:\Users\user\Desktop\12010110, xrefs: 100059F6
M%s, xrefs: 10005A0F
M174.139.6.42:3204, xrefs: 10005A14
174.139.6.42:3204, xrefs: 10005A0A
C:\Users\user\Desktop\MYuRWuVXzX.dll, xrefs: 100059C9, 100059CE, 100059DC
ECF4BB82F7E0, xrefs: 10005A4B
12010110, xrefs: 100059A9
C:\Windows\SysWOW64\rundll32.exe, xrefs: 100059BF
C:\Users\user\Desktop\version.txt, xrefs: 10005A03
%s\%s, xrefs: 100059F1
12010110, xrefs: 1000599D, 100059A3

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$12010110$12010110$174.139.6.42:3204$C:\Users\user\Desktop$C:\Users\user\Desktop\12010110$C:\Users\user\Desktop\MYuRWuVXzX.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB82F7E0$M%s$M174.139.6.42:3204
API String ID: 2111968516-2650147959
Opcode ID: b64648563ae13e0490f7e400ea1c861da6946e0cbc7e6ee224e5b95f48207761
Instruction ID: 0624f8af73e2cfb36300ed6a74395b88cb4afd7ae6761723a96b183a91d982dd
Opcode Fuzzy Hash: b64648563ae13e0490f7e400ea1c861da6946e0cbc7e6ee224e5b95f48207761
Instruction Fuzzy Hash: 2F113635600715BBF210E7A19C45F5F7B58DF89696F01411AFB05AE181DB72E8818A72

Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 304COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(?), ref: 10004ED1
VariantInit.OLEAUT32(?,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10005009
VariantInit.OLEAUT32(?,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000500F

Strings

svchost.exe -k NetworkService, xrefs: 10004FE0
Name, xrefs: 10004EE2
ProcessID, xrefs: 10004F0C
CommandLine, xrefs: 10004EF7
svchost.exe, xrefs: 10004F6F
WQL, xrefs: 10004E42
SELECT * FROM , xrefs: 10004DEA

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction ID: 6b37533f750044f272a7895ebb8f3352595696e82f2196816c77362f2c1bf445
Opcode Fuzzy Hash: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction Fuzzy Hash: C0A149B1900209AFEB04DFA4CC81DEEBBB9FF48394F104569F515AB295DB31AE45CB60

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000574F
wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.MYURWUVXZX(?,?,?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000,001F0FFF), ref: 10005835

Strings

c:\windows\system32\drivers\%s, xrefs: 100057AB
c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
ROOT\CIMv2, xrefs: 100057F2
Win32_process, xrefs: 100057ED
%s\%s, xrefs: 10005749

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 1788855648-1421401311
Opcode ID: 285827e491e0801db161c4a776b1667ce142f4882cc2c3032a8919d89beca982
Instruction ID: ee8592e41457db27a0cf69760ac3bb6b81f9307f15eed64a2d66bc65e3bf941c
Opcode Fuzzy Hash: 285827e491e0801db161c4a776b1667ce142f4882cc2c3032a8919d89beca982
Instruction Fuzzy Hash: 25318872910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AAC58A95

Function 100049D6 Relevance: 12.3, APIs: 2, Strings: 6, Instructions: 267COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10004AC9

Strings

ahnlab, xrefs: 10004B08
127.0.0.1, xrefs: 10004C4B
alyac, xrefs: 10004AF6
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.ccm|www.knbank.vo.kr|openbank.cu.vo.kr|www.busanbank.vo.kr|bamking.nonghyup.ccm|www.shinhan.ccm|www.wooribank.ccm|www.hanabank.ccm|www.epostbank.bo.kr|www.ibk.vo.kr|www.ibk.vo.kr|www.keb.vo.kr|www.kfc, xrefs: 10004ADF
%s|, xrefs: 10004AC3
v3lite, xrefs: 10004B1A

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s|$127.0.0.1$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.ccm|www.knbank.vo.kr|openbank.cu.vo.kr|www.busanbank.vo.kr|bamking.nonghyup.ccm|www.shinhan.ccm|www.wooribank.ccm|www.hanabank.ccm|www.epostbank.bo.kr|www.ibk.vo.kr|www.ibk.vo.kr|www.keb.vo.kr|www.kfc
API String ID: 2111968516-2906103333
Opcode ID: 2a6ca1cc5f704a2e8bb91bdc775e5c3aa005360710b3485d6d4717dae031ad31
Instruction ID: c6238aebe0a236eb48e22df44501352477e65da63ed159d5ea5c04cc3581395e
Opcode Fuzzy Hash: 2a6ca1cc5f704a2e8bb91bdc775e5c3aa005360710b3485d6d4717dae031ad31
Instruction Fuzzy Hash: 63912CB6C0021DAAEB11EBE5DC85EDFBBBCEB48340F104566F205B6141EB71AB458F61

Function 10005CF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

C:\Users\user\Desktop, xrefs: 10005D16
http://, xrefs: 10005D87
%s\lang.ini, xrefs: 10005D26
search, xrefs: 10005D9B

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-2890774959
Opcode ID: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
Opcode Fuzzy Hash: d1da8393b741fbea104cea0a346650b348cc7a6ae7d15635f455682e2727de3c
Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60

Function 10005C4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

C:\Users\user\Desktop, xrefs: 10005C6B
http://, xrefs: 10005CDC
%s\lang.ini, xrefs: 10005C7B

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-518030693
Opcode ID: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
Opcode Fuzzy Hash: 354cb08d00e8bc516f166db664e2c84127a23412515739fcecc10b8ce6ebd26b
Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

Function 10004630 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100046C3

Strings

%s\%s, xrefs: 100046BD
\*.*, xrefs: 10004668
., xrefs: 100046E4

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$.$\*.*
API String ID: 2111968516-2210278135
Opcode ID: d7f00199204d82f707d192d8761ac714b8ab9018e227ec6d08946cdd1bf8bb93
Instruction ID: 32d83567fd4256abd0d288ec23897bf051c3cc744f8d1e4be676c6f1d689250e
Opcode Fuzzy Hash: d7f00199204d82f707d192d8761ac714b8ab9018e227ec6d08946cdd1bf8bb93
Instruction Fuzzy Hash: D1316CB6C0025CBAEF12DFA4CC46EDE7B7DEB09380F0004A5F618A6051EB719B989B51

Function 10005F98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4

Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D

Strings

C:\Users\user\Desktop, xrefs: 10005FA3
%s\lang.ini, xrefs: 10005FAE

Memory Dump Source

Source File: 00000003.00000002.3008745543.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3008712666.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008776201.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008811674.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008843443.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008881149.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008915458.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008950221.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3008978305.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009009074.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009041254.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3009070627.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueue
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3486561800-1671016533
Opcode ID: c3d1c097a5da3b44b755e1611c3d38cc9cc036bf6ebd217d0bbcb8338429e464
Instruction ID: dfcc7b63688ca43a2c74d680eb54bb4daf041f1c606f04c7c9245eb5a67af0f6
Opcode Fuzzy Hash: c3d1c097a5da3b44b755e1611c3d38cc9cc036bf6ebd217d0bbcb8338429e464
Instruction Fuzzy Hash: A3F046768001187AF620D665CC07FEF3E6CDB857E0F104121FA08E90C4EB75AAC196E0

Analysis Process: rundll32.exePID: 7924, Parent PID: 7564COMMON

Executed Functions

Function 1000CCF2 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3550cc697d02162cd2cb998efc03918ecc409dadfe046b41410d62b90ff4c6d6
Instruction ID: 5b1f34f21e5f272165c6221912b3a3990c70a29bc2186e8f6efd336c1bf7c691
Opcode Fuzzy Hash: 3550cc697d02162cd2cb998efc03918ecc409dadfe046b41410d62b90ff4c6d6
Instruction Fuzzy Hash:

Non-executed Functions

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 230sleepfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10005437
wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.MYURWUVXZX(?,?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,00000000,?,?,40000000,00000001,00000000,00000002,00000000,00000000,10016594,?,?,00000009,00000000), ref: 100055AE

Strings

Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
c:\windows\system32\drivers\%s, xrefs: 10005498
%s\%s, xrefs: 10005431
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: rand$wsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 2577056782-455112146
Opcode ID: fc37e322948ba704b9c3bfb04767599689c3392e0b41ba38c7fc8c28cb076172
Instruction ID: 45e6f7ddcc151bb0a1cd2e800ec11b9de2e45d2c2b76098b2714272be18fd0a8
Opcode Fuzzy Hash: fc37e322948ba704b9c3bfb04767599689c3392e0b41ba38c7fc8c28cb076172
Instruction Fuzzy Hash: 7F613873A40358BFFB14DB64CC45FDE776EEB84351F184466F6089B180CAB2EA808B54

Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
VariantInit.OLEAUT32(?), ref: 1000734D
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
VariantInit.OLEAUT32(?), ref: 10007377

Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
VariantInit.OLEAUT32(?), ref: 10007513

Strings

GatewayCostMetric, xrefs: 100073BE
Index, xrefs: 1000725D
Win32_NetworkAdapterConfiguration, xrefs: 1000722B
DefaultIPGateway, xrefs: 1000737C
SetDNSServerSearchOrder, xrefs: 1000749B, 1000755F
SetGateways, xrefs: 100072F1, 100073F7
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072A7
IPEnabled=TRUE, xrefs: 10007226
DNSServerSearchOrder, xrefs: 10007519

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: f4a6320955e1221aca3e01d30b7553ab6832ba29663f91bcd49d4150e3e8c55d
Instruction ID: 4aba3901ce6889b80b7d56dd8fe8bd214dd24d8a852bbcd1dcf7b1007c4af2ae
Opcode Fuzzy Hash: f4a6320955e1221aca3e01d30b7553ab6832ba29663f91bcd49d4150e3e8c55d
Instruction Fuzzy Hash: 93D17F74D00219EFEB15CFA4C8809EEBBB8FF49781F204019F419AB255DB75AA45CFA1

Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 304COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(000000FF), ref: 10004ED1
VariantInit.OLEAUT32(00000000,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10005009
VariantInit.OLEAUT32(?,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000500F

Strings

svchost.exe, xrefs: 10004F6F
CommandLine, xrefs: 10004EF7
WQL, xrefs: 10004E42
Name, xrefs: 10004EE2
svchost.exe -k NetworkService, xrefs: 10004FE0
ProcessID, xrefs: 10004F0C
SELECT * FROM , xrefs: 10004DEA

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction ID: 6b37533f750044f272a7895ebb8f3352595696e82f2196816c77362f2c1bf445
Opcode Fuzzy Hash: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction Fuzzy Hash: C0A149B1900209AFEB04DFA4CC81DEEBBB9FF48394F104569F515AB295DB31AE45CB60

Function 10006EDE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 174sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F24
Sleep.KERNEL32 ref: 10007059
wsprintfA.USER32 ref: 1000709D
PrintFile.MYURWUVXZX(00000000,?,00000000), ref: 100070D6
PrintFile.MYURWUVXZX(00000000,?,00000000,?,00000000), ref: 100070E9

Strings

XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F79
c:\1.txt, xrefs: 10007047
QVNEU3ZjLmV4ZQ==, xrefs: 10006EEE
http://174.139.6.43:805/index.php, xrefs: 10007007
iOffset, xrefs: 10007042
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006F90

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: FilePrintSleep$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://174.139.6.43:805/index.php$iOffset
API String ID: 1547040302-2718946471
Opcode ID: dbcb8368a4f6a39bd3a3b8c3dd0250e49dece4f433070a78b2cae66d1d8be5b7
Instruction ID: 5a36ebefe1c04161e99549fc7ab99fecfd9d3f15ee4e50f1ea2acdaac8b1ccbf
Opcode Fuzzy Hash: dbcb8368a4f6a39bd3a3b8c3dd0250e49dece4f433070a78b2cae66d1d8be5b7
Instruction Fuzzy Hash: BE51C7B6D04359AAF722D760CC56FCF77ACEB083C1F1045A5F208E6086DA75AB808E55

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000574F
wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.MYURWUVXZX(?,?,?,?,00000000), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,001F0FFF), ref: 10005835

Strings

c:\windows\system32\drivers\%s, xrefs: 100057AB
c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
ROOT\CIMv2, xrefs: 100057F2
Win32_process, xrefs: 100057ED
%s\%s, xrefs: 10005749

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 1788855648-1421401311
Opcode ID: a084a2e2b0348bd82a44899adb64241e673018f2f1795e561468d25eddf10b69
Instruction ID: ee8592e41457db27a0cf69760ac3bb6b81f9307f15eed64a2d66bc65e3bf941c
Opcode Fuzzy Hash: a084a2e2b0348bd82a44899adb64241e673018f2f1795e561468d25eddf10b69
Instruction Fuzzy Hash: 25318872910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AAC58A95

Function 10005989 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 80COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

12010110, xrefs: 1000599D, 100059A3
M%s, xrefs: 10005A0F
174.139.6.42:3204, xrefs: 10005A0A
%s\version.txt, xrefs: 100059FE
F896SD5DAE, xrefs: 10005A14
%s\%s, xrefs: 100059F1

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$12010110$174.139.6.42:3204$F896SD5DAE$M%s
API String ID: 2111968516-1869864888
Opcode ID: 134a06de1f574864bfa21b0196dbc7ade879cbebcd3e1f093504a29b26a4b43a
Instruction ID: 0624f8af73e2cfb36300ed6a74395b88cb4afd7ae6761723a96b183a91d982dd
Opcode Fuzzy Hash: 134a06de1f574864bfa21b0196dbc7ade879cbebcd3e1f093504a29b26a4b43a
Instruction Fuzzy Hash: 2F113635600715BBF210E7A19C45F5F7B58DF89696F01411AFB05AE181DB72E8818A72

Function 10005DB4 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096

Strings

12010110, xrefs: 10005E8F
Find CPU Error, xrefs: 10005E36
@, xrefs: 10005E57
%u MB, xrefs: 10005E7E
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
http://174.139.6.43:805/index.php, xrefs: 10005EF8
ProcessorNameString, xrefs: 10005E02

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12010110$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://174.139.6.43:805/index.php
API String ID: 271660946-1867114097
Opcode ID: 5361ab5d587e6ea13ffced72387de769d1a66e4b1df98791523302deec0479ea
Instruction ID: 608af9c2b18cb9836f978af7e57985311d6e03b70ae207eed12c800596a1b3a1
Opcode Fuzzy Hash: 5361ab5d587e6ea13ffced72387de769d1a66e4b1df98791523302deec0479ea
Instruction Fuzzy Hash: 0B31E076C04208BAFB10D764DC46FDF77BCEB04341F50406AFA54BA182EB75BA458B99

Function 100082A2 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 127sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=,00000000,00000000), ref: 10008394
wsprintfA.USER32 ref: 100083E6

Strings

Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405, 10008411
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
127.0.0.1, xrefs: 100083F4
8.8.8.8, xrefs: 100083EF
http://174.139.6.43:805/index.php, xrefs: 10008353
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://174.139.6.43:805/index.php
API String ID: 1749205058-1389873648
Opcode ID: 9b21ca15742f6382eb5840071324cf376b28052617cd303cd5749190d49b64d5
Instruction ID: b9027ece183413cc2fe871766ac14a59ec9628a189d2433f2f5c13587e1fa655
Opcode Fuzzy Hash: 9b21ca15742f6382eb5840071324cf376b28052617cd303cd5749190d49b64d5
Instruction Fuzzy Hash: 2A31F5B6900259B6F711D360CC46FCF37ACEF456C1F2404A6F648AA08AEA75AB804B51

Function 10007FB7 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 186sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100081C7

Strings

174.139.6.43:805/index.php, xrefs: 10008113
., xrefs: 10007FCF
P, xrefs: 100080F7
L2ltYWdlLnBocA==, xrefs: 1000818B
%s\%s, xrefs: 10008067
NPKI, xrefs: 1000802C

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$.$174.139.6.43:805/index.php$L2ltYWdlLnBocA==$NPKI$P
API String ID: 3472027048-663353412
Opcode ID: 50242a6b2a21b222361bd26d6a38d610deb9d29393d74dc95a4981fb93dc413c
Instruction ID: 5cc609afffd9a73f0ab383a3698fbf555166cf4d4a761eedf9d78448fcab9a5b
Opcode Fuzzy Hash: 50242a6b2a21b222361bd26d6a38d610deb9d29393d74dc95a4981fb93dc413c
Instruction Fuzzy Hash: C451617690425DBEEB51D7A4DC45FEEB7ACEF48380F1004E6E648E6141EB70AB858F21

Function 10006CF7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A

wsprintfA.USER32 ref: 10006D88
___crtGetTimeFormatEx.LIBCMT ref: 10006DAE

Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096

Strings

%s "%s",Cache, xrefs: 10006D82
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
REG_SZ, xrefs: 10006D44
Cache, xrefs: 10006DA6

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Cache$Cache$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-128323000
Opcode ID: 6f01c57138434e0966ccc76966a10d270a34dc04ddb1e8c7dee392cb54238091
Instruction ID: 99ed05e62e7b3a3f3e6c4431fc974c4e82ca3383c3213c1f9da7e30f49cf53f9
Opcode Fuzzy Hash: 6f01c57138434e0966ccc76966a10d270a34dc04ddb1e8c7dee392cb54238091
Instruction Fuzzy Hash: B01182B694421CBEFB11D7A4DC86FEA776CEB14344F1004A1F704B9085DAB16FD88AA4

Function 10008567 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 1000857E
Sleep.KERNEL32(001B7740), ref: 100085BF
wsprintfA.USER32 ref: 100085EC

Strings

D, xrefs: 10008612
aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008580
c:\%d.log, xrefs: 100085E6

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
API String ID: 3195947292-1533272838
Opcode ID: ee48c70ecdb7b9f0d8741ba884e2fff9c0a0dff7f26708994b2a8bbafb54f76a
Instruction ID: 7ef7ad822adc65929ef9e9b86761b6b78b237e2069168f738ddcddf76cdc0eac
Opcode Fuzzy Hash: ee48c70ecdb7b9f0d8741ba884e2fff9c0a0dff7f26708994b2a8bbafb54f76a
Instruction Fuzzy Hash: F7218EB6C0021CBAEB12EBE4CC45EDFBB7CEF48390F140466F604BB141E6756A458BA1

Function 100068F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

SeShutdownPrivilege, xrefs: 100069FF, 10006A0F
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 5762479093$SeShutdownPrivilege
API String ID: 0-1771388387
Opcode ID: 952cc4ce18592a3b581436360f3749d00765313b27f249e64cd6a9a6e0234606
Instruction ID: a118fc2c38e718541663bef851cd2fff5ad6ce8bd3a6440b045a7bd8de9c543f
Opcode Fuzzy Hash: 952cc4ce18592a3b581436360f3749d00765313b27f249e64cd6a9a6e0234606
Instruction Fuzzy Hash: 3A41C375944209FDF720E7508C85FFF36AEEB097D4F20016AF509EA099D730A980CA62

Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

http://, xrefs: 10005D87
search, xrefs: 10005D9B
%s\lang.ini, xrefs: 10005D26

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://$search
API String ID: 1721638100-482061809
Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60

Function 10006363 Relevance: 6.1, APIs: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strcspn.MSVCRT ref: 10006399
strcspn.MSVCRT ref: 100063B6
strcspn.MSVCRT ref: 100063FC
strcspn.MSVCRT ref: 1000641B

Part of subcall function 1000611F: ___crtGetTimeFormatEx.LIBCMT ref: 1000616C

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: strcspn$FormatTime___crt
String ID:
API String ID: 4006067733-0
Opcode ID: a88b3595071e3976dec8b3c927f74e16a2468285b2c4f7438c857c87a1d4182d
Instruction ID: b9784272a563ed647374224906bb77998104648b3eb0055089ee48751274d8f0
Opcode Fuzzy Hash: a88b3595071e3976dec8b3c927f74e16a2468285b2c4f7438c857c87a1d4182d
Instruction Fuzzy Hash: A631767590021CBEEB10DBB4DC85EDF77ADEF04390F504566FA09D6056DA35DB448BA0

Function 10004630 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100046C3

Strings

%s\%s, xrefs: 100046BD
., xrefs: 100046E4
\*.*, xrefs: 10004668

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$.$\*.*
API String ID: 2111968516-2210278135
Opcode ID: 6ef935c6990bfa298087fb4875cbfc4e321a7b43b0cc1adc9d040f95560a56be
Instruction ID: 32d83567fd4256abd0d288ec23897bf051c3cc744f8d1e4be676c6f1d689250e
Opcode Fuzzy Hash: 6ef935c6990bfa298087fb4875cbfc4e321a7b43b0cc1adc9d040f95560a56be
Instruction Fuzzy Hash: D1316CB6C0025CBAEF12DFA4CC46EDE7B7DEB09380F0004A5F618A6051EB719B989B51

Function 10006A6E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006AA8
Sleep.KERNEL32(0002BF20,00000000,00000000,000000FF,?,?,Function_0000687E,00000001), ref: 10006ADD
CreateThread.KERNEL32(?,?,Function_0000687E,00000001), ref: 10006AF1

Strings

0x5d65r455f, xrefs: 10006A97
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexSleepThread
String ID: 0x5d65r455f$5762479093
API String ID: 145085098-2446933972
Opcode ID: 6e223566669f54b27c52c443740e9d8619d75d8ece84f689cc22bca68b99062e
Instruction ID: 42830097d2b935476e62f5b5a5986fc168cf732b2afb478cd656d2399f53d04c
Opcode Fuzzy Hash: 6e223566669f54b27c52c443740e9d8619d75d8ece84f689cc22bca68b99062e
Instruction Fuzzy Hash: 23F02B76A4031476F210F3B06C87DBF3A0DDB953D0F140035FA049908BEA25AC1541B2

Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

http://, xrefs: 10005CDC
%s\lang.ini, xrefs: 10005C7B

Memory Dump Source

Source File: 0000000B.00000002.3012213051.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.3012167333.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012268442.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012316994.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012343267.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012413916.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012460420.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012519261.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012547803.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012597562.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012644052.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000B.00000002.3012697622.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://
API String ID: 1721638100-679094439
Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

Analysis Process: rundll32.exePID: 8152, Parent PID: 7564COMMON

Non-executed Functions

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 230sleepfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10005437
wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.MYURWUVXZX(?,?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,00000000,?,?,40000000,00000001,00000000,00000002,00000000,00000000,10016594,?,?,00000009,00000000), ref: 100055AE

Strings

Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
c:\windows\system32\drivers\%s, xrefs: 10005498
%s\%s, xrefs: 10005431

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: rand$wsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 2577056782-455112146
Opcode ID: fc37e322948ba704b9c3bfb04767599689c3392e0b41ba38c7fc8c28cb076172
Instruction ID: 45e6f7ddcc151bb0a1cd2e800ec11b9de2e45d2c2b76098b2714272be18fd0a8
Opcode Fuzzy Hash: fc37e322948ba704b9c3bfb04767599689c3392e0b41ba38c7fc8c28cb076172
Instruction Fuzzy Hash: 7F613873A40358BFFB14DB64CC45FDE776EEB84351F184466F6089B180CAB2EA808B54

Function 1000720E Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
VariantInit.OLEAUT32(?), ref: 1000734D
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
VariantInit.OLEAUT32(?), ref: 10007377

Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
VariantInit.OLEAUT32(?), ref: 10007513

Strings

DefaultIPGateway, xrefs: 1000737C
GatewayCostMetric, xrefs: 100073BE
Index, xrefs: 1000725D
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072A7
SetGateways, xrefs: 100072F1, 100073F7
DNSServerSearchOrder, xrefs: 10007519
SetDNSServerSearchOrder, xrefs: 1000749B, 1000755F
Win32_NetworkAdapterConfiguration, xrefs: 1000722B
IPEnabled=TRUE, xrefs: 10007226

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: f4a6320955e1221aca3e01d30b7553ab6832ba29663f91bcd49d4150e3e8c55d
Instruction ID: 4aba3901ce6889b80b7d56dd8fe8bd214dd24d8a852bbcd1dcf7b1007c4af2ae
Opcode Fuzzy Hash: f4a6320955e1221aca3e01d30b7553ab6832ba29663f91bcd49d4150e3e8c55d
Instruction Fuzzy Hash: 93D17F74D00219EFEB15CFA4C8809EEBBB8FF49781F204019F419AB255DB75AA45CFA1

Function 10004D36 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 304COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(000000FF), ref: 10004ED1
VariantInit.OLEAUT32(00000000,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10005009
VariantInit.OLEAUT32(?,?,100101A8,00000000,00000001,100100D8,?,00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000500F

Strings

ProcessID, xrefs: 10004F0C
WQL, xrefs: 10004E42
CommandLine, xrefs: 10004EF7
SELECT * FROM , xrefs: 10004DEA
svchost.exe, xrefs: 10004F6F
svchost.exe -k NetworkService, xrefs: 10004FE0
Name, xrefs: 10004EE2

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction ID: 6b37533f750044f272a7895ebb8f3352595696e82f2196816c77362f2c1bf445
Opcode Fuzzy Hash: 18a33b7d364d92f1f38b265d4a3f42f5bb0327c946340e8b760ae1ab73ba960c
Instruction Fuzzy Hash: C0A149B1900209AFEB04DFA4CC81DEEBBB9FF48394F104569F515AB295DB31AE45CB60

Function 10006EDE Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 174sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F24
Sleep.KERNEL32 ref: 10007059
wsprintfA.USER32 ref: 1000709D
PrintFile.MYURWUVXZX(00000000,?,00000000), ref: 100070D6
PrintFile.MYURWUVXZX(00000000,?,00000000,?,00000000), ref: 100070E9

Strings

c:\1.txt, xrefs: 10007047
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006F90
QVNEU3ZjLmV4ZQ==, xrefs: 10006EEE
http://174.139.6.43:805/index.php, xrefs: 10007007
iOffset, xrefs: 10007042
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F79

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: FilePrintSleep$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://174.139.6.43:805/index.php$iOffset
API String ID: 1547040302-2718946471
Opcode ID: dbcb8368a4f6a39bd3a3b8c3dd0250e49dece4f433070a78b2cae66d1d8be5b7
Instruction ID: 5a36ebefe1c04161e99549fc7ab99fecfd9d3f15ee4e50f1ea2acdaac8b1ccbf
Opcode Fuzzy Hash: dbcb8368a4f6a39bd3a3b8c3dd0250e49dece4f433070a78b2cae66d1d8be5b7
Instruction Fuzzy Hash: BE51C7B6D04359AAF722D760CC56FCF77ACEB083C1F1045A5F208E6086DA75AB808E55

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103filethreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000574F
wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.MYURWUVXZX(?,?,?,?,00000000), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000,001F0FFF), ref: 10005835

Strings

Win32_process, xrefs: 100057ED
ROOT\CIMv2, xrefs: 100057F2
c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
c:\windows\system32\drivers\%s, xrefs: 100057AB
%s\%s, xrefs: 10005749

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 1788855648-1421401311
Opcode ID: a084a2e2b0348bd82a44899adb64241e673018f2f1795e561468d25eddf10b69
Instruction ID: ee8592e41457db27a0cf69760ac3bb6b81f9307f15eed64a2d66bc65e3bf941c
Opcode Fuzzy Hash: a084a2e2b0348bd82a44899adb64241e673018f2f1795e561468d25eddf10b69
Instruction Fuzzy Hash: 25318872910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AAC58A95

Function 10005989 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 80COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

174.139.6.42:3204, xrefs: 10005A0A
M%s, xrefs: 10005A0F
F896SD5DAE, xrefs: 10005A14
%s\version.txt, xrefs: 100059FE
12010110, xrefs: 1000599D, 100059A3
%s\%s, xrefs: 100059F1

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$12010110$174.139.6.42:3204$F896SD5DAE$M%s
API String ID: 2111968516-1869864888
Opcode ID: 134a06de1f574864bfa21b0196dbc7ade879cbebcd3e1f093504a29b26a4b43a
Instruction ID: 0624f8af73e2cfb36300ed6a74395b88cb4afd7ae6761723a96b183a91d982dd
Opcode Fuzzy Hash: 134a06de1f574864bfa21b0196dbc7ade879cbebcd3e1f093504a29b26a4b43a
Instruction Fuzzy Hash: 2F113635600715BBF210E7A19C45F5F7B58DF89696F01411AFB05AE181DB72E8818A72

Function 10005DB4 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096

Strings

http://174.139.6.43:805/index.php, xrefs: 10005EF8
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
@, xrefs: 10005E57
Find CPU Error, xrefs: 10005E36
12010110, xrefs: 10005E8F
%u MB, xrefs: 10005E7E
ProcessorNameString, xrefs: 10005E02

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12010110$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://174.139.6.43:805/index.php
API String ID: 271660946-1867114097
Opcode ID: 5361ab5d587e6ea13ffced72387de769d1a66e4b1df98791523302deec0479ea
Instruction ID: 608af9c2b18cb9836f978af7e57985311d6e03b70ae207eed12c800596a1b3a1
Opcode Fuzzy Hash: 5361ab5d587e6ea13ffced72387de769d1a66e4b1df98791523302deec0479ea
Instruction Fuzzy Hash: 0B31E076C04208BAFB10D764DC46FDF77BCEB04341F50406AFA54BA182EB75BA458B99

Function 100082A2 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 127sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=,00000000,00000000), ref: 10008394
wsprintfA.USER32 ref: 100083E6

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082DC
8.8.8.8, xrefs: 100083EF
http://174.139.6.43:805/index.php, xrefs: 10008353
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008405, 10008411
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082C5
127.0.0.1, xrefs: 100083F4

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://174.139.6.43:805/index.php
API String ID: 1749205058-1389873648
Opcode ID: 9b21ca15742f6382eb5840071324cf376b28052617cd303cd5749190d49b64d5
Instruction ID: b9027ece183413cc2fe871766ac14a59ec9628a189d2433f2f5c13587e1fa655
Opcode Fuzzy Hash: 9b21ca15742f6382eb5840071324cf376b28052617cd303cd5749190d49b64d5
Instruction Fuzzy Hash: 2A31F5B6900259B6F711D360CC46FCF37ACEF456C1F2404A6F648AA08AEA75AB804B51

Function 10007FB7 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 186sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100081C7

Strings

., xrefs: 10007FCF
NPKI, xrefs: 1000802C
L2ltYWdlLnBocA==, xrefs: 1000818B
174.139.6.43:805/index.php, xrefs: 10008113
%s\%s, xrefs: 10008067
P, xrefs: 100080F7

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$.$174.139.6.43:805/index.php$L2ltYWdlLnBocA==$NPKI$P
API String ID: 3472027048-663353412
Opcode ID: 50242a6b2a21b222361bd26d6a38d610deb9d29393d74dc95a4981fb93dc413c
Instruction ID: 5cc609afffd9a73f0ab383a3698fbf555166cf4d4a761eedf9d78448fcab9a5b
Opcode Fuzzy Hash: 50242a6b2a21b222361bd26d6a38d610deb9d29393d74dc95a4981fb93dc413c
Instruction Fuzzy Hash: C451617690425DBEEB51D7A4DC45FEEB7ACEF48380F1004E6E648E6141EB70AB858F21

Function 10006CF7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A

wsprintfA.USER32 ref: 10006D88
___crtGetTimeFormatEx.LIBCMT ref: 10006DAE

Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?,80000002,?,00000000,000F003F,?), ref: 10004096

Strings

Cache, xrefs: 10006DA6
%s "%s",Cache, xrefs: 10006D82
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D4A
REG_SZ, xrefs: 10006D44

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Cache$Cache$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-128323000
Opcode ID: 6f01c57138434e0966ccc76966a10d270a34dc04ddb1e8c7dee392cb54238091
Instruction ID: 99ed05e62e7b3a3f3e6c4431fc974c4e82ca3383c3213c1f9da7e30f49cf53f9
Opcode Fuzzy Hash: 6f01c57138434e0966ccc76966a10d270a34dc04ddb1e8c7dee392cb54238091
Instruction Fuzzy Hash: B01182B694421CBEFB11D7A4DC86FEA776CEB14344F1004A1F704B9085DAB16FD88AA4

Function 10008567 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 1000857E
Sleep.KERNEL32(001B7740), ref: 100085BF
wsprintfA.USER32 ref: 100085EC

Strings

aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008580
c:\%d.log, xrefs: 100085E6
D, xrefs: 10008612

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
API String ID: 3195947292-1533272838
Opcode ID: ee48c70ecdb7b9f0d8741ba884e2fff9c0a0dff7f26708994b2a8bbafb54f76a
Instruction ID: 7ef7ad822adc65929ef9e9b86761b6b78b237e2069168f738ddcddf76cdc0eac
Opcode Fuzzy Hash: ee48c70ecdb7b9f0d8741ba884e2fff9c0a0dff7f26708994b2a8bbafb54f76a
Instruction Fuzzy Hash: F7218EB6C0021CBAEB12EBE4CC45EDFBB7CEF48390F140466F604BB141E6756A458BA1

Function 100068F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

SeShutdownPrivilege, xrefs: 100069FF, 10006A0F
5762479093, xrefs: 10006AC7

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 5762479093$SeShutdownPrivilege
API String ID: 0-1771388387
Opcode ID: 952cc4ce18592a3b581436360f3749d00765313b27f249e64cd6a9a6e0234606
Instruction ID: a118fc2c38e718541663bef851cd2fff5ad6ce8bd3a6440b045a7bd8de9c543f
Opcode Fuzzy Hash: 952cc4ce18592a3b581436360f3749d00765313b27f249e64cd6a9a6e0234606
Instruction Fuzzy Hash: 3A41C375944209FDF720E7508C85FFF36AEEB097D4F20016AF509EA099D730A980CA62

Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

http://, xrefs: 10005D87
search, xrefs: 10005D9B
%s\lang.ini, xrefs: 10005D26

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://$search
API String ID: 1721638100-482061809
Opcode ID: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
Instruction ID: d10eea2e68a17fc7dae01a0a692719cf89fcc4e95e635f9962b470bf74251c26
Opcode Fuzzy Hash: 33ea2848b0bc3da7384bcd1edad61293b65bebd0800f34c916c6c70b8e553ac8
Instruction Fuzzy Hash: D81106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA72AFC44A60

Function 10006363 Relevance: 6.1, APIs: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strcspn.MSVCRT ref: 10006399
strcspn.MSVCRT ref: 100063B6
strcspn.MSVCRT ref: 100063FC
strcspn.MSVCRT ref: 1000641B

Part of subcall function 1000611F: ___crtGetTimeFormatEx.LIBCMT ref: 1000616C

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: strcspn$FormatTime___crt
String ID:
API String ID: 4006067733-0
Opcode ID: a88b3595071e3976dec8b3c927f74e16a2468285b2c4f7438c857c87a1d4182d
Instruction ID: b9784272a563ed647374224906bb77998104648b3eb0055089ee48751274d8f0
Opcode Fuzzy Hash: a88b3595071e3976dec8b3c927f74e16a2468285b2c4f7438c857c87a1d4182d
Instruction Fuzzy Hash: A631767590021CBEEB10DBB4DC85EDF77ADEF04390F504566FA09D6056DA35DB448BA0

Function 10004630 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100046C3

Strings

\*.*, xrefs: 10004668
%s\%s, xrefs: 100046BD
., xrefs: 100046E4

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$.$\*.*
API String ID: 2111968516-2210278135
Opcode ID: 6ef935c6990bfa298087fb4875cbfc4e321a7b43b0cc1adc9d040f95560a56be
Instruction ID: 32d83567fd4256abd0d288ec23897bf051c3cc744f8d1e4be676c6f1d689250e
Opcode Fuzzy Hash: 6ef935c6990bfa298087fb4875cbfc4e321a7b43b0cc1adc9d040f95560a56be
Instruction Fuzzy Hash: D1316CB6C0025CBAEF12DFA4CC46EDE7B7DEB09380F0004A5F618A6051EB719B989B51

Function 10006A6E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006AA8
Sleep.KERNEL32(0002BF20,00000000,00000000,000000FF,?,?,Function_0000687E,00000001), ref: 10006ADD
CreateThread.KERNEL32(?,?,Function_0000687E,00000001), ref: 10006AF1

Strings

5762479093, xrefs: 10006AC7
0x5d65r455f, xrefs: 10006A97

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexSleepThread
String ID: 0x5d65r455f$5762479093
API String ID: 145085098-2446933972
Opcode ID: 6e223566669f54b27c52c443740e9d8619d75d8ece84f689cc22bca68b99062e
Instruction ID: 42830097d2b935476e62f5b5a5986fc168cf732b2afb478cd656d2399f53d04c
Opcode Fuzzy Hash: 6e223566669f54b27c52c443740e9d8619d75d8ece84f689cc22bca68b99062e
Instruction Fuzzy Hash: 23F02B76A4031476F210F3B06C87DBF3A0DDB953D0F140035FA049908BEA25AC1541B2

Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167C0), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

http://, xrefs: 10005CDC
%s\lang.ini, xrefs: 10005C7B

Memory Dump Source

Source File: 00000012.00000002.3334608532.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.3334501099.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334713685.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334818610.0000000010012000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3334925941.000000001001E000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335119760.000000001003E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335226802.000000001003F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335373524.0000000010059000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335482471.000000001005A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335646433.0000000010068000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335750800.0000000010069000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.3335854123.000000001006A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://
API String ID: 1721638100-679094439
Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MYuRWuVXzX.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\1.txt

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d2d6a05f617930bde2d4c76b2a5555e299272ba9_7522e4b5_5eb2d3d4-e5f5-4c1d-a11d-a7ed1d40f08d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fee72e296cfe876676a0f903eac30ffbede4e6_7522e4b5_04d508df-b13c-449b-9b64-bcd97878548d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AD9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BD4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C04.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3355.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33F2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3412.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
MYuRWuVXzX.dll

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre