Edit tour

Windows Analysis Report
oQy3XhO4cX.dll

Overview

General Information

Sample name:	oQy3XhO4cX.dll renamed because original name is a hash value
Original sample name:	8ab993fdb5f20d2415135216241b614699d538cc.dll
Analysis ID:	1558484
MD5:	d17d6db07618aa4b89f6d66c1b2f5841
SHA1:	8ab993fdb5f20d2415135216241b614699d538cc
SHA256:	449ba2d742d67fc9e6627d4cb6fa952c4ac41efa85ad3df41b1d8cced7965e22
Tags:	dlluser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6148 cmdline: loaddll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3576 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5980 cmdline: rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 3988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1816 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5864 cmdline: rundll32.exe C:\Users\user\Desktop\oQy3XhO4cX.dll,Scheduler MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5336 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5756 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 3344 cmdline: rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 4584 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 2768 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 3672 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1108 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 5676 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

rundll32.exe (PID: 5696 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 2456 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7160 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.rundll32.exe.10000000.0.unpack	Winnti_NlaifSvc	Winnti sample - file NlaifSvc.dll	Florian Roth	0x44519:$x1: cracked by ximo 0x445ce:$x1: cracked by ximo 0x44683:$x1: cracked by ximo 0x44738:$x1: cracked by ximo 0x447ed:$x1: cracked by ximo 0x448a2:$x1: cracked by ximo 0x44957:$x1: cracked by ximo 0x44a0c:$x1: cracked by ximo 0x44ac1:$x1: cracked by ximo 0x44b76:$x1: cracked by ximo

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5980, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHR

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oQy3XhO4cX.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: oQy3XhO4cX.dll

ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: oQy3XhO4cX.dll

Joe Sandbox ML: detected

Source: oQy3XhO4cX.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpy,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6D0F2DD0,_mbscpy,_mbscpy,strchr,strchr,strchr,_mbscpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,strrchr,_strcmpi,_mbscpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.161 12388	Jump to behavior

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 107.163.56.241 ports 18530,0,1,3,5,8

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic	TCP traffic: 192.168.2.8:49704 -> 107.163.43.161:12388
Source: global traffic	TCP traffic: 192.168.2.8:49705 -> 107.163.56.241:18530
Source: global traffic	TCP traffic: 192.168.2.8:49707 -> 107.163.56.251:6658

Source: Joe Sandbox View

IP Address: 107.163.56.251 107.163.56.251

Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US

Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.43.161
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.241
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100050C5 recv,

4_2_100050C5

Source: rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/main
Source: rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://%s.qzone.qq.com/mainMozilla/4.0
Source: rundll32.exe, 00000004.00000002.2703461478.0000000003335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.161:12388/2112.html
Source: rundll32.exe, 00000004.00000002.2703461478.0000000003335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.161:12388/2112.html/
Source: rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.43.161:12388/2112.htmll
Source: rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.240:18963/main.php
Source: rundll32.exe, 00000004.00000002.2703205317.000000000327B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.241:1530//joy.asp?sid=rungnejcndvgnJdFe5vteX8v2.
Source: rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.241:18530/
Source: rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.241:18530//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mteYmJe0nta
Source: rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%s
Source: rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.229.227.140:999/ver.asp?v=%sfound~
Source: rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%sMozilla/4.0
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100052CF OpenClipboard,

4_2_100052CF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E8E SetClipboardData,

4_2_10004E8E

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004F4C GetClipboardData,

4_2_10004F4C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004788 GetAsyncKeyState,

4_2_10004788

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005F3C GetProcessHeap,RtlAllocateHeap,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		4_2_10005F3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005FD3 NtQueryInformationFile,		4_2_10005FD3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100059A0 DeleteService,

4_2_100059A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004804 CreateProcessAsUserA,

4_2_10004804

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005238 ExitWindowsEx,

4_2_10005238

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100150F3	4_2_100150F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F200	4_2_1000F200
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100122E4	4_2_100122E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E5EC	4_2_1001E5EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10018642	4_2_10018642
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A67B	4_2_1001A67B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D748	4_2_1001D748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001C850	4_2_1001C850
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015883	4_2_10015883
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015B40	4_2_10015B40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DB5D	4_2_1001DB5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DD4D	4_2_1001DD4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BD60	4_2_1001BD60

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 10001000 appears 296 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1816

Source: oQy3XhO4cX.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winDLL@33/5@0/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10011C72 sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy,

4_2_10011C72

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005EBA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	4_2_10005EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005912 AdjustTokenPrivileges,	4_2_10005912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007DDE 6D0F2DD0,6D0F2DD0,6D0F2DD0,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,	4_2_10007DDE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005821 GetDiskFreeSpaceExA,

4_2_10005821

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: _mbscpy,_mbscat,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA,memset,wsprintfA,RegCreateKeyA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,memset,_mbscpy,RegOpenKeyExA,_CxxThrowException,strlen,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegCloseKey,

4_2_1000ABAC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000D3D5 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,DebugActiveProcess,GetLastError,Process32Next,CloseHandle,

4_2_1000D3D5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100114B0 CoCreateInstance,

4_2_100114B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005000 LockResource,

4_2_10005000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000AAC4 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\11221450

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5980
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6192a207-f004-408c-81f3-0d1f958f9a37

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\oQy3XhO4cX.dll,Scheduler

Source: oQy3XhO4cX.dll

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\oQy3XhO4cX.dll,Scheduler
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1816
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\oQy3XhO4cX.dll,Scheduler	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: initial sample

Static PE information: section where entry point is pointing to: ds

Source: oQy3XhO4cX.dll	Static PE information: section name: .fdss
Source: oQy3XhO4cX.dll	Static PE information: section name: .fds
Source: oQy3XhO4cX.dll	Static PE information: section name: .fs
Source: oQy3XhO4cX.dll	Static PE information: section name: ds

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FEA3 push dword ptr [esp+3Ch]; retn 0040h	4_2_10035AF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001000 push dword ptr [esp+14h]; retn 0018h	4_2_10036C9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001000 push eax; mov dword ptr [esp], 63000AC9h	4_2_10036D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001010 pushfd ; mov dword ptr [esp], edx	4_2_10001011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003407B push dword ptr [esp+50h]; retn 0054h	4_2_10034085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210E0 push eax; ret	4_2_1002110E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100010F9 push 4E1E2108h; mov dword ptr [esp], edx	4_2_10001131
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100010F9 pushad ; mov dword ptr [esp], F651B473h	4_2_10001136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100010F9 push edx; mov dword ptr [esp], 1815BBB4h	4_2_100342D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D143 pushad ; mov dword ptr [esp], esi	4_2_1000D15B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001199 pushfd ; mov dword ptr [esp], edx	4_2_1000119A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003442B pushfd ; mov dword ptr [esp], ecx	4_2_10034436
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003442B push 1392E45Eh; mov dword ptr [esp], ecx	4_2_1003443E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003448E push dword ptr [esp+24h]; retn 0028h	4_2_100344A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E56F push dword ptr [esp+2Ch]; retn 0030h	4_2_1003882F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003463D push dword ptr [esp+34h]; retn 0038h	4_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C792 push dword ptr [esp+48h]; retn 004Ch	4_2_10033600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C7A8 push dword ptr [esp+48h]; retn 004Ch	4_2_10033600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B7BC pushfd ; mov dword ptr [esp], ebp	4_2_10034F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B7CC push dword ptr [esp+34h]; retn 0038h	4_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003383A pushfd ; mov dword ptr [esp], esi	4_2_1003384B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B8EA push 8C58C68Fh; mov dword ptr [esp], eax	4_2_10033F47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B8EA pushfd ; mov dword ptr [esp], eax	4_2_100348EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10039A98 pushfd ; mov dword ptr [esp], 12F3A3B1h	4_2_1003CFBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10033AD2 pushfd ; mov dword ptr [esp], ecx	4_2_10033ADD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10033AD2 push 8C58C68Fh; mov dword ptr [esp], eax	4_2_10033F47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E6EA pushfd ; mov dword ptr [esp], E0DA7D61h	4_2_10034B0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10034D73 pushfd ; mov dword ptr [esp], eax	4_2_1000B84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10034DF3 push dword ptr [esp+34h]; retn 0038h	4_2_10034E37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10035EA4 push dword ptr [esp+48h]; retn 004Ch	4_2_1003BC28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10034EB4 push A20C73A1h; mov dword ptr [esp], edx	4_2_10034EF9

Source: oQy3XhO4cX.dll

Static PE information: section name: .fds entropy: 7.938861044095765

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,_mbscpy,memset,_mbscpy, \\.\PHYSICALDRIVE%d

4_2_10011C72

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SHR

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_1000AAC4

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SHR			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SHR			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10005BDF ClearEventLogA,

4_2_10005BDF

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-10289

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_4-10184

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 6.3 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000F200

4_2_1000F200

Source: C:\Windows\SysWOW64\rundll32.exe TID: 6168	Thread sleep time: -16200000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6168	Thread sleep time: -1800000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E763 lstrcpy,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6D0F2DD0,_mbscpy,_mbscpy,strchr,strchr,strchr,_mbscpy,atoi,CreateDirectoryA,Sleep,FindClose,	4_2_1000E763
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D49E strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,strrchr,_strcmpi,_mbscpy,FindClose,FindNextFileA,FindClose,	4_2_1000D49E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100058AC FindFirstFileA,	4_2_100058AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100069DD _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_100069DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EBE4 strlen,_mbscpy,_mbscat,_mbscat,FindFirstFileA,FindClose,_mbscpy,_mbscat,_mbscat,strcmp,strcmp,FindNextFileA,FindClose,FindNextFileA,FindClose,	4_2_1000EBE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006DB7 _mbscpy,_mbscat,FindFirstFileA,wsprintfA,strlen,FindNextFileA,FindClose,	4_2_10006DB7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100057EC GetLogicalDriveStringsA,

4_2_100057EC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007DDE 6D0F2DD0,6D0F2DD0,6D0F2DD0,strrchr,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf,

4_2_10007DDE

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: rundll32.exe, 00000004.00000002.2703461478.000000000336D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8j*
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2703461478.000000000336D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004DF5 BlockInput,

4_2_10004DF5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006843 LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary,

4_2_10006843

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10006322 GetProcessHeap,HeapFree,_strnicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,CloseHandle,memset,strrchr,_strnicmp,CloseHandle,CloseHandle,lstrlen,_strnicmp,OpenProcess,GetModuleFileNameExA,_strnicmp,GetCurrentProcess,DuplicateHandle,CloseHandle,CloseHandle,HeapFree,

4_2_10006322

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000558A SetUnhandledExceptionFilter,

4_2_1000558A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.241 18530	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.43.161 12388	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E04 keybd_event,

4_2_10004E04

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004E1F mouse_event,

4_2_10004E1F

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_100048C9 SetSecurityDescriptorDacl,

4_2_100048C9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004925 AllocateAndInitializeSid,

4_2_10004925

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,memcpy,	4_2_1000960F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: strlen,memset,___crtGetLocaleInfoEx,lstrcpy,	4_2_1000C295
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,	4_2_1000949C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetModuleFileNameA,GetModuleFileNameA,strrchr,_mbscat,strrchr,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,ReleaseMutex,CloseHandle,GetTickCount,srand,rand,rand,Sleep,SetFileAttributesA,wsprintfA,_mbscpy,_mbscat,_mbscat,Sleep,memset,_mbscat,_mbscat,_mbscat,MoveFileA,Concurrency::details::platform::__CreateTimerQueueTimer,___crtGetLocaleInfoEx,rand,rand,rand,rand,rand,rand,rand,MoveFileExA,Sleep,memset,___crtGetTimeFormatEx,	4_2_1000D7E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,6D0F2DD0,memset,___crtGetTimeFormatEx,GetLastError,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,6D0F2DD0,MultiByteToWideChar,WideCharToMultiByte,6D0F2DD0,WideCharToMultiByte,strlen,6D06C7F0,6D06C7F0,wsprintfA,strlen,strrchr,6D06C7F0,6D06C7F0,	4_2_10009A63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: memset,wsprintfA,6D0F2DD0,memset,___crtGetTimeFormatEx,memset,___crtGetLocaleInfoEx,MultiByteToWideChar,6D0F2DD0,MultiByteToWideChar,WideCharToMultiByte,6D0F2DD0,WideCharToMultiByte,strlen,6D06C7F0,6D06C7F0,wsprintfA,strlen,strrchr,6D06C7F0,6D06C7F0,6D06C7F0,6D06C7F0,	4_2_10009FAB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1001F343 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

4_2_1001F343

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10004996 LookupAccountNameA,

4_2_10004996

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10008C6A memset,GetVersionExA,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,

4_2_10008C6A

Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007225 WSAStartup,socket,socket,htons,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,WSACleanup,

4_2_10007225

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Service Execution	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	12 Windows Service	11 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	12 Windows Service	1 Software Packing	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	111 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Indicator Removal	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
oQy3XhO4cX.dll	97%	ReversingLabs	Win32.Backdoor.Venik
oQy3XhO4cX.dll	100%	Avira	TR/Patched.Ren.Gen
oQy3XhO4cX.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://107.163.56.241:1530//joy.asp?sid=rungnejcndvgnJdFe5vteX8v2.	0%	Avira URL Cloud	safe
http://107.163.43.161:12388/2112.html/	0%	Avira URL Cloud	safe
http://%s.qzone.qq.com/main	0%	Avira URL Cloud	safe
http://107.163.43.161:12388/2112.htmll	0%	Avira URL Cloud	safe
http://107.163.43.161:12388/2112.html	0%	Avira URL Cloud	safe
http://67.229.227.140:999/ver.asp?v=%sfound~	0%	Avira URL Cloud	safe
http://107.163.56.240:18963/main.php	0%	Avira URL Cloud	safe
http://%s.qzone.qq.com/mainMozilla/4.0	0%	Avira URL Cloud	safe
http://107.163.56.241:18530/	0%	Avira URL Cloud	safe
http://107.163.56.241:18530//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mteYmJe0nta	0%	Avira URL Cloud	safe
http://67.229.227.140:999/ver.asp?v=%s	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://107.163.56.241:1530//joy.asp?sid=rungnejcndvgnJdFe5vteX8v2.	rundll32.exe, 00000004.00000002.2703205317.000000000327B000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.240:18963/main.php	rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://67.229.227.140:999/ver.asp?v=%sfound~	rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.161:12388/2112.html/	rundll32.exe, 00000004.00000002.2703461478.0000000003335000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%sMozilla/4.0	rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false		high
http://%s.qzone.qq.com/main	rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.161:12388/2112.html	rundll32.exe, 00000004.00000002.2703461478.0000000003335000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.241:18530//joy.asp?sid=rungnejcndvgnJLdFe5vteX8v2LUicbtudb8mteYmJe0nta	rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.LOG1.17.dr, Amcache.hve.17.dr	false		high
http://%s.qzone.qq.com/mainMozilla/4.0	rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s	rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false		high
http://107.163.56.241:18530/	rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.43.161:12388/2112.htmll	rundll32.exe, 00000004.00000002.2703461478.00000000032EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://67.229.227.140:999/ver.asp?v=%s	rundll32.exe, rundll32.exe, 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
107.163.43.161	unknown	United States	20248	TAKE2US	true
107.163.56.241	unknown	United States	20248	TAKE2US	true
107.163.56.251	unknown	United States	20248	TAKE2US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558484
Start date and time:	2024-11-19 14:14:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oQy3XhO4cX.dll renamed because original name is a hash value
Original Sample Name:	8ab993fdb5f20d2415135216241b614699d538cc.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@33/5@0/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 34 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: oQy3XhO4cX.dll

Simulations

Behavior and APIs

Time	Type	Description
08:15:37	API Interceptor	23x Sleep call for process: rundll32.exe modified
08:15:38	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
107.163.43.161	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
107.163.43.161	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse
107.163.56.241	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse
107.163.56.251	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse
	02hNixBIvP.exe	Get hash	malicious	Unknown	Browse
	abc.dll	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TAKE2US	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
TAKE2US	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123
TAKE2US	gmqIbj35WF.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	Bcr1Wl2Jn0.dll	Get hash	malicious	Unknown	Browse	107.163.56.240
	OL50O9ho5M.dll	Get hash	malicious	Unknown	Browse	107.163.56.251
	81mieek02V.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	Vb1S2HJcnN.dll	Get hash	malicious	Unknown	Browse	107.163.56.110
	VqCbf9fhnQ.exe	Get hash	malicious	Unknown	Browse	107.163.43.253
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	107.163.215.236
	DHL_doc.exe	Get hash	malicious	FormBook	Browse	107.163.130.253
	wODub61gZe.exe	Get hash	malicious	FormBook	Browse	107.163.130.249
	mips.elf	Get hash	malicious	Mirai	Browse	107.163.25.123

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 19 13:16:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	160420
Entropy (8bit):	2.013656788749467
Encrypted:	false
SSDEEP:	768:MGBAbdFCuO5OO+J8JqOcZQt+fhGC/0Z6Lyf3xh:MBfCo2RcyWGC/0Z6+fhh
MD5:	6ED806A9831AB8830EBCF8DBA7916434
SHA1:	22ED4D3F572E3FD5E63D9A69BDF04DF9BD2377FA
SHA-256:	180C49E80F48439A13ABECA33F03276F1290EB944CE871E57B9A6FC646FD91B2
SHA-512:	E0AEE8D97AA20A7FCDFA23A2009BC0514F715EE3D95F42FB63F98B6030A0E061FC4E47F3A9217323EADFBF9B3648E6807E42EF4519901B328EA1992B38D9A4A9
Malicious:	false
Preview:	MDMP..a..... .........<g............t...............\|...........(Z..........T.......8...........T............B...0..........L(..........8..............................................................................eJ.............GenuineIntel............T.......\...w.<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA2C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.698591834036754
Encrypted:	false
SSDEEP:	192:R6l7wVeJp/g6Vv6YcK6fIgmf8FZuprr89b5QsfKqRzm:R6lXJp46t6Y56wgmf8FZf5jfKqo
MD5:	9BE12AB619B360E5DC5C456235DC5591
SHA1:	9CC24AAE0377F38093508CA1245E61F879E345D6
SHA-256:	8080298E792CB8402331729E35459E1639D06EC11780BA9C029D5C4173408648
SHA-512:	D5E7DC70D060B5BEC6F44993F946CA7FB14A3A323E9C679DDF56AEA99F186C68BAADC7B27BB2C753F2178DE9FF940341EBE6C35463EA991970723F4334A544C1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA6C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.483740523067429
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuNJg77aI9zwWpW8VYGYm8M4JCdP5FiIX+q8vjP/CGScSDd:uIjfunI7pJ7VeJGK2J3Dd
MD5:	E780FBCE2DF297F8E060194942A2751D
SHA1:	09593A593574C74B069BBE8D6809D0FAC1A9646C
SHA-256:	64B0F6ED05EA00626F3AA7F18B674A5DD92ABE257C06C270B1951A0C37E32BAB
SHA-512:	70D97FC0FED18275EA9803F86F8B8CFC1E594EF7559C418A9B76B24959B0EB9A904494CE8876F28482F6E3CDDF5CDE3BE820730B1DEB35DCD64A4575B3917344
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594978" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3728533208741
Encrypted:	false
SSDEEP:	6144:1FVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNEiL:zV1QyWWI/glMM6kF7Kq
MD5:	AE1E1022E53703F298994A03BBF9A33B
SHA1:	977916C29CA3D3478B684BAE81EA80D49D29BE49
SHA-256:	42EF93F986EBB6696810A380659813EE8543C25FF608F64E62610FFC44DA9476
SHA-512:	BB05CBB2B305F5EDD1114CC9A26DAA2DB6DD0E2C5CDC1E2BB4738043AEF6403838D77886FC15AAD856951A8819211A895E7F60C56942391E731C3FFEB99B6897
Malicious:	false
Preview:	regfC...B....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1716224
Entropy (8bit):	4.579619895964344
Encrypted:	false
SSDEEP:	6144:PqFVfpi6ceLP/9skLmb0ayWWSPDaJG8nAge35OlMMhA2AX4WABlguNEiL:6V1QyWWS/glMM6kF7Kq
MD5:	909904025E9F53599BA791B1DEF9F502
SHA1:	D21B72CFF59DB0E58153A4FCD9B66C25352DECDA
SHA-256:	4754C0D37552D46D168E8B970D206E7A407EBCB27B5B5F703017F6A37ED8CF23
SHA-512:	03CBBCC6E0BFB726026395EFEF5B69B551F442BAF54EA46184254192DB6BE9DC0B7323ECA930E22358353CFAF6E9002C0559F222B301D91E42A463F2EF3F05E3
Malicious:	false
Preview:	regfB...B....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....:..................................................................................................................................................................................................................................................................................................................................................HvLE........B....0.......s./.i......r..).....0...@......hbin.................\.Z............nk,..\.Z........P...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........A...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t.......vk..<...............

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9172154880300765
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 97.04% Win32 EXE Yoda's Crypter (26571/9) 2.57% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	oQy3XhO4cX.dll
File size:	138'955 bytes
MD5:	d17d6db07618aa4b89f6d66c1b2f5841
SHA1:	8ab993fdb5f20d2415135216241b614699d538cc
SHA256:	449ba2d742d67fc9e6627d4cb6fa952c4ac41efa85ad3df41b1d8cced7965e22
SHA512:	65d2558cc77a4d2f9eaab13858f33bf56fab4d6f52e96473bca95b6230695571d49e7f7adb6798970d87b3f71baf9b93536d6c1559e798796473b58981838c28
SSDEEP:	1536:1RNinzmWJgrDquOUAyPkXgeJI6g8LHe07Uee41pUcQRyXAHJ3HyNa8s64PpW2xpd:zNYOrFAyugeJOym41pLLQN+a8O8Cpd
TLSH:	FAD312DB3492503EC0DAFE7BC88AA45D25B76ED0208AFF48F3A0654F1E708B81567D56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.\.N.m.E...N.=.H...N.m.J...N.Rich..N................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1004b000
Entrypoint Section:	ds
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x56515A58 [Sun Nov 22 06:02:00 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c14bd7810997176bf9a0fc63aaecc73e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 000A2C2Ah
push 000D9038h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
pop eax
mov dword ptr fs:[00000000h], eax
pop eax
pop eax
pop eax
pop eax
mov ebp, eax
mov eax, 100490B0h
jmp eax
nop
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4a328	0x40	.fs
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a000	0x328	.fs
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a368	0xc	.fs
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.fdss	0x1000	0x27000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fds	0x28000	0x22000	0x21400	643e5aa7b1e175061d5c8b6ff92fc4ef	False	0.9865410596804511	data	7.938861044095765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fs	0x4a000	0x1000	0x400	ca92c4a5a58d8f944fc303cb98ef5fea	False	0.470703125	data	3.9294239228795704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ds	0x4b000	0x208	0x200	7805f27e1b3a7702fd08c1b531386f51	False	0.115234375	data	0.697818995102615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
ADVAPI32.dll	RegOpenKeyA
MFC42.DLL
MSVCP60.dll	??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
MSVCRT.dll	rand
NETAPI32.dll	Netbios
ntdll.dll	NtQueryInformationFile
ole32.dll	CoInitialize
OLEAUT32.dll	VariantClear
PSAPI.DLL	GetModuleFileNameExA
SHLWAPI.dll	StrStrIA
USER32.dll	wsprintfA
WS2_32.dll	WSAGetLastError

Exports

Name	Ordinal	Address
Scheduler	1	0x1000fff3

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 14:15:38.711272955 CET	49704	12388	192.168.2.8	107.163.43.161
Nov 19, 2024 14:15:38.711483002 CET	49705	18530	192.168.2.8	107.163.56.241
Nov 19, 2024 14:15:39.720136881 CET	49704	12388	192.168.2.8	107.163.43.161
Nov 19, 2024 14:15:39.720212936 CET	49705	18530	192.168.2.8	107.163.56.241
Nov 19, 2024 14:15:41.720052958 CET	49705	18530	192.168.2.8	107.163.56.241
Nov 19, 2024 14:15:41.720237017 CET	49704	12388	192.168.2.8	107.163.43.161
Nov 19, 2024 14:15:45.720076084 CET	49704	12388	192.168.2.8	107.163.43.161
Nov 19, 2024 14:15:45.735687017 CET	49705	18530	192.168.2.8	107.163.56.241
Nov 19, 2024 14:15:53.720055103 CET	49704	12388	192.168.2.8	107.163.43.161
Nov 19, 2024 14:15:53.751305103 CET	49705	18530	192.168.2.8	107.163.56.241
Nov 19, 2024 14:16:00.794069052 CET	49707	6658	192.168.2.8	107.163.56.251
Nov 19, 2024 14:16:01.782587051 CET	49707	6658	192.168.2.8	107.163.56.251
Nov 19, 2024 14:16:03.782603025 CET	49707	6658	192.168.2.8	107.163.56.251
Nov 19, 2024 14:16:07.782629013 CET	49707	6658	192.168.2.8	107.163.56.251
Nov 19, 2024 14:16:15.798223972 CET	49707	6658	192.168.2.8	107.163.56.251

Target ID:	0
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll"
Imagebase:	0x6b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\oQy3XhO4cX.dll,Scheduler
Imagebase:	0x160000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",#1
Imagebase:	0x160000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:15:35
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xb80000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:15:38
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Imagebase:	0x160000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:15:38
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 1984, Parent PID: 4584

General

Target ID:	12
Start time:	08:15:38
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:15:38
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xb80000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:16:01
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1816
Imagebase:	0x2b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	08:16:07
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Imagebase:	0x160000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:16:08
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5868, Parent PID: 1108

General

Target ID:	21
Start time:	08:16:08
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:16:08
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xb80000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:16:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\oQy3XhO4cX.dll",Scheduler
Imagebase:	0x160000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 2456, Parent PID: 5696

General

Target ID:	24
Start time:	08:16:16
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2756, Parent PID: 2456

General

Target ID:	25
Start time:	08:16:16
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:16:16
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0xb80000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.4%
Total number of Nodes:	385
Total number of Limit Nodes:	8

Executed Functions

Function 1000E763 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 233
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,1000EBC9), ref: 1000E791
lstrcat.KERNEL32(00000000,1002B328), ref: 1000E7A3
lstrcat.KERNEL32(00000000,*.*), ref: 1000E7B5
FindFirstFileA.KERNEL32(00000000,?), ref: 1000E7C9
FindNextFileA.KERNEL32(000000FF,?), ref: 1000E7F3
lstrcpy.KERNEL32(00000000,1000EBC9), ref: 1000E844
lstrcat.KERNEL32(00000000,1002B330), ref: 1000E856
lstrcat.KERNEL32(00000000,?), ref: 1000E86A
_strcmpi.MSVCRT ref: 1000E87C
PathIsDirectoryA.SHLWAPI(00000000), ref: 1000E8CD
6D0F2DD0.MFC42(00A00000), ref: 1000E906

Strings

NPKI, xrefs: 1000E877
P, xrefs: 1000E975
107.163.56.240:18963/main.php, xrefs: 1000E9C8
11221450, xrefs: 1000E8A6
*.*, xrefs: 1000E7A9
%s\%s, xrefs: 1000E8B2
/image.php, xrefs: 1000EA75

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: lstrcat$FileFindlstrcpy$DirectoryFirstNextPath_strcmpi
String ID: %s\%s$*.*$/image.php$107.163.56.240:18963/main.php$11221450$NPKI$P
API String ID: 562152879-1605710944
Opcode ID: 8dc3f451ec439195fb642174bf6b405dfc93262f3e312056b2019c0f5341db0b
Instruction ID: 19444b947d153ba7138296ce0e6c54724dfe7cb5038b80b89ac979f494543493
Opcode Fuzzy Hash: 8dc3f451ec439195fb642174bf6b405dfc93262f3e312056b2019c0f5341db0b
Instruction Fuzzy Hash: 6991A6B59002A8AFEB64CBA4CC84BDE77B9EB58341F0044E5E30DA6141DB75AF98CF51

Function 10011C72 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 140
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 10011C8E
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4
DeviceIoControl.KERNEL32(000000FF,00074080,00000000,00000000,?,00000018,10011A6D,00000000), ref: 10011CF0
GetLastError.KERNEL32(00000400,?,00000000,00000000), ref: 10011D0C
FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10011D1A

Strings

\\.\PHYSICALDRIVE%d, xrefs: 10011C85

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ControlCreateDeviceErrorFileFormatLastMessagesprintf
String ID: \\.\PHYSICALDRIVE%d
API String ID: 1111953355-613073274
Opcode ID: 9f30885270635e6f7f4378129046c2ac62e5a9f342dcb6496bc87d1829db50c4
Instruction ID: ac9daaf844bbbce85607c204d6ced58bc456b83f5b99ea7e7b7fe265a51f8282
Opcode Fuzzy Hash: 9f30885270635e6f7f4378129046c2ac62e5a9f342dcb6496bc87d1829db50c4
Instruction Fuzzy Hash: C351A6B5A00218ABEB24CF54CC41BDD7775EF85704F148294F6096A2C1DB729A94CF55

Function 10006843 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 94
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 10006865
GetProcAddress.KERNEL32(?,GetExtendedUdpTable), ref: 1000687D
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 1000689A
malloc.MSVCRT ref: 100068CA
GetExtendedUdpTable.IPHLPAPI(00000000,00000000,00000001,00000002,00000001,00000000), ref: 10006903

Strings

GetExtendedUdpTable, xrefs: 10006871
z, xrefs: 100068AF
iphlpapi.dll, xrefs: 10006860

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable$AddressLibraryLoadProcmalloc
String ID: GetExtendedUdpTable$iphlpapi.dll$z
API String ID: 2385667234-347336574
Opcode ID: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction ID: e72f5ed3c2909e77353821d2c1bd01ab583724ea6bb6368f571f4905b0ca2030
Opcode Fuzzy Hash: 5328ac57c6a4c2ab5cc262d5627e7cd2f3de5afe600d25952e17e25023f3c01c
Instruction Fuzzy Hash: 3541E9F09002289BDB24DB50CD85BD8B7B9EB88304F20C5E9E70967295D7709EC6CF59

Function 1000960F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009674

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 10009631

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: 1c552b1c28aa3bc19c23a19089090d0fa10cbf4bb900b856f0b97fb28ca6ac2c
Instruction ID: edbbad18566889c42df8cf001e4eb437ffe5273fdd268d158c28225184eb7580
Opcode Fuzzy Hash: 1c552b1c28aa3bc19c23a19089090d0fa10cbf4bb900b856f0b97fb28ca6ac2c
Instruction Fuzzy Hash: F5311DF6D00208EBEB20DB94CC86BCD73B8EB44340F5185A4E70877285E775AB948B99

Function 10005EBA Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
CloseHandle.KERNEL32(?), ref: 10005F29

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction ID: efa5140f03dfd4bc98f9291f5672f447fd415e0b54fcefeffd77d2d0beff28df
Opcode Fuzzy Hash: f6b6b03c6faaef396f20f0d52fdbd3e93666b8a4be3b0b9069461b6b7524bcc7
Instruction Fuzzy Hash: FB012D70A1020AABFB14CFE4CC85BBF77B8EB88741F208515FA05D6284D6799A42CB60

Function 1000FFF3 Relevance: 61.4, APIs: 28, Strings: 7, Instructions: 200
sleepthreadfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658,1002B5F8), ref: 10010016
GetLastError.KERNEL32 ref: 10010022
wsprintfA.USER32 ref: 1001006D
Sleep.KERNEL32(000007D0), ref: 10010090
DeleteFileA.KERNEL32(00000000), ref: 1001009A
PathIsDirectoryA.SHLWAPI(C:\Users\user\Desktop\11221450), ref: 100100C4
CreateDirectoryA.KERNEL32(C:\Users\user\Desktop\11221450,00000000), ref: 10010102
Sleep.KERNEL32(000007D0), ref: 10010113
DeleteFileA.KERNEL32(00000000), ref: 1001011D
CreateThread.KERNEL32(00000000,00000000,1000FEA3,00000000,00000000,00000000), ref: 1001013B
CreateThread.KERNEL32(00000000,00000000,1000C5DD,00000000,00000000,00000000), ref: 10010155
Sleep.KERNEL32(000003E8), ref: 10010160
WSAStartup.WS2_32(00000202,?), ref: 10010172
CreateThread.KERNEL32(00000000,00000000,1000BDDD,107.163.56.251:6658,00000000,00000000), ref: 10010190
CreateThread.KERNEL32(00000000,00000000,1000EAE6,00000000,00000000,00000000), ref: 100101A5
Sleep.KERNEL32(00000BB8), ref: 100101B0
CreateThread.KERNEL32(00000000,00000000,1000CB08,00000000,00000000,00000000), ref: 10010201
CreateThread.KERNEL32(00000000,00000000,1000EF29,00000000,00000000,00000000), ref: 10010216
Sleep.KERNEL32(00000BB8), ref: 10010221
CreateThread.KERNEL32(00000000,00000000,10007225,00000000,00000000,00000000), ref: 10010236
CreateThread.KERNEL32(00000000,00000000,1000C753,00000000,00000000,00000000), ref: 1001024B
Sleep.KERNEL32(000927C0), ref: 10010256
Sleep.KERNEL32(000927C0), ref: 1001026A
CreateThread.KERNEL32(00000000,00000000,1000BA90,00000000,00000000,00000000), ref: 1001027F
Sleep.KERNEL32(0000EA60), ref: 1001028A
CreateThread.KERNEL32(00000000,00000000,1000F9DF,00000000,00000000,00000000), ref: 1001029F
Sleep.KERNEL32(000000FF), ref: 100102A7
Sleep.KERNEL32(0036EE80), ref: 100102BB

Strings

C:\Users\user\Desktop, xrefs: 1001005C
123, xrefs: 100100E7
M107.163.56.251:6658, xrefs: 1001000D
SeDebugPrivilege, xrefs: 100100A7
cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s", xrefs: 10010061
C:\Users\user\Desktop\11221450, xrefs: 100100BF, 100100FD
107.163.56.251:6658, xrefs: 10010182

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create$SleepThread$DeleteDirectoryFile$ErrorLastMutexPathStartupwsprintf
String ID: 107.163.56.251:6658$123$C:\Users\user\Desktop$C:\Users\user\Desktop\11221450$M107.163.56.251:6658$SeDebugPrivilege$cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"
API String ID: 1343898817-3164740760
Opcode ID: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
Instruction ID: 202ca25a55749d9caac28ba7abe87623cc4d3d132b78e06582e95a8dd985acec
Opcode Fuzzy Hash: fefafe8ab9288ea41c363e7c11848018cdd40a52e75ac5e3db2d34ff6eba06cf
Instruction Fuzzy Hash: 31616F30B81324BBF720DBA08C4BF9A7661EB14B42F604594F749BD1D0DBF066928F56

Function 10009806 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 163
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbscpy.MSVCRT(00000000,?), ref: 10009834
strstr.MSVCRT ref: 10009894
strstr.MSVCRT ref: 100098C6
strcspn.MSVCRT ref: 100098DF
strstr.MSVCRT ref: 10009904
strcspn.MSVCRT ref: 1000991D
strncpy.MSVCRT ref: 10009935
_mbscpy.MSVCRT(00000000,?), ref: 1000994E
_mbscpy.MSVCRT(00000000,00000000), ref: 10009966
strstr.MSVCRT ref: 1000997A
strcspn.MSVCRT ref: 10009993
strncpy.MSVCRT ref: 100099AB
strcspn.MSVCRT ref: 100099C0
atoi.MSVCRT(?), ref: 100099DD

Part of subcall function 1000949C: ___crtGetTimeFormatEx.LIBCMTD ref: 10009517
Part of subcall function 1000949C: memset.MSVCRT ref: 1000953C
Part of subcall function 1000949C: ___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

WSAStartup.WS2_32(00000202,?), ref: 100099F8
htons.WS2_32(00000000), ref: 10009A0C
socket.WS2_32(00000002,00000001,00000000), ref: 10009A2E
connect.WS2_32(?,00000002,00000010), ref: 10009A41
closesocket.WS2_32(?), ref: 10009A50

Strings

http://, xrefs: 10009888

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strcspnstrstr$_mbscpy$___crtstrncpy$FormatInfoLocaleStartupTimeatoiclosesocketconnecthtonsmemsetsocket
String ID: http://
API String ID: 2442996125-1121587658
Opcode ID: ac03bdceba01dc52bc363b04a17981fe5360d76d08a8c37df158606eb789235e
Instruction ID: 328f30d5f0abd543537b81f1a207a30335c7fdbd19ea60133f8a33c6dacf31c1
Opcode Fuzzy Hash: ac03bdceba01dc52bc363b04a17981fe5360d76d08a8c37df158606eb789235e
Instruction Fuzzy Hash: 4151CF71900218BFEF14DBA4DC89BDA77BCEF45304F1041A8F649A6144EB319B99CFA2

Function 10011E80 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 10011E9A
memset.MSVCRT ref: 10011EB0
Netbios.NETAPI32(00000037), ref: 10011EDB
Netbios.NETAPI32(00000032), ref: 10011F55

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 1001205E
3, xrefs: 10011FA7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Netbiosmemset
String ID: %02X%02X%02X%02X%02X%02X$3
API String ID: 1915571530-847158874
Opcode ID: e682560842b1c5bbc8f73b42685206b775cb85e69039e3f260726e3811ab9e07
Instruction ID: 995f6e05dfeb694b0f45a1fd62118eef7e3e694447b149082da1e2005757cfe0
Opcode Fuzzy Hash: e682560842b1c5bbc8f73b42685206b775cb85e69039e3f260726e3811ab9e07
Instruction Fuzzy Hash: 2D518F7592065A8BDB36CB14CC42BE9B3B8EF95300F4441F8A44CAA242EBB49BD4DF45

Function 1000C43A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 101
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 1000C463
6D0F2DD0.MFC42(00000084), ref: 1000C47A
_mbscpy.MSVCRT(1002D040,?), ref: 1000C4E3

Strings

http://107.163.56.241:18530/, xrefs: 1000C45E, 1000C5A6
11221450, xrefs: 1000C571
%s/joy.asp?sid=%s, xrefs: 1000C5AB
http://, xrefs: 1000C459
%s|NULL|%s|%s, xrefs: 1000C582

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscpystrstr
String ID: %s/joy.asp?sid=%s$%s|NULL|%s|%s$11221450$http://$http://107.163.56.241:18530/
API String ID: 3519433431-1877419398
Opcode ID: e00ea349709bc09113082a407562ec662709d3d00abd0d4abe236b1349ca538f
Instruction ID: 96c4c4460f3670001d58eb54bbc12df5c97e6194365fac138d2a8c86e213b446
Opcode Fuzzy Hash: e00ea349709bc09113082a407562ec662709d3d00abd0d4abe236b1349ca538f
Instruction Fuzzy Hash: EC4156F5D00218AFEB20CF14DC81B9AB7B4EB85240F4045F9E70967281EB356A898F5A

Function 1000BDDD Relevance: 9.0, APIs: 6, Instructions: 49
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000BDF8

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BE47
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BE56
CloseHandle.KERNEL32(?), ref: 1000BE60
Sleep.KERNEL32(00002710), ref: 1000BE6B
CloseHandle.KERNEL32(?), ref: 1000BE7A

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
String ID:
API String ID: 3243752880-0
Opcode ID: 8771a04588f9dc2f16d17a829460210603032358937fc65401b82ea2910729cc
Instruction ID: e824f486e2537cd13a86d57df264f215c657a490cf5d40ca5208cd8ad212e3ab
Opcode Fuzzy Hash: 8771a04588f9dc2f16d17a829460210603032358937fc65401b82ea2910729cc
Instruction Fuzzy Hash: 0411AD74A44208FBFB14DFE0CC9AFEDB774EB44711F204594FB0A9A2D0CA705A918B95

Function 1002132A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 10021358
_initterm.MSVCRT ref: 10021383
free.MSVCRT ref: 100213C0

Strings

kGuPiDu, xrefs: 10021340

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _inittermfreemalloc
String ID: kGuPiDu
API String ID: 1678931842-1843548027
Opcode ID: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction ID: a13e4d924212a13dcf2931888b3098d0df1cffd824a8125765e678fcc9b3a535
Opcode Fuzzy Hash: 32bd48cbedac31db7fc202db5474fc450ca80691310f4af71ef2a1824f5b65be
Instruction Fuzzy Hash: 4D114C366646B1EBF314DF61EC84AC937E6FB64359BB14019E804D65A0F731AD828B50

Function 10009751 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 100097B3

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10009773

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 483802873-1918919809
Opcode ID: 70449c398292e22e77c7340437fd52007b27366e81dc92532d215e76e86d941f
Instruction ID: aa3042b00974eb3661dab9a980acd1570a60d3873d689b260169291dcc9804a7
Opcode Fuzzy Hash: 70449c398292e22e77c7340437fd52007b27366e81dc92532d215e76e86d941f
Instruction Fuzzy Hash: 271121F9D00208EBEB20DB50CC46B8D73B4DB44380F2181A5F6087B285EA75BA948B99

Function 100043BD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(76BE0000,00000000), ref: 100043D4

Strings

Q2xvc2VXaW5kb3c=, xrefs: 100043C0

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: Q2xvc2VXaW5kb3c=
API String ID: 190572456-2652562148
Opcode ID: fbc0b191b7f26a15644bc567497c0b691dff815fb9515091f55041d4ba3a90e7
Instruction ID: 86b06878a34977032f00de5cded76d8bf0c7f73d773c853c7e08730fcfccc261
Opcode Fuzzy Hash: fbc0b191b7f26a15644bc567497c0b691dff815fb9515091f55041d4ba3a90e7
Instruction Fuzzy Hash: 50C08CF580021C6FF600EBE4ADCAE423BACE70C2997100022FB0DC2216EB32A05186A2

Function 100024A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(70190000,00000000), ref: 100024BE

Strings

TmV0TG9jYWxHcm91cEVudW0=, xrefs: 100024AA

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEVudW0=
API String ID: 190572456-980335172
Opcode ID: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction ID: 94a68914744b6255420893e6e3bedd0a82bd00ad7f141df6458ff9631ea00634
Opcode Fuzzy Hash: 4c51d861e7fd02144a7db00ae8db112198e28f32e65c5de3b64188d75a474123
Instruction Fuzzy Hash: 1EC080F540061C6FF200D7D8ACC5E41379CD3482997100011F60DC2211D53160414652

Function 100024D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(70190000,00000000), ref: 100024EC

Strings

TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=, xrefs: 100024D8

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
API String ID: 190572456-3430808999
Opcode ID: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction ID: 0e6cf0e7949062256b1582b677e2dc4b335822ba4defa2ba0336d22a514f21fc
Opcode Fuzzy Hash: 2859fcc0f97cbaf8f8a39a9c3ca047e8023cc2ef79e200a45133f090903b1013
Instruction Fuzzy Hash: 38C080F5C0061C6FF300D7D4ACC9D4137DCD3081997100011F70DC2211D73160414652

Function 1000255F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(70190000,00000000), ref: 10002576

Strings

TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 10002562

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: TmV0QXBpQnVmZmVyRnJlZQ==
API String ID: 190572456-3244026974
Opcode ID: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction ID: ff91b108fad4cc851aac3f9e389e9e2a63f3c8257eb8f5e683f791925ec63412
Opcode Fuzzy Hash: 4dfb2dc32d8d45aa0c1131dfe6f868fa75675e8bfe7981136751ebd02a99021a
Instruction Fuzzy Hash: 21C08CF680161CAFF200DBE4ACCAE823BACD3082A97110022F60EC3212E631B041C662

Function 1000258D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(75550000,00000000), ref: 100025A4

Strings

R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==, xrefs: 10002590

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: R2V0U2VjdXJpdHlEZXNjcmlwdG9yQ29udHJvbA==
API String ID: 190572456-3292411561
Opcode ID: 1d48e16200f9b9f298709b5dcea94d537105a9f624fa3b7e2dd664796b368c7d
Instruction ID: c4aeed86ffe8b449379c60583828ab32e035c01f2a5dfc01b8ce5ea512c12cf6
Opcode Fuzzy Hash: 1d48e16200f9b9f298709b5dcea94d537105a9f624fa3b7e2dd664796b368c7d
Instruction Fuzzy Hash: A5C08CF580026CAFF700DBE4ACCAE4237ACF30829D7100022FA0AC3212E721A44186A2

Function 1000172D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75550000,00000000), ref: 10001744

Strings

U2V0RXJyb3JNb2Rl, xrefs: 10001730

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: U2V0RXJyb3JNb2Rl
API String ID: 190572456-495186574
Opcode ID: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction ID: b616446aa3eae8f0e246bd7a0e97171c4ab2d65e5c8aa983a289ca1212d1c33e
Opcode Fuzzy Hash: 0aa649e1d36acdcdedc86aa3030a6d3833cf809a082bd0010dd5db48b3c8f688
Instruction Fuzzy Hash: A6C08CF980021CABF300DBE4ACC6E46379CF30C19D7A00423F60AC2612EB31B40287A3

Function 1000EAE6 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0036EE80), ref: 1000EBD3

Strings

C:\Program Files, xrefs: 1000EAF9

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
Instruction ID: c4e0b3600881029edc50d20150f75f5e2cc0ea145c3db068fc966fb5d715c26f
Opcode Fuzzy Hash: b3865f1773a3df5841c7476650eb2ea4794f304571f036a323e11238ceeefbc7
Instruction Fuzzy Hash: DB314BB4D04298DBEB10CFA4C9816DEBBB0FB08344F248499D806B7346D37AAE46DB55

Function 100086C0 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 100086CA
inet_addr.WS2_32(?), ref: 100086D7

Part of subcall function 10004733: gethostbyname.WS2_32(?), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: inet_addr$gethostbyname
String ID:
API String ID: 2998999989-0
Opcode ID: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction ID: 7e645cfb302764e8d8533147197651d5e6009befd3d72f555b77b30a82d9c00f
Opcode Fuzzy Hash: bb45a3487608896cfbf36d0f50aaacc2a051598b0221e32025faafd4cdf23f35
Instruction Fuzzy Hash: 93F0D0B9A14208EFDB10DFA4C48898DBBB4FB48251F208595ED4997309D735EB51DF50

Function 10005A8D Relevance: 1.5, APIs: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10005AB4

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction ID: 4cfd926ed5ee4b74160d84ed1ccf0fcb76e3c9c35cbabeff5299be230ac46b6e
Opcode Fuzzy Hash: bca9ff1eb5be66ae6672d46cc0f94d350eff6bc44041ef987f654cf8287df7d2
Instruction Fuzzy Hash: 5CE0FEB6214109AB8B44CF8DD890DEB77EDAB8C654B158248BA1DD3254D634E8518BA4

Function 10005B51 Relevance: 1.5, APIs: 1, Instructions: 15registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction ID: 003bc1bca6d8c776606440d32dd4298a63b416cb58658e6586ac9de98fafa826
Opcode Fuzzy Hash: 08a337b6385868c0f675b507c6987362c60cd516618c9477459b3f79bd5ed091
Instruction Fuzzy Hash: 20D092B221420DAB8B04CF88D880CDB37EDAB8C610B008108FA0DC3200C630E9518BA0

Function 10004D54 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction ID: 01f520d78d0293c333997eaa499525b6bf33e0a14dea869d1b4eebbdcbea7866
Opcode Fuzzy Hash: 90c0bf59dd08bd5d87e8d08355b5a90ac8499dc7e9f0787b89098dff34845f0b
Instruction Fuzzy Hash: E4D092B221020DAB8B04CF88D884C9B77ADAB8C600B008108BA0DC3210C630E951CBA0

Function 10005784 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10005793

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction ID: ceb44158fe26a4df53ddd6796a7450bcc70568043160c05e16c1b80753528501
Opcode Fuzzy Hash: a2b2b71d08cffb2413e2815f424846c236d11f47ef861f68627a2a105e900391
Instruction Fuzzy Hash: 64C04C7A11420CABCB04DFD8DC84CAB77EDAB8C610B14C508FA1D87200DA31F9118BA4

Function 10004CAD Relevance: 1.5, APIs: 1, Instructions: 11synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction ID: 7a9713bbb07ef6c8d943612d259fbcec43348370ec0d3c79817316860ce7ebf9
Opcode Fuzzy Hash: bb1b3a1bc0f12fc904b8b3d4bb6a8e82535589da7040e946a222171785d456a3
Instruction Fuzzy Hash: ABC04C7611424CABCB04DFD8DC84CAB37ADFB8C610B148548FA1D87200C730F9119BA4

Function 100015AD Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(04E61050,?,100015AB), ref: 100015B6

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction ID: aa9e6f373e50f86635e89be718cfcb74191758a12ce1f5a61408757a6cf1a103
Opcode Fuzzy Hash: 7b9efe137b9a3625fa2be7c8f2c66eb373832209af40d9067f265c298ba25b99
Instruction Fuzzy Hash: C4B0927240432C9FE600DBE89CC9C1237ACB3086093A00452E90AC3A21D730A402CA96

Function 100015ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035BD0C0,?,100015EB), ref: 100015F6

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction ID: 29f41251ce689b307b62650387fb13a5c84ed48d826cf923518eb1e266bdb45f
Opcode Fuzzy Hash: 7c04ac33f73942233e9bc7669ccbfea438ff98b86e57c92f0219278dcb297bdc
Instruction Fuzzy Hash: EAB0927240432D9BE700DBE89CCAC0137ACA7086087604412E909C3A21D630A4428B52

Function 1000164D Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035BA0A8,?,1000164B), ref: 10001656

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction ID: ba1e3f7c76a82d39c198cdf2c2322580641102d8f53e3edecd95e5ced58cbd87
Opcode Fuzzy Hash: c6caff2039d44a6e5aa75d4bb98cb9209e82c10100db12a54ea678f8e826c46d
Instruction Fuzzy Hash: B8B0927244432C9BE600DBE99CC8C0137ACE608A083604412E90A83A21D630A4428F92

Function 100016ED Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(035B5080,?,100016EB), ref: 100016F6

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction ID: ceafc5a161691708641d67a93fab1652c5b609e1f825db1f72d2572ab5d16a00
Opcode Fuzzy Hash: ffcc3db7b2bdde7f73629938805343ac14b0e3f16aaf80ff0ed903defb3ce77a
Instruction Fuzzy Hash: DDB0927240432C9BF600DBE89CC8D1677ACB6086083604822E909D3A21D630A4428B92

Function 10004733 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(?), ref: 1000473A

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction ID: ed7e62d2018f1f5fe489a5e2af283e66eb16d0056b782be615d6e68807e7cafe
Opcode Fuzzy Hash: 406ea3a98ef40a00d8bec193654c218e6d6cc0861c4cd66da68cf03bb168c3d3
Instruction Fuzzy Hash: 1EB0123140030C97CA005BE8D84CC95779CD6085047000400F50C83500C631F4004A90

Function 10005812 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(1000EBB8,?,1000EBB8,1002B35C), ref: 10005819

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction ID: 70a1fadde607be084ccef56658dda61e356474f6f706b475b9c53b19a0d7fe5b
Opcode Fuzzy Hash: 2a186cc019d29aeb2781d42997b730e683c4d9d36727cc720603f04b3b6f70d0
Instruction Fuzzy Hash: 0FB0123100030C97CA005BD8D848C8577DC970C6407408000F60C83101CA70F4004AD0

Function 10005ABC Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 10005AC3

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction ID: d309ecb02fbcf521f446e64dffd2c407881538d3ff2428412e6fd22df4654e57
Opcode Fuzzy Hash: bad93dd7ba07adfec8e7d5db093e91b400f46df775f4aea040612f4a0dfc6238
Instruction Fuzzy Hash: A5B0123200430C97CA005BD8D848CC5379CD60C5007000051F50CC3100C730F4004A90

Function 10011A40 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10011A5B

Part of subcall function 10011C72: sprintf.MSVCRT ref: 10011C8E
Part of subcall function 10011C72: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10011CB4

Part of subcall function 10011E80: memset.MSVCRT ref: 10011E9A
Part of subcall function 10011E80: memset.MSVCRT ref: 10011EB0
Part of subcall function 10011E80: Netbios.NETAPI32(00000037), ref: 10011EDB

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CreateFileNetbiossprintf
String ID:
API String ID: 2265170204-0
Opcode ID: a4332b1645f862f82f7eb4b219ddf43da0a854aa1b97c9327c3544342e36a4f3
Instruction ID: dceb83b943926abd5faf33fd0d5094280e9a27f0c6a434b0c500408138b30427
Opcode Fuzzy Hash: a4332b1645f862f82f7eb4b219ddf43da0a854aa1b97c9327c3544342e36a4f3
Instruction Fuzzy Hash: 99E09A74A04208FBCB08DBD4ED52B9EB7B8DF00340F1000A9F9056B381DAB2EF009AD4

Function 1000FEA3 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710), ref: 1000FEB2

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4fce0586221d5b7f2ab32fed1b7aed4802dceffac77cf3fcc1f851374ffc7c6a
Instruction ID: 48dbc91ac08fb344a6ac96d98cd474edb1b2e67bc503a630d425958a5cdb5dd6
Opcode Fuzzy Hash: 4fce0586221d5b7f2ab32fed1b7aed4802dceffac77cf3fcc1f851374ffc7c6a
Instruction Fuzzy Hash: D3D02B30508300BED612B7A98D49C4B7EB6EB50B40F014A2CB1D050263837B00A0E563

Non-executed Functions

Function 1000D7E3 Relevance: 96.7, APIs: 40, Strings: 15, Instructions: 414sleepsynchronizationstringCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D856
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D86A
strrchr.MSVCRT ref: 1000D879
_mbscat.MSVCRT ref: 1000D891
strrchr.MSVCRT ref: 1000D8A2

Part of subcall function 10005EBA: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005EE5
Part of subcall function 10005EBA: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 10005F1F
Part of subcall function 10005EBA: CloseHandle.KERNEL32(?), ref: 10005F29

CreateMutexA.KERNEL32(00000000,00000001,M107.163.56.251:6658), ref: 1000D8E2
GetLastError.KERNEL32 ref: 1000D8EE
ReleaseMutex.KERNEL32(?), ref: 1000D916
CloseHandle.KERNEL32(?), ref: 1000D923
ReleaseMutex.KERNEL32(?), ref: 1000D952
CloseHandle.KERNEL32(?), ref: 1000D95F
GetTickCount.KERNEL32 ref: 1000DA2C
srand.MSVCRT ref: 1000DA33
rand.MSVCRT ref: 1000DA3C
rand.MSVCRT ref: 1000DAAA
Sleep.KERNEL32(00000064), ref: 1000DAE5
SetFileAttributesA.KERNEL32(c:\,00000002), ref: 1000DAF4
wsprintfA.USER32 ref: 1000DB0D
_mbscpy.MSVCRT(00000000,c:\), ref: 1000DB24

Part of subcall function 1000D747: GetTickCount.KERNEL32 ref: 1000D75F
Part of subcall function 1000D747: srand.MSVCRT ref: 1000D766
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D76F
Part of subcall function 1000D747: rand.MSVCRT ref: 1000D7BA

_mbscat.MSVCRT ref: 1000DB71
_mbscat.MSVCRT ref: 1000DB87

Part of subcall function 10004DC0: CreateDirectoryA.KERNEL32(?,?), ref: 10004DCB

Sleep.KERNEL32(00000064), ref: 1000DBA2
memset.MSVCRT ref: 1000DBB3
_mbscat.MSVCRT ref: 1000DBD8
_mbscat.MSVCRT ref: 1000DBEE
_mbscat.MSVCRT ref: 1000DC02
MoveFileA.KERNEL32(00000000,00000000), ref: 1000DC18
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000DC41

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

___crtGetLocaleInfoEx.LIBCMTD ref: 1000DC5C

Part of subcall function 1000556F: SetFilePointer.KERNEL32(?,?,?,?), ref: 10005582

Part of subcall function 10005434: CloseHandle.KERNEL32(10008EDA,?,10008EDA,000000FF), ref: 1000543B

Part of subcall function 10005558: GetModuleFileNameA.KERNEL32(?,?,?), ref: 10005567

rand.MSVCRT ref: 1000DC89
rand.MSVCRT ref: 1000DC9B
rand.MSVCRT ref: 1000DCAD
rand.MSVCRT ref: 1000DCBF
rand.MSVCRT ref: 1000DCD1
rand.MSVCRT ref: 1000DCE3
rand.MSVCRT ref: 1000DCF5
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000DD32

Part of subcall function 10005BF2: CopyFileA.KERNEL32(?,?,?), ref: 10005C01

Sleep.KERNEL32(00001388), ref: 1000DD55
memset.MSVCRT ref: 1000DD66

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

___crtGetTimeFormatEx.LIBCMTD ref: 1000DDD2

Part of subcall function 10004FB3: ShellExecuteA.SHELL32(?,?,?,?,?,?), ref: 10004FCE

Strings

c:\windows\system32, xrefs: 1000DDC2
launch, xrefs: 1000DD9B
c:\wiseman.exe, xrefs: 1000DDAF
\ReadMe.txt, xrefs: 1000D885
c:\, xrefs: 1000DAD4, 1000DADA
3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000DA1E
%s\ReadMe.txt, xrefs: 1000DB01
%s\%c%c%c%c%c%c%c.exe, xrefs: 1000DD0E
WinSta0\Default, xrefs: 1000DD6E
.txt, xrefs: 1000DBF6
M107.163.56.251:6658, xrefs: 1000D8D9
123, xrefs: 1000D995
SeDebugPrivilege, xrefs: 1000D8CC
c:\wiseman.exe, xrefs: 1000DDC9
SeDebugPrivilege, xrefs: 1000D7F0

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$File$_mbscat$CloseCreateHandle$ModuleMutexNameSleep$CountMoveProcessReleaseTickTimerToken___crtmemsetsrandstrrchr$AdjustAttributesConcurrency::details::platform::__CopyCurrentDirectoryErrorExecuteExistsFormatInfoLastLocaleLookupOpenPathPointerPrivilegePrivilegesQueueShellTimeValue_mbscpywsprintf
String ID: %s\%c%c%c%c%c%c%c.exe$%s\ReadMe.txt$.txt$123$3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6$M107.163.56.251:6658$SeDebugPrivilege$SeDebugPrivilege$WinSta0\Default$\ReadMe.txt$c:\$c:\windows\system32$c:\wiseman.exe$c:\wiseman.exe$launch
API String ID: 652726865-1276110213
Opcode ID: 7301c903defd3cd70dc9b3d825b2f00b4d4087626143eb540bbaa64f9a2eb160
Instruction ID: e7302aca530db56d1bf951a45ff3e4a786c1631362df480cdb7b9b2581457961
Opcode Fuzzy Hash: 7301c903defd3cd70dc9b3d825b2f00b4d4087626143eb540bbaa64f9a2eb160
Instruction Fuzzy Hash: 12F1F5B1D00218ABFB20DB60CC96FDA7775EB54301F4045E9F709A6181EBB66B948F61

Function 10007225 Relevance: 96.6, APIs: 46, Strings: 9, Instructions: 387networksleepCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 1000729A
socket.WS2_32(00000002,00000002,00000000), ref: 100072A6
socket.WS2_32(00000002,00000002,00000000), ref: 100072B8
htons.WS2_32(00000035), ref: 100072CF
inet_addr.WS2_32(127.0.0.1), ref: 100072E1
htons.WS2_32(00000035), ref: 100072F8
inet_addr.WS2_32(?), ref: 1000730C
bind.WS2_32(?,00000002,00000010), ref: 10007328
ioctlsocket.WS2_32(?,8004667E,00000001), ref: 1000734B
select.WS2_32(00000000,00000000,00000000,00000000,000003E8), ref: 1000741B
WSAGetLastError.WS2_32 ref: 10007430
Sleep.KERNEL32(000003E8), ref: 10007441
memset.MSVCRT ref: 10007464
recvfrom.WS2_32(?,00000000,00000200,00000000,?,00000010), ref: 1000748F
memset.MSVCRT ref: 100074C2

Part of subcall function 1000713B: memset.MSVCRT ref: 10007157
Part of subcall function 1000713B: memcpy.MSVCRT(?,-0000000C,-00000010), ref: 10007171
Part of subcall function 1000713B: strlen.MSVCRT ref: 1000717D

wsprintfA.USER32 ref: 10007513
StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,00000000), ref: 10007528
StrStrIA.SHLWAPI(00000000,alyac), ref: 10007553
StrStrIA.SHLWAPI(00000000,ahnlab), ref: 10007569
StrStrIA.SHLWAPI(00000000,v3lite), ref: 1000757F
malloc.MSVCRT ref: 10007595
memcpy.MSVCRT(?,00000000,00000002), ref: 100075B4
memcpy.MSVCRT(00000000,00000000,00000000), ref: 100075D1
htons.WS2_32(00008180), ref: 100075DE
htons.WS2_32(00008182), ref: 10007602
memcpy.MSVCRT(?,?,00000002), ref: 1000761F
htons.WS2_32(00000001), ref: 10007629
memcpy.MSVCRT(?,?,00000002), ref: 10007646
htons.WS2_32(0000C00C), ref: 10007685
memcpy.MSVCRT(00000000,?,00000002), ref: 100076A2
htons.WS2_32(00000001), ref: 100076BB
memcpy.MSVCRT(00000000,?,00000002), ref: 100076DF
htons.WS2_32(00000001), ref: 100076F8
memcpy.MSVCRT(00000000,?,00000002), ref: 1000771C
htonl.WS2_32(0000007B), ref: 10007735
memcpy.MSVCRT(00000000,?,00000004), ref: 10007758
htons.WS2_32(00000004), ref: 10007771
memcpy.MSVCRT(00000000,?,00000002), ref: 10007795
inet_addr.WS2_32(1002D030), ref: 100077C4
inet_addr.WS2_32(127.0.0.1), ref: 100077D7
memcpy.MSVCRT(00000000,00000000,00000004), ref: 100077FA
memcpy.MSVCRT(00000000,00000000,00000000), ref: 1000783F
sendto.WS2_32(?,00000000,00000000,00000000,?,00000010), ref: 10007867
closesocket.WS2_32(?), ref: 10007898
closesocket.WS2_32(?), ref: 100078A5
WSACleanup.WS2_32 ref: 100078AB

Strings

www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007523
ahnlab, xrefs: 1000755D
@, xrefs: 100073BE
alyac, xrefs: 10007547
v3lite, xrefs: 10007573
127.0.0.1, xrefs: 100072DC
%s|, xrefs: 10007507
127.0.0.1, xrefs: 100077D2
8.8.8.8, xrefs: 10007261

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$htons$inet_addr$memset$closesocketsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtostrlenwsprintf
String ID: %s|$127.0.0.1$127.0.0.1$8.8.8.8$@$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 3038323916-584143555
Opcode ID: ec22ab86a417ae1e4f9f74b60d11c1c3b79606598b03a26890ee4ca86a7e9a34
Instruction ID: 3390842cec86af49ff68c52d0698ecfc573ce0de94bd3180ff3bf18654662f0a
Opcode Fuzzy Hash: ec22ab86a417ae1e4f9f74b60d11c1c3b79606598b03a26890ee4ca86a7e9a34
Instruction Fuzzy Hash: B1025E75D04229ABEB64CB54CC89BE9B7B4FF48300F0045E9E60DA6295D7786B84CF91

Function 1000ABAC Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 244serviceCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,%SystemRoot%\System32\svchost.exe -k ), ref: 1000AC15
_mbscat.MSVCRT ref: 1000AC28
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AC57
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AC9E
GetLastError.KERNEL32 ref: 1000ACB3
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 1000ACD0

Strings

RegSetValueEx(Svchost\krnlsrvc), xrefs: 1000AECF
%SystemRoot%\System32\svchost.exe -k , xrefs: 1000AC09
Description, xrefs: 1000AD42
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 1000AE3B
ServiceDll, xrefs: 1000ADD8
RegSetValueEx(ServiceDll), xrefs: 1000ADFD
SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000AD01
RegOpenKeyEx(Svchost), xrefs: 1000AE78
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 1000AD6E

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: OpenService$CreateErrorLastManager_mbscat_mbscpy
String ID: %SystemRoot%\System32\svchost.exe -k $Description$RegOpenKeyEx(Svchost)$RegSetValueEx(ServiceDll)$RegSetValueEx(Svchost\krnlsrvc)$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
API String ID: 3611292957-660433390
Opcode ID: fdd77ce7bfc91025276ee73616ce416ce080ae0130899ba4a85b8e3b0fcc4d2e
Instruction ID: fc4fc097f2df58436204c54070e46900803d4f9edc1039ca72ef93cdf2176969
Opcode Fuzzy Hash: fdd77ce7bfc91025276ee73616ce416ce080ae0130899ba4a85b8e3b0fcc4d2e
Instruction Fuzzy Hash: 51A11EB5900218BBEB25DF90DC89FEE7778EB48740F504598F609A6281D774AA85CFA0

Function 10006322 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 299memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100060BF: CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE

Part of subcall function 10005F3C: GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
Part of subcall function 10005F3C: RtlAllocateHeap.NTDLL(00000000), ref: 10005F56

HeapFree.KERNEL32(00000000,00000000,00000000), ref: 100063BB

Strings

Not found File: %s , xrefs: 10006796
Not found File %s , xrefs: 100063C5
c:\am.log, xrefs: 10006748
Close Files Handle....Failure, xrefs: 10006743
Close Files Handle....Success, xrefs: 1000672F
Process:%d Handle: %d ..%s.. FileName: %s, xrefs: 100066A1
c:\am.log, xrefs: 100066A6
c:\am.log, xrefs: 10006734
Handle: %d .... FileName: %s, xrefs: 100065A3

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocateCreateFileFree
String ID: Close Files Handle....Failure$Close Files Handle....Success$Handle: %d .... FileName: %s$Not found File %s $Not found File: %s $Process:%d Handle: %d ..%s.. FileName: %s$c:\am.log$c:\am.log$c:\am.log
API String ID: 630072122-2461064422
Opcode ID: 8e7af692e5636329d27fc5280d86b7502ef07358887e39e27f5fa48402cf5d40
Instruction ID: 645c5e70bbac33feba3ad968f02ee579f9001a7514e99284e2577437101ece5e
Opcode Fuzzy Hash: 8e7af692e5636329d27fc5280d86b7502ef07358887e39e27f5fa48402cf5d40
Instruction Fuzzy Hash: 63C141B4900228AFEB24CB54CC86FD9B3B5EB58344F2085D8F609A7245DB75AED5CF90

Function 1000949C Relevance: 52.6, APIs: 3, Strings: 27, Instructions: 95timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009517

Part of subcall function 10004D73: InternetOpenUrlA.WININET(80000100,00000000,00000000,1000C5CB,00000000,100097B8), ref: 10004D8E

memset.MSVCRT ref: 1000953C
___crtGetLocaleInfoEx.LIBCMTD ref: 1000955E

Part of subcall function 10004D96: InternetReadFile.WININET(00000400,?,00000000,100096E3), ref: 10004DA9

Part of subcall function 10004DB1: InternetCloseHandle.WININET(100097ED), ref: 10004DB8

Strings

d, xrefs: 100095D8
e, xrefs: 100095A4
p, xrefs: 100095E4
s, xrefs: 100095E0
, xrefs: 100095C8
, xrefs: 100095B8
http, xrefs: 100094E1
a, xrefs: 100095B0
o, xrefs: 100095C0
a, xrefs: 1000959C
a, xrefs: 100095EC
d, xrefs: 100095F8
y, xrefs: 100095F0
!, xrefs: 100095FC
g, xrefs: 100095A0
n, xrefs: 100095BC
, xrefs: 100095D4
, xrefs: 100095A8
l, xrefs: 100095E8
e, xrefs: 100095D0
i, xrefs: 100095DC
c, xrefs: 100095AC
P, xrefs: 10009598
n, xrefs: 100095B4
e, xrefs: 100095F4
b, xrefs: 100095CC
t, xrefs: 100095C4

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$Open___crt$CloseFileFormatHandleInfoLocaleReadTimememset
String ID: $ $ $ $!$P$a$a$a$b$c$d$d$e$e$e$g$http$i$l$n$n$o$p$s$t$y
API String ID: 484075888-3281237192
Opcode ID: 14427c0ed575c54b6491988f781b5c61711229e33d5e049bd773e5419474779d
Instruction ID: 2007758cba872cfcd8f6e98331750ef100b8103267b94e19ec89753a2b5b510a
Opcode Fuzzy Hash: 14427c0ed575c54b6491988f781b5c61711229e33d5e049bd773e5419474779d
Instruction Fuzzy Hash: 10413174D043C8EAFB11C6A8CC097DEBEB55B15744F0440D9D5882A282D7FA5798CBB6

Function 10009FAB Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 335timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000A00F
wsprintfA.USER32 ref: 1000A027
6D0F2DD0.MFC42(0007D000), ref: 1000A035
memset.MSVCRT ref: 1000A063

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 1000A0C6

Strings

http://blog.sina.com.cn/u/%s, xrefs: 1000A01B
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000A07D
title, xrefs: 1000A2BA

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$FormatInternetOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$http://blog.sina.com.cn/u/%s$title
API String ID: 1034901129-1204782975
Opcode ID: 94e20f523dfe52caf891c182f4cd05d1ef66b7acb226b7bdf15ea31a66677ac7
Instruction ID: e515f712fb1f60d133b8907fa9568e81727eaea72b4f5efa335cc261a660f667
Opcode Fuzzy Hash: 94e20f523dfe52caf891c182f4cd05d1ef66b7acb226b7bdf15ea31a66677ac7
Instruction Fuzzy Hash: F4E117B4D00268EFEB24CB58CC85BDEB7B0EB59300F1042D9EA09A7280DB756E85CF51

Function 1000F200 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 277sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60), ref: 1000F281
GetTickCount.KERNEL32 ref: 1000F2A2
GetTickCount.KERNEL32 ref: 1000F2B5
GetTickCount.KERNEL32 ref: 1000F2C8
GetTickCount.KERNEL32 ref: 1000F2DB
GetTickCount.KERNEL32 ref: 1000F2EE
GetTickCount.KERNEL32 ref: 1000F301
GetTickCount.KERNEL32 ref: 1000F314
Sleep.KERNEL32(000003E8), ref: 1000F345
GetTickCount.KERNEL32 ref: 1000F373
GetTickCount.KERNEL32 ref: 1000F386
GetTickCount.KERNEL32 ref: 1000F399
GetTickCount.KERNEL32 ref: 1000F3AC
GetTickCount.KERNEL32 ref: 1000F3BF
DeleteFileA.KERNEL32(?), ref: 1000F44E
DeleteFileA.KERNEL32(?), ref: 1000F4C1
Sleep.KERNEL32(000493E0), ref: 1000F5B8

Strings

InstallPath, xrefs: 1000F524
C:\Users\user\Desktop, xrefs: 1000F327, 1000F3D2
QVlSVFNydi5heWU=, xrefs: 1000F243
U09GVFdBUkVcRVNUc29mdFxBTFlhYw==, xrefs: 1000F55B
%c%c%c%c%c, xrefs: 1000F3D7
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F529
RootDir, xrefs: 1000F556
%s\%c%c%c%c.%c%c%c, xrefs: 1000F32C
QVNEU3ZjLmV4ZQ==, xrefs: 1000F230

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CountTick$Sleep$DeleteFile
String ID: %c%c%c%c%c$%s\%c%c%c%c.%c%c%c$C:\Users\user\Desktop$InstallPath$QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$RootDir$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==$U09GVFdBUkVcRVNUc29mdFxBTFlhYw==
API String ID: 1805227871-3942979696
Opcode ID: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
Instruction ID: 6bdac8f9476eec08e9e208a458106ac04ec5b4e33c9511cad80c78820eb665b7
Opcode Fuzzy Hash: 9afddebed4a4e8b3d803d6ed8e39db65abd5323c4276296a2fe8146688f0c2de
Instruction Fuzzy Hash: 5FA1E9F1D00218ABFB15DB60CC85FEE76B6EB88311F4481A9F709B6285DB786B41CB51

Function 10009A63 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 328timeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10009AC7
wsprintfA.USER32 ref: 10009ADF
6D0F2DD0.MFC42(0007D000), ref: 10009AED
memset.MSVCRT ref: 10009B1B

Part of subcall function 10004D54: InternetOpenA.WININET(10009786,?,?,?,?), ref: 10004D6B

___crtGetTimeFormatEx.LIBCMTD ref: 10009B7E
GetLastError.KERNEL32 ref: 10009BA1

Strings

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)), xrefs: 10009B35
title, xrefs: 10009D7E
http://%s.qzone.qq.com/main, xrefs: 10009AD3

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$ErrorFormatInternetLastOpenTime___crtwsprintf
String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C))$http://%s.qzone.qq.com/main$title
API String ID: 1425117833-1009673476
Opcode ID: e149ed017f7280a21862f8f6364ab543faf9dffd0d7bf729b1b6cbbee908609f
Instruction ID: 75add62b751d2a89d33563ab18894b4b61e0b6b77b5213ad1a6e48b09e06675d
Opcode Fuzzy Hash: e149ed017f7280a21862f8f6364ab543faf9dffd0d7bf729b1b6cbbee908609f
Instruction Fuzzy Hash: 6DE106B4D04268EFEB24CB64CC85BEEB7B4EB59300F1041D9E609A7280DB716E85CF91

Function 1000D49E Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000D4E0

Strings

.txt, xrefs: 1000D689

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID: .txt
API String ID: 39653677-2195685702
Opcode ID: c50e63abc1ed21ce169ad536dfc37e2def676ba547544a4074c9d87b2f1db99d
Instruction ID: da2023ba958a437e8159f0edfaac4ee8086fbd0d10ec377c4abfad880adb4c2a
Opcode Fuzzy Hash: c50e63abc1ed21ce169ad536dfc37e2def676ba547544a4074c9d87b2f1db99d
Instruction Fuzzy Hash: AD71B3B5C04218EBDB25EFA0DC85BEEB7B8FB18341F408599F91996144E735AB84CF60

Function 10007DDE Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 104stringCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00000004,?,?,?,?,?,?,?,?,?,?,?,?,1002AF1C,1000850C,?), ref: 10007E36
6D0F2DD0.MFC42(00000000), ref: 10007E5A
6D0F2DD0.MFC42(00000000), ref: 10007E8B
strrchr.MSVCRT ref: 10007EA5
strncpy.MSVCRT ref: 10007EBF
strncpy.MSVCRT ref: 10007ED3
GetSystemInfo.KERNEL32(1002AEEC), ref: 10007EE0
GetCurrentProcess.KERNEL32(00000020,XGhvc3RzLmljcw==), ref: 10007EFE
OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,1002AEE4), ref: 10007F16
AdjustTokenPrivileges.ADVAPI32(76684758,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
CloseHandle.KERNEL32(76684758), ref: 10007F50
strlen.MSVCRT ref: 10007F5B
sscanf.MSVCRT ref: 10007F7C

Strings

XGhvc3RzLmljcw==, xrefs: 10007EFB
C:\Users\user\Desktop, xrefs: 10007EA0
%[^, xrefs: 10007F72
etc\hosts, xrefs: 10007F56, 10007F77
SeDebugPrivilege, xrefs: 10007F0F

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
String ID: %[^$C:\Users\user\Desktop$SeDebugPrivilege$XGhvc3RzLmljcw==$etc\hosts
API String ID: 285331769-1673778235
Opcode ID: 2fff5777e20f646234241b5f3f7695fbcec7cec39405f99ff43c35e461406646
Instruction ID: 328226fcebd27085c81d03e9fdf447683c520cb5a300c2c2c943bb7813867aca
Opcode Fuzzy Hash: 2fff5777e20f646234241b5f3f7695fbcec7cec39405f99ff43c35e461406646
Instruction Fuzzy Hash: ED4118B5900628AFE704DFD4DDC9F9A7BB4FB48304F244119EA04A7290E7B5B586CF91

Function 10008C6A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 105COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 10008CA2
GetVersionExA.KERNEL32(0000009C), ref: 10008CBB
_mbscpy.MSVCRT(00000000,1002A5F8), ref: 10008CDD
_mbscpy.MSVCRT(00000000,2000), ref: 10008D0A
_mbscpy.MSVCRT(00000000,1002A604), ref: 10008D37
_mbscpy.MSVCRT(00000000,2003), ref: 10008D64
_mbscpy.MSVCRT(00000000,Vista), ref: 10008D91
_mbscpy.MSVCRT(00000000,2008), ref: 10008DBE
_mbscpy.MSVCRT(00000000,1002A620), ref: 10008DEB
sprintf.MSVCRT ref: 10008E0F

Strings

2000, xrefs: 10008CFE
2008, xrefs: 10008DB2
Win %s SP%d, xrefs: 10008E06
2003, xrefs: 10008D58
Vista, xrefs: 10008D85

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscpy$Versionmemsetsprintf
String ID: 2000$2003$2008$Vista$Win %s SP%d
API String ID: 3885147864-2264339393
Opcode ID: b0dda3c9e9704149881d6b70f2d4795d212c9c5038a049737117f2f39d285b42
Instruction ID: 77eacedbfa7f7fe8781faf61d33db6b13d9c70aa213e0c00e07d5b6916aea476
Opcode Fuzzy Hash: b0dda3c9e9704149881d6b70f2d4795d212c9c5038a049737117f2f39d285b42
Instruction Fuzzy Hash: 5F414CB5C00259EBEF24CB50EC4ABCDB7B4FB25345F4085EAE28862185DB755BC88F91

Function 1000EBE4 Relevance: 22.7, APIs: 15, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000EC22

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 977d6aa2a66cf02e5eb0b43c96ef48471811bab0f4bc719f0e4928a6bb009116
Instruction ID: 926a6b6b4829fdad5a48eee5d06f223062afaab11e92024be4e075249e096e26
Opcode Fuzzy Hash: 977d6aa2a66cf02e5eb0b43c96ef48471811bab0f4bc719f0e4928a6bb009116
Instruction Fuzzy Hash: B5619EB2C00298ABEB24CFA0DC85BEEB7B8FB04341F108599F519A2154D7359F84CFA0

Function 1000D3D5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000D3E9
Process32First.KERNEL32(00000000,00000128), ref: 1000D410
lstrcmpiA.KERNEL32(?,ASDsvc.exe), ref: 1000D42A
lstrcmpiA.KERNEL32(?,V3Lite.exe), ref: 1000D440
DebugActiveProcess.KERNEL32(?), ref: 1000D451
GetLastError.KERNEL32 ref: 1000D45B
Process32Next.KERNEL32(00000000,00000128), ref: 1000D486
CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 1000D494

Strings

V3Lite.exe, xrefs: 1000D434
Name:%s,Err:%d, xrefs: 1000D469
c:\11.txt, xrefs: 1000D46E
ASDsvc.exe, xrefs: 1000D41E

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32lstrcmpi$ActiveCloseCreateDebugErrorFirstHandleLastNextProcessSnapshotToolhelp32
String ID: ASDsvc.exe$Name:%s,Err:%d$V3Lite.exe$c:\11.txt
API String ID: 608465442-3371721576
Opcode ID: 35caabe66487620923f73dc6bcef029880f2a6989d30a686548ce9d832097881
Instruction ID: a3de1c484c0ff0f41d4c4eb311ab122c9ab8193aeb8075ee7d44cccd805fc309
Opcode Fuzzy Hash: 35caabe66487620923f73dc6bcef029880f2a6989d30a686548ce9d832097881
Instruction Fuzzy Hash: 30113D75D00218BBEB10EFA1CC85BDEB7B8EB48344F908999E215A2145D774AA85CF61

Function 10018642 Relevance: 19.9, APIs: 7, Strings: 4, Instructions: 609COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C), ref: 100186C5

Strings

/../, xrefs: 1001897E
\..\, xrefs: 1001891F
/..\, xrefs: 100189AF
\../, xrefs: 1001894D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 3dad6deeb35b9512ad86aa586e053f4f2c84309cc86d77fe66782fc5dea46d69
Instruction ID: 9a1aa32fb16f76f9e15c91fcc0f4f4f6e0de75efd59efe9036ad9dbbfd9191c7
Opcode Fuzzy Hash: 3dad6deeb35b9512ad86aa586e053f4f2c84309cc86d77fe66782fc5dea46d69
Instruction Fuzzy Hash: 84521C74E042199FDB29CF68C895BDDB7B1FF49304F2481A9E959AB342D731AA81CF40

Function 1000AAC4 Relevance: 16.6, APIs: 11, Instructions: 78servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 1000AAD3
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 1000AAF3
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000AB1E
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1000AB2C
GetLastError.KERNEL32 ref: 1000AB36
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB4C
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB56
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1000AB6B
Sleep.KERNEL32(00000064), ref: 1000AB7D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB8D
CloseServiceHandle.ADVAPI32(00000000), ref: 1000AB97

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigErrorLastManagerQuerySleepStartStatus
String ID:
API String ID: 3874167810-0
Opcode ID: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction ID: f423053ba5e51ed5b3dfd7871e9b23df293113642488d2f777d942f78633b468
Opcode Fuzzy Hash: bba6f238baaf9cca25ab09d3ce2342ec4a8b6771aa0e50b5acd3a6fe71a3f31a
Instruction Fuzzy Hash: 56214A78A00218FBFB10DBE4CCC8F9D77BAEB09761F200345EA05A6186C7749A81DB24

Function 10006DB7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,?,?), ref: 10006DFE
_mbscat.MSVCRT ref: 10006E12
FindFirstFileA.KERNEL32(00000000,?,?,?,?,?), ref: 10006E28
wsprintfA.USER32 ref: 10006E79
strlen.MSVCRT ref: 10006E86
FindNextFileA.KERNEL32(000000FF,?), ref: 10006F72
FindClose.KERNEL32(000000FF,?,?,?,?), ref: 10006F87

Strings

\*.*, xrefs: 10006E06
%s\%s, xrefs: 10006E6D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNext_mbscat_mbscpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 1837839071-3247893053
Opcode ID: e5535df46834fc9ddb26b1ccfc2d17500088a23ab9259e3a8e010982974df7e8
Instruction ID: 2440652bd15ff8e6eaa9a308958dcc277bfe13f4e468759e469709181464b455
Opcode Fuzzy Hash: e5535df46834fc9ddb26b1ccfc2d17500088a23ab9259e3a8e010982974df7e8
Instruction Fuzzy Hash: 9E51AAF6900258ABDB14CB94DC84BEE73B9EB58301F1045E9F609A7245DB35AB88CF54

Function 100069DD Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,?), ref: 10006A24
_mbscat.MSVCRT ref: 10006A38
FindFirstFileA.KERNEL32(00000000,?), ref: 10006A4E
wsprintfA.USER32 ref: 10006A9F
strlen.MSVCRT ref: 10006AAC
FindNextFileA.KERNEL32(000000FF,?), ref: 10006B2B
FindClose.KERNEL32(000000FF), ref: 10006B40

Strings

%s\%s, xrefs: 10006A93
\*.*, xrefs: 10006A2C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Find$File$CloseFirstNext_mbscat_mbscpystrlenwsprintf
String ID: %s\%s$\*.*
API String ID: 1837839071-3247893053
Opcode ID: c99d676474442853c0752dee0b8013e09eef1df9e24bfb4125041fcdc24b46ce
Instruction ID: b1425089a467f23f8ccf7f8da9b04ec626d8d48fdd8cc5af3b7584fd2f615a50
Opcode Fuzzy Hash: c99d676474442853c0752dee0b8013e09eef1df9e24bfb4125041fcdc24b46ce
Instruction Fuzzy Hash: 0A41A9F6900118ABDB14CB94DC80BDE77B9EB58301F2485E9F60997245EB35AB88CF50

Function 1000C295 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C2A3
memset.MSVCRT ref: 1000C2DF

Strings

Applications\iexplore.exe\shell\open\command, xrefs: 1000C2B6
wINsTA0\dEFauLT, xrefs: 1000C401
D, xrefs: 1000C3AD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memsetstrlen
String ID: Applications\iexplore.exe\shell\open\command$D$wINsTA0\dEFauLT
API String ID: 841943882-2639649127
Opcode ID: 4186b62925d03489557c7d6a744d14cb4d6aa589fb54ac11490702c3d445cf32
Instruction ID: 9d13b316d50dd73b30fc64fb160f47868d1605c9bd796a93d971f2c642a19c96
Opcode Fuzzy Hash: 4186b62925d03489557c7d6a744d14cb4d6aa589fb54ac11490702c3d445cf32
Instruction Fuzzy Hash: 54415DB190025CABEB50CF50CC56BEB73B8EB45341F404588E60967281EBB66B89CF91

Function 10005F3C Relevance: 10.6, APIs: 7, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00008000), ref: 10005F4F
RtlAllocateHeap.NTDLL(00000000), ref: 10005F56
NtQuerySystemInformation.NTDLL(?,00000000,00008000,?), ref: 10005F79
GetProcessHeap.KERNEL32(00000000,00000000), ref: 10005F91
HeapFree.KERNEL32(00000000), ref: 10005F98

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Heap$Process$AllocateFreeInformationQuerySystem
String ID:
API String ID: 4073547687-0
Opcode ID: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction ID: 6c64949c2fda0a623aee8140e43d1c032e6d4005dbe1664f83852c3263ea8444
Opcode Fuzzy Hash: fa421480c3af7bdd40bca1bda39b4b7a12526123a1df123442dafb43f0f1f4f4
Instruction Fuzzy Hash: 6B110675D04219FFEB00DBE4C948BAEB7B8FB58342F108968EA1693250D7799A81CB50

Function 1001F343 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,?,?,?,?,?,1001FCA6), ref: 1001F3BB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 1001F40D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction ID: 48a290c9093e3f11dd492f44913f2ca40d6bf3ce9a607d2c265816181fa2b1c7
Opcode Fuzzy Hash: e07356c233d6851d149ce4e661d1cff096aa953cb373bb7e24827da135e15657
Instruction Fuzzy Hash: 4E5194759002099FDB14CFA8C494BDEBBB5BB48304F24C259E825AB391D775E945CFA0

Function 1001C850 Relevance: 5.3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

no future, xrefs: 1001C93E
wild scan, xrefs: 1001CB1E
Code too clever, xrefs: 1001C8B4
insufficient lookahead, xrefs: 1001C911

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: Code too clever$insufficient lookahead$no future$wild scan
API String ID: 0-1205821253
Opcode ID: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
Instruction ID: 833f2951eaadcd835606261b93df60c7d4ef739d43d3d893d275862163d02827
Opcode Fuzzy Hash: ffffd7e7bf95b8e76426c5e24294c4b2245091a4e2ce0604e5eb86e537bcc20b
Instruction Fuzzy Hash: F7D10B74E0414A9FCB08CFA8C8949EEBBF2FF89348F1481A8D459AB345D735AA41CF44

Function 100150F3 Relevance: 3.2, Strings: 2, Instructions: 654COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 1001572A
invalid distance code, xrefs: 1001554C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: 0aa14effd66f56fb2ad68d8c3f3fafcd2c43e0f32716675206f0a69f01099257
Instruction ID: 088faa1eed008bce60876dcdc8d515551ea8ecd5600a09dd07154e6a01506fcf
Opcode Fuzzy Hash: 0aa14effd66f56fb2ad68d8c3f3fafcd2c43e0f32716675206f0a69f01099257
Instruction Fuzzy Hash: 60628F74E0520ADFCB08CF98C5909EEBBB2FF88314F248259D815AB355D735AA91CF94

Function 100122E4 Relevance: 3.1, Strings: 2, Instructions: 583COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 100128F2
invalid literal/length code, xrefs: 10012626

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: 11cb14a5374e910596fc5b570488d4db04790213d4fb0f1236439e73328b1b47
Instruction ID: 343714719a1f4e9367ad39c9344e86e2aeab645b661284dda1b7cf89b2300665
Opcode Fuzzy Hash: 11cb14a5374e910596fc5b570488d4db04790213d4fb0f1236439e73328b1b47
Instruction Fuzzy Hash: 815254B8A04209DFCB08CF98C59099DBBB2FF8C314B25C599E819AB355D731EA51CF94

Function 1001DD4D Relevance: 1.8, Strings: 1, Instructions: 584COMMON

Download Yara Rule

Strings

K, xrefs: 1001DD67

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction ID: be64ce4ea56ae2ff729ee4095f2c16fd9afa4c64b7be4d3cfcffd6d849276ff5
Opcode Fuzzy Hash: e160860a9c31c979cddc7bdd37b2469b471d78a0edf540840504c3446d2c6856
Instruction Fuzzy Hash: FD325C71A00249AFCB04CF98DC95EEE7B75FF88300F088568F9199F281D675DA68CB95

Function 1001D748 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

K, xrefs: 1001D762

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction ID: 13cd30b145176b83a50ea1d93efe1898842d2fb191c5ff5e9592714297f69bd4
Opcode Fuzzy Hash: 60322184bcf97f6a5dae0dfbd655d74d096ba38bd0de92ec6cc2b50ddee89e82
Instruction Fuzzy Hash: 16F15B71A00249AFCB04CF98DC95EEE7B75EF88300F08C568F9199F281D675DA64CBA5

Function 10004804 Relevance: 1.5, APIs: 1, Instructions: 27processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004833

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction ID: dada26caca61fb62188d8dac9e18892904bbd52ffffd674216947e8ac7d19412
Opcode Fuzzy Hash: 464e50e2d407f37a84752b830f16678c1962b88c0ca6ae523cfa77ff76a35d66
Instruction Fuzzy Hash: 3FF048B2214109AF8B48CF8DDC90DEB77EEBB8C614B158208FA1DD3250D630E851CBA4

Function 10004925 Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 10004954

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateInitialize
String ID:
API String ID: 220217950-0
Opcode ID: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction ID: 90eb217eefec1c1fdc0b769d8b89dca4f8ae21869411f64d3a2a456763029fa7
Opcode Fuzzy Hash: d31b13ff96311ba46a1ad24a26c0386d19bfbef413bea620b12cb242059160d1
Instruction Fuzzy Hash: 72F04EB2214149AF8B48CF9DDC90DEB77EDAF8C614B159248FA1DD3250D630E851CBA4

Function 10005FD3 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 10005FFD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction ID: 577e262fd81ac71086ec76a3c5116955c632cb2abf2027a79d8cb05fcdf68b55
Opcode Fuzzy Hash: bec12c634777ad1a6b1182b89682b362db1a5c5fd4b7de0c20d7e62ffdaf3036
Instruction Fuzzy Hash: F0E01A75A00208BFDB04DF98C881EAFB7B8EB98300F008659FA159B344D670AA10CBD4

Function 100114B0 Relevance: 1.5, APIs: 1, Instructions: 17comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00000000,10024578,1000FC00,1002B6A0,00000017), ref: 100114CC

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7772389fc6f766d0a30d4ac0d8d1c9d8a4f5184d327a06e7fe100f837938a5ac
Instruction ID: b63ec98ceaf2e436dc9e91b5981eb5a547416335e9ba9d76a1a5ab58316722bb
Opcode Fuzzy Hash: 7772389fc6f766d0a30d4ac0d8d1c9d8a4f5184d327a06e7fe100f837938a5ac
Instruction Fuzzy Hash: 7BD067B651410CBB8B04CFC9ED44CABB7ACEB4C310B50814DBA0897200D635AA109BA5

Function 10004E1F Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

mouse_event.USER32(?,?,?,?,?), ref: 10004E36

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction ID: cd64bc9c04189baa85cc60a7def0010568bcfbf044096a859e3bd7374a512153
Opcode Fuzzy Hash: 576c41984f83ec839c8e702e36c6be6a39c5f14811bf847dc41e27320c36a33b
Instruction Fuzzy Hash: 0DD092B221020DAF8B04CF88D884CDB37ADAB8C610B008108BA0DC3200C630E8518BA5

Function 10004E04 Relevance: 1.5, APIs: 1, Instructions: 13keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32(?,?,?,?), ref: 10004E17

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction ID: f831d9c8cafff6064600b4124d045f46117a7ffc6ffe7c2727ae22ba67f01528
Opcode Fuzzy Hash: 617cf7db5e6915c2b0c508f8c4f4d4cff8d0390f3248ef858c4897d067470bbb
Instruction Fuzzy Hash: 93D0127600428D7BCF00CFD89C54CEB7BAC5A4C600B048044FA5CC7201C531E410C771

Function 10005238 Relevance: 1.5, APIs: 1, Instructions: 9shutdownCOMMON

Download Yara Rule

APIs

ExitWindowsEx.USER32(?,?), ref: 10005243

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction ID: 9a2dd19b8ecf135439890cac36e4a679dfc02a0ed1c5e43b286b51b805b47a2f
Opcode Fuzzy Hash: 64bf6e278748b00d013a4a32cba81ad4439a5278214464d1529addb699a4a940
Instruction Fuzzy Hash: 52B0927611030CABCB04DFD8DC88CAA37ACAB8CA10B108004FA0D87240CA31F9408BA0

Function 100057EC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(?,?), ref: 100057F7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction ID: 3f99846e5fc03f1cd515f911f6ea334dcbd29f04822414012a5ac230d652ecea
Opcode Fuzzy Hash: 70eb22c1a6d00f12bff02f03e2fe177aff5227be570b8c2aa0d73f05c82624e2
Instruction Fuzzy Hash: A9B0927611030CABCB04DFD9DC84C9A37ECAB8CA10B108004FA0D87200CA31F9008BA0

Function 100058AC Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 100058B7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction ID: 1268fd6e3a6fee96902ddf7f8e53f7d66be35c16e869bb3695433d0dc63322dc
Opcode Fuzzy Hash: 5eca5d366489734a7a21f4d98dc6090169ca2d963cdcb69d61f098a501044c64
Instruction Fuzzy Hash: 9EB0927611020CABCB18DFDCD884C9A37ECAB8C610B008104FA0D87200CA31F9008BA0

Function 10005BDF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ClearEventLogA.ADVAPI32(?,?), ref: 10005BEA

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClearEvent
String ID:
API String ID: 3812438431-0
Opcode ID: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction ID: 7434daefe77f6d47902705726ab8f34eda02ab0099602c090bfecb55a22fb0ef
Opcode Fuzzy Hash: f203eab47a70755c18356ac29cbe419ab6d8e40207529b9c0f8b96ed8d86fdbd
Instruction Fuzzy Hash: B2B092B611420CABCB04DFD8D894C9A37ACFB4C614B008005FA0D87200CB31F9008BA0

Function 10004E8E Relevance: 1.5, APIs: 1, Instructions: 9clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 10004E99

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction ID: 00ad4f47f5e7d0ee9b57b808d9b7f0335e52eb5749179ceb83dcd797ee5f95d7
Opcode Fuzzy Hash: 4c2d815dfbc7fdf501c1777dd6ba7af959ca3632ae183eae8b59a95046527fde
Instruction Fuzzy Hash: DFB092B612160CABEB04DFE8D888C9AB7ACAB4C610B008004FA1D87201CA32F940CBA0

Function 10005000 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

LockResource.KERNEL32(?), ref: 10005007

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LockResource
String ID:
API String ID: 1236514755-0
Opcode ID: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction ID: 29e56bc91a9f9482983e27dc0ed5834eb45bd4535224dddbaac4bf5a93215658
Opcode Fuzzy Hash: 3e749300ccbe693ec0575a7745bab84133156a24157107f0119aad3db2aee462
Instruction Fuzzy Hash: EBB0123100030C97CA009BD8DC4CC95379C96089007100000F50C83500C634F4004690

Function 100052CF Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 100052D6

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction ID: 7efb55d811d09cfa6076e2c53c0765dc55be4d0596901329b8c6f4113f5758ef
Opcode Fuzzy Hash: 85cc18af20efb0ed10210da83868dc610a483086dbafa3db3a232c30decd0897
Instruction Fuzzy Hash: 75B0123140030C9BCB006BD8D848C8537DCA6085007404000F50C83500CB30F40046D4

Function 1000558A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 10005591

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction ID: 3446f4351d0fb0315f265c1257496f9b218a963c1e1e8a386bbfb0b0138b3b89
Opcode Fuzzy Hash: 843600b42da012a431e407c697183c3c11a9610a4af2eca6a13b9f1dd00dca83
Instruction Fuzzy Hash: EEB0123100030C97DA005BD8D848C8577DC96086047008001F60CC3101CA30F8014690

Function 10004788 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(?), ref: 1000478F

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction ID: 941f2af9b74db5ebe652a3bc5d90ee6d32c6752af74bb884e1b1cde712639612
Opcode Fuzzy Hash: e94d98daf5c05d8a006fec42e0e7a589988ec3f17d50f2351a5b76225d7a0502
Instruction Fuzzy Hash: 80B0123100030C97CF005FE8D84CC85379CA6085007100500F50C83100C630F40046D0

Function 100059A0 Relevance: 1.5, APIs: 1, Instructions: 7serviceCOMMON

Download Yara Rule

APIs

DeleteService.ADVAPI32(?), ref: 100059A7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DeleteService
String ID:
API String ID: 700001626-0
Opcode ID: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction ID: f211721f13ae4b958aaaf00c1e1ea3e1c88187a953ac96f05739ed6fd255fc66
Opcode Fuzzy Hash: 3d1a12d7d29f744cd41fffeb751ef00794b376a3712858219c07fbdac142c431
Instruction Fuzzy Hash: 37B0123100030C97CA005BD8D848C8537DC96485407048010F50C83100CA70F40146A1

Function 10004DF5 Relevance: 1.5, APIs: 1, Instructions: 7keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(?), ref: 10004DFC

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction ID: 3baf6831cd208484881523ebff87dae9b7360ad4edd65dec015b26fc2e4f2711
Opcode Fuzzy Hash: 00cc6d4a9d0643ef7b8e941bdf85a557af0a23005d1557f7ee21463ffd2efe28
Instruction Fuzzy Hash: 86B0127100030CA7CB009BD8E84CC85379CB6086047000001F50C83100C730F84046D0

Function 10004F4C Relevance: 1.5, APIs: 1, Instructions: 7clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(?), ref: 10004F53

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction ID: 954e834f1d5633d9c78c7ea24322f83793bd12d053b1b78d752a87b4747b0001
Opcode Fuzzy Hash: b72f90eb1e5c541c96a580534554b9dc2edb15d1cadf9cf10a60f21ae801f786
Instruction Fuzzy Hash: 06B0123100030C97CB00DBD8D849C85379CA608544B040400F50D93500C670F40046D1

Function 1001DB5D Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

K, xrefs: 1001DB77

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction ID: 4821ffda97bad3917eb01a0464c429c8a6cf820fb574935c82d8a63edae2efce
Opcode Fuzzy Hash: 6339895d50acc4890fc2c4bdddf8fcb6dcb411804bfb3ba019924f03f03669d5
Instruction Fuzzy Hash: 25715D31900249AFDB04CF98DC95FEE7B75FF88300F088568FA199B281D675D668CBA5

Function 1001BD60 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

bad d_code, xrefs: 1001BED4

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: bad d_code
API String ID: 0-2582332627
Opcode ID: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
Instruction ID: 2f6b2f45191638f2ae3ba07ee8899200e8ad8888839ee98c0dc0e920f83f02b8
Opcode Fuzzy Hash: 6a06471223b183ab37e18c2c26a020a3e59d19169f923bc6492eff2353404475
Instruction Fuzzy Hash: 9B71CE75E00549DBCB04CF99C895AEEBBB2FF8C304F148168E909AB345D735AA91CB94

Function 10015B40 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction ID: 34f3d6fbe751ec779d85210cdb32b2997779c4aff4a46c926cb419fb41892b26
Opcode Fuzzy Hash: 1b37a6b853c95436d675f261aeeac245198a5dd211321d123e97305fd4e0af68
Instruction Fuzzy Hash: 06A15F74E05148EFCB08CF99C590A9DFBF2EF88304F28C1A9E859AB355D631AB51DB44

Function 1001E5EC Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction ID: 9283f13a6b71ff4d28867ba0371fcc3830cb864e567d112fffee3ea95ca30d3f
Opcode Fuzzy Hash: 6f6452a062c8f2a265baee484629dbee4564c7528d2c0588ec2e65be6e36cc06
Instruction Fuzzy Hash: 8261F230614549ABDB08CF2DC8916A97BE2EF8D358F55C128E829CF250D739EA91CF80

Function 10015883 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction ID: 3e186bd40632953d342a1ca4b5c669cc8258e70e124af2b7e38ac243e047a4b5
Opcode Fuzzy Hash: f0f08fe30d273b37c940692163cb30ccdee1c039196807b4ec46aa2ae06ebd6c
Instruction Fuzzy Hash: 35610331610549AFDB08CF2DC891AA97BE2FF8D354F55C128E929CF350D639EA81CB40

Function 1001A67B Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction ID: b646244c15df26bb11706b77c13e2002d061b3e9df5792a36ac078930f46edd7
Opcode Fuzzy Hash: f74d87246cf27b264b773900421c286abf8d9b10f68190272cf576a4a94c4489
Instruction Fuzzy Hash: FB51EF38A04149ABCB15CF58C4908EDB7F2FF8C354F25C199E9599B345C630AA92CB80

Function 1000DDEE Relevance: 52.9, APIs: 18, Strings: 12, Instructions: 399COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000DE30
memset.MSVCRT ref: 1000DE46
memset.MSVCRT ref: 1000DE5C

Part of subcall function 10005B51: RegOpenKeyExA.KERNEL32(000F003F,00000000,10010261,80000000,1000682F,?,1000682F,80000000,10010261,00000000,000F003F,?,?,?,10010261), ref: 10005B68

Strings

REG_EXPAND_SZ, xrefs: 1000E28E
REG_BINARY, xrefs: 1000E320
JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E29A
JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==, xrefs: 1000E2D6
, xrefs: 1000E1BC
JS0yNHMgJS0xNXMgJXMgXHJcbg==, xrefs: 1000E265
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E301
REG_SZ, xrefs: 1000E259
JS0yNHMgJS0xNXMgXHJcbg==, xrefs: 1000E32C
REG_DWORD, xrefs: 1000E2CA
[%s], xrefs: 1000E138
REG_MULTI_SZ, xrefs: 1000E2F5

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$Open
String ID: $JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgJXMgXHJcbg==$JS0yNHMgJS0xNXMgMHgleCglZCkgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$JS0yNHMgJS0xNXMgXHJcbg==$REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 276825008-1418283934
Opcode ID: e69c9a474d398a8b05f591ddfb3d6d06423474bb97eaa632e0af6825814c9152
Instruction ID: 113f87ce97fe6d344733f2fe9a47c20ccde4d7fba6159d7e819c2bc1bb10b482
Opcode Fuzzy Hash: e69c9a474d398a8b05f591ddfb3d6d06423474bb97eaa632e0af6825814c9152
Instruction Fuzzy Hash: C5E153B6D002589BEB14DF90DC85FDE77B8EB48340F404199F609B6284E775AE988FA1

Function 1000793B Relevance: 47.6, APIs: 16, Strings: 11, Instructions: 308comCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 1000797B
CoInitializeEx.COMBASE(00000000,00000000), ref: 10007987
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
CoCreateInstance.COMBASE(100246B0,00000000,00000001,100245E0,00000000), ref: 100079BE

Part of subcall function 10010360: 6D0F2DD0.MFC42(0000000C), ref: 10010380

CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
wcscat.MSVCRT ref: 10007A97

Part of subcall function 100102D0: 6D0F2DD0.MFC42(0000000C,00000000,1002AF20), ref: 100102F0

VariantInit.OLEAUT32(1002AF10), ref: 10007BAD
VariantInit.OLEAUT32(c:\1.txt), ref: 10007BB7
VariantInit.OLEAUT32(1002A718), ref: 10007BC4
_mbscpy.MSVCRT(00000000,00000000,FADB9516), ref: 10007CA5
_strcmpi.MSVCRT ref: 10007CCB
_mbscpy.MSVCRT(00000000,00000000,00000000), ref: 10007D31
StrStrIA.SHLWAPI(100286FC,svchost.exe -k NetworkService), ref: 10007D57
VariantClear.OLEAUT32(1002AF10), ref: 10007D76
VariantClear.OLEAUT32(c:\1.txt), ref: 10007D80
CoUninitialize.COMBASE ref: 10007DC2

Strings

CommandLine, xrefs: 10007BFC
5r455f, xrefs: 1000795E
http, xrefs: 10007A96, 10007AAE
ProcessID, xrefs: 10007C20
svchost.exe, xrefs: 10007CBF
Name, xrefs: 10007BDB
WQL, xrefs: 10007ADF
SELECT * FROM , xrefs: 10007A6C
svchost.exe -k NetworkService, xrefs: 10007D4B
c:\1.txt, xrefs: 10007BB6, 10007BF9, 10007D7F
cheEntryInfoA, xrefs: 10007B7D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Variant$Init$ClearInitialize_mbscpy$BlanketCreateInstanceProxySecurityUninitialize_strcmpimemsetwcscat
String ID: 5r455f$CommandLine$Name$ProcessID$SELECT * FROM $WQL$c:\1.txt$cheEntryInfoA$http$svchost.exe$svchost.exe -k NetworkService
API String ID: 56062499-2074608166
Opcode ID: aaf45c52288c47e4c4ac5a154b3a7f6ce62af5da4cf99c67da78fd531393a822
Instruction ID: 189a79c95d12f2324ed77b7531e52b51722813dc0f720325a82f4d3d448fa42a
Opcode Fuzzy Hash: aaf45c52288c47e4c4ac5a154b3a7f6ce62af5da4cf99c67da78fd531393a822
Instruction Fuzzy Hash: D7D11879A01228ABDB24DB64CC89BDDB7F4FB48700F1081D9E119A7290DF75AB85CF90

Function 1000805F Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 215filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD
memcmp.MSVCRT(00000000,00000000,-00000002), ref: 1000834E

Strings

%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$File_mbscatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryProcessSleep_mbscpysrandstrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 3843169200-1917988604
Opcode ID: 1491cef888996cd526795351f172c59571ecb1c96255f6ff221f3e58b708ccc6
Instruction ID: 1fc89b949b869141e7d21f023f72e52535fd7918e05709aa5f44e13cd79eb387
Opcode Fuzzy Hash: 1491cef888996cd526795351f172c59571ecb1c96255f6ff221f3e58b708ccc6
Instruction Fuzzy Hash: 8B81A370900218FFEB14CBA8CC85FD9777AFB88304F1485A8E609A7255DB75AB85CF51

Function 100080A0 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 168filesleepinjectionCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(00000000,00000000,-00000001), ref: 100080CC
wsprintfA.USER32 ref: 1000810B

Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 1000817F
wsprintfA.USER32 ref: 1000819E
CreateDirectoryA.KERNEL32(?,00000000), ref: 100081B0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000009,00000000), ref: 100081E7
time.MSVCRT(00000000), ref: 10008208
srand.MSVCRT ref: 10008212
rand.MSVCRT ref: 1000821B
rand.MSVCRT ref: 1000822D
rand.MSVCRT ref: 1000823F
rand.MSVCRT ref: 10008251
rand.MSVCRT ref: 10008263
rand.MSVCRT ref: 10008275
wsprintfA.USER32 ref: 10008293
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 100082B2
CloseHandle.KERNEL32(?), ref: 100082C5
Sleep.KERNEL32(000003E8), ref: 100082D0
DeleteFileA.KERNEL32(?), ref: 100082DD

Strings

%s\%s, xrefs: 100080FF
c:\windows\system32\drivers\%s\%s, xrefs: 10008192
c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10008287
c:\windows\system32\drivers\%s, xrefs: 10008173

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$File_mbscatwsprintf$Create$CloseHandleWritestrchr$DeleteDirectoryMemoryProcessSleep_mbscpymemcmpsrandstrlentime
String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
API String ID: 2821110951-1917988604
Opcode ID: b3a0a7c7159a84962405ee64190d82e482e6a88e6c63d58b1461d50fb48282a3
Instruction ID: 9b1f3f05a2db119796ee803a315ca48c205a346098eddc4b2f03f44ea683e2e5
Opcode Fuzzy Hash: b3a0a7c7159a84962405ee64190d82e482e6a88e6c63d58b1461d50fb48282a3
Instruction Fuzzy Hash: 9C51C370900218BFEB14CBA4CC89FD9777AFB88305F1484A8F309A6291DF796B498F51

Function 1001983E Relevance: 36.2, APIs: 1, Strings: 23, Instructions: 154stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10019AC2

Strings

Couldn't create/open file, xrefs: 100199FD
Caller: faulty arguments, xrefs: 10019A54
Zip-bug: trying to seek the unseekable, xrefs: 10019A9C
Success, xrefs: 100199E5
Failed to allocate memory, xrefs: 10019A09
Caller: there was a previous error, xrefs: 10019A78
Caller: mixing creation and opening of zip, xrefs: 10019A8A
Error writing to file, xrefs: 10019A15
Error reading file, xrefs: 10019A42
Caller: can only get memory of a memory zipfile, xrefs: 10019A66
File not found in the zipfile, xrefs: 10019A21
Still more data to unzip, xrefs: 10019A2D
Caller: the file had already been partially unzipped, xrefs: 10019A5D
Caller: not enough space allocated for memory zipfile, xrefs: 10019A6F
Zip-bug: tried to change mind, but not allowed, xrefs: 10019AAE
Zip-bug: an internal error during flation, xrefs: 10019AB7
Zipfile is corrupt or not a zipfile, xrefs: 10019A39
Caller: additions to the zip have already been ended, xrefs: 10019A81
unknown zip result code, xrefs: 10019852
Correct password required, xrefs: 10019A4B
Zip-bug: internal initialisation not completed, xrefs: 10019A93
Zip-bug: the anticipated size turned out wrong, xrefs: 10019AA5
Culdn't duplicate handle, xrefs: 100199F1

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen
String ID: Caller: additions to the zip have already been ended$Caller: can only get memory of a memory zipfile$Caller: faulty arguments$Caller: mixing creation and opening of zip$Caller: not enough space allocated for memory zipfile$Caller: the file had already been partially unzipped$Caller: there was a previous error$Correct password required$Couldn't create/open file$Culdn't duplicate handle$Error reading file$Error writing to file$Failed to allocate memory$File not found in the zipfile$Still more data to unzip$Success$Zip-bug: an internal error during flation$Zip-bug: internal initialisation not completed$Zip-bug: the anticipated size turned out wrong$Zip-bug: tried to change mind, but not allowed$Zip-bug: trying to seek the unseekable$Zipfile is corrupt or not a zipfile$unknown zip result code
API String ID: 39653677-623105054
Opcode ID: 758aca4aa3c28b89c750bf8aad23f8a2e8376273e6f5f691afde7864671419ce
Instruction ID: a83791a1f2fbf65fc3504aa118a75d67dc6fc6344bb7a2db01cb83caf290f6f2
Opcode Fuzzy Hash: 758aca4aa3c28b89c750bf8aad23f8a2e8376273e6f5f691afde7864671419ce
Instruction Fuzzy Hash: 41617770D08659DBDB61CF84D4443EEBAB0FF00345FE0869A99262E254D7B5A6C8DBC3

Function 1002080E Relevance: 36.2, APIs: 2, Strings: 22, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10020A79
strncpy.MSVCRT ref: 10020ABB

Strings

Zip-bug: tried to change mind, but not allowed, xrefs: 10020A65
Couldn't create/open file, xrefs: 100209C0
Error writing to file, xrefs: 100209D8
File not found in the zipfile, xrefs: 100209E4
Zip-bug: internal initialisation not completed, xrefs: 10020A4A
Caller: additions to the zip have already been ended, xrefs: 10020A38
Zip-bug: the anticipated size turned out wrong, xrefs: 10020A5C
Caller: mixing creation and opening of zip, xrefs: 10020A41
Success, xrefs: 100209A8
Still more data to unzip, xrefs: 100209F0
Caller: not enough space allocated for memory zipfile, xrefs: 10020A26
Culdn't duplicate handle, xrefs: 100209B4
Failed to allocate memory, xrefs: 100209CC
Caller: faulty arguments, xrefs: 10020A0B
Caller: can only get memory of a memory zipfile, xrefs: 10020A1D
Caller: the file had already been partially unzipped, xrefs: 10020A14
Error reading file, xrefs: 10020A02
Zipfile is corrupt or not a zipfile, xrefs: 100209F9
Zip-bug: an internal error during flation, xrefs: 10020A6E
Caller: there was a previous error, xrefs: 10020A2F
Zip-bug: trying to seek the unseekable, xrefs: 10020A53
unknown zip result code, xrefs: 10020822

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlenstrncpy
String ID: Caller: additions to the zip have already been ended$Caller: can only get memory of a memory zipfile$Caller: faulty arguments$Caller: mixing creation and opening of zip$Caller: not enough space allocated for memory zipfile$Caller: the file had already been partially unzipped$Caller: there was a previous error$Couldn't create/open file$Culdn't duplicate handle$Error reading file$Error writing to file$Failed to allocate memory$File not found in the zipfile$Still more data to unzip$Success$Zip-bug: an internal error during flation$Zip-bug: internal initialisation not completed$Zip-bug: the anticipated size turned out wrong$Zip-bug: tried to change mind, but not allowed$Zip-bug: trying to seek the unseekable$Zipfile is corrupt or not a zipfile$unknown zip result code
API String ID: 3366577668-1255542691
Opcode ID: d8374c3ad5f4ebd14834886504741f0533b2edd860437b87c5c23429274d2f67
Instruction ID: ec3a13afa7cd80cc0a229431ce520e6303d2f69214dbb925724a83a4e5159c47
Opcode Fuzzy Hash: d8374c3ad5f4ebd14834886504741f0533b2edd860437b87c5c23429274d2f67
Instruction Fuzzy Hash: BE619B70D0435DEADF61CF90E4447AEB7B2FB04385FE0C65AA81226162C7F54A84DB83

Function 1000622A Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 71COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,cmd.exe), ref: 1000623D
GetCurrentProcessId.KERNEL32 ref: 1000625B

Part of subcall function 10005CE2: _mbscpy.MSVCRT(00000000,00000000), ref: 10005D1A
Part of subcall function 10005CE2: CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95

Strings

C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 100062A3
%s.%d, xrefs: 100062F5
C:\Windows\6C4DA6FB\svchsot.exe, xrefs: 10006291
cmd.exe, xrefs: 10006234
self, xrefs: 10006266
cmd.exe, xrefs: 10006247
C:\Windows\6C4DA6FB\svchsot.vir, xrefs: 1000629E

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateCurrentFileProcess_mbscpy
String ID: %s.%d$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.vir$cmd.exe$cmd.exe$self
API String ID: 121295410-3617494418
Opcode ID: 2cd0d02b9790060a8ae0d77817feb3be9d08b7b95a69bdfdf9f3c30ea61bf2ee
Instruction ID: 11dda13007a575690e2789da7b2ac66cc1117108efdf45987319c1011c6ab237
Opcode Fuzzy Hash: 2cd0d02b9790060a8ae0d77817feb3be9d08b7b95a69bdfdf9f3c30ea61bf2ee
Instruction Fuzzy Hash: 9F21D275900214FBFB00EFF4DC8AF9A3769EF1A351F208054FB0996180DF7296A58BA1

Function 1000EF29 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 189sleepstringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF71
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000EF83
_mbscat.MSVCRT ref: 1000EF9E
_mbscat.MSVCRT ref: 1000EFBB
6D0F2DD0.MFC42(00080000), ref: 1000EFDE
memset.MSVCRT ref: 1000F08F
Sleep.KERNEL32(000927C0), ref: 1000F0CC
strlen.MSVCRT ref: 1000F168
strcmp.MSVCRT ref: 1000F181
wsprintfA.USER32 ref: 1000F19E
Sleep.KERNEL32(000927C0), ref: 1000F1CF

Strings

XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000EF89
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000EFA6
http://107.163.56.240:18963/main.php, xrefs: 1000F069
8.8.8.8, xrefs: 1000F1A7
127.0.0.1, xrefs: 1000F1AC
cmd.exe /c ipconfig /flushdns, xrefs: 1000F1BD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectorySleepSystem_mbscat$memsetstrcmpstrlenwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$cmd.exe /c ipconfig /flushdns$http://107.163.56.240:18963/main.php
API String ID: 3822996416-3520984710
Opcode ID: 61fad219ac9db59ba165ff8e3539cb9f75e70931b41ec22a29f43a15eae7c439
Instruction ID: 1b7d056821bea9ffcc31071dd2aa98b9aaa464bf06ce50bac68d0a223335520a
Opcode Fuzzy Hash: 61fad219ac9db59ba165ff8e3539cb9f75e70931b41ec22a29f43a15eae7c439
Instruction Fuzzy Hash: 1571A1B5D04218ABEB60CB68DCC5BD9B3B5EB58340F1041E8E60CA7281DB75AF858F91

Function 10008FF9 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 134registrytimeCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10009030
___crtGetTimeFormatEx.LIBCMTD ref: 10009071

Part of subcall function 10005AF9: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 10005B14

Part of subcall function 10005ABC: RegCloseKey.KERNEL32(?), ref: 10005AC3

_mbscpy.MSVCRT(?,?), ref: 10009093
_mbscpy.MSVCRT(?,Find CPU Error), ref: 100090A6
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 100090DA
__aulldiv.LIBCMT ref: 100090F5
__aulldiv.LIBCMT ref: 10009103
_mbscpy.MSVCRT(?,11221450,?,?,00000400,00000000), ref: 1000914A
GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,00000400,00000000), ref: 10009152
_mbscpy.MSVCRT(?,00000000,?,?,?,?,?,?,00000400,00000000), ref: 100091B5

Strings

ProcessorNameString, xrefs: 10009065
http://107.163.56.240:18963/main.php, xrefs: 100091BF
Find CPU Error, xrefs: 1000909D
11221450, xrefs: 1000913C
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10009009
@, xrefs: 100090C9
%u MB, xrefs: 10009128

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscpy$__aulldiv$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
String ID: %u MB$11221450$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.240:18963/main.php
API String ID: 1484250483-2547790904
Opcode ID: c2c0c32ab576b11e6bd5d6c35985afb97b9d528d25e0feedbf34843814d19808
Instruction ID: cefe20e9956c0aeb191ec147d5f548dd9efc5a21e1516fd84fccf84d5fb5ed44
Opcode Fuzzy Hash: c2c0c32ab576b11e6bd5d6c35985afb97b9d528d25e0feedbf34843814d19808
Instruction Fuzzy Hash: B941D8F99012186BEB10DB54DC89FDA7379EF54340F4482A8F608A7285EB74AA84CB95

Function 10005CE2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 130stringfileCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,00000000), ref: 10005D1A
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005D32
strrchr.MSVCRT ref: 10005D41
CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 10005D95
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 10005DBC
time.MSVCRT(00000000), ref: 10005DC4
localtime.MSVCRT(?), ref: 10005DDA
strftime.MSVCRT ref: 10005DF2
vsprintf.MSVCRT ref: 10005E48
sprintf.MSVCRT ref: 10005E75
strlen.MSVCRT ref: 10005E8B
WriteFile.KERNEL32(?,?,00000000,00000000), ref: 10005EA2
CloseHandle.KERNEL32(?), ref: 10005EAF

Strings

%s%s, xrefs: 10005E69
log.txt, xrefs: 10005D68

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerWrite_mbscpylocaltimesprintfstrftimestrlenstrrchrtimevsprintf
String ID: %s%s$log.txt
API String ID: 4258924203-1489102009
Opcode ID: c49ee3aaf1ee1162d53095b1f85a859aca8ff1944970cf77330318e6a4c8fa1f
Instruction ID: 4248ec1d1ae275c58dfadc2bb918cf7de6159c9ba061f12476aacb7595d00ccb
Opcode Fuzzy Hash: c49ee3aaf1ee1162d53095b1f85a859aca8ff1944970cf77330318e6a4c8fa1f
Instruction Fuzzy Hash: 29519375D00268EBEB25CB94CC8DBDA7778EB68301F0045D5E709A6280DBB55AC9CF91

Function 100084F9 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 10007DDE: 6D0F2DD0.MFC42(00000004,?,?,?,?,?,?,?,?,?,?,?,?,1002AF1C,1000850C,?), ref: 10007E36
Part of subcall function 10007DDE: 6D0F2DD0.MFC42(00000000), ref: 10007E5A
Part of subcall function 10007DDE: 6D0F2DD0.MFC42(00000000), ref: 10007E8B
Part of subcall function 10007DDE: strrchr.MSVCRT ref: 10007EA5
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007EBF
Part of subcall function 10007DDE: strncpy.MSVCRT ref: 10007ED3
Part of subcall function 10007DDE: GetSystemInfo.KERNEL32(1002AEEC), ref: 10007EE0
Part of subcall function 10007DDE: GetCurrentProcess.KERNEL32(00000020,XGhvc3RzLmljcw==), ref: 10007EFE
Part of subcall function 10007DDE: OpenProcessToken.ADVAPI32(00000000), ref: 10007F05
Part of subcall function 10007DDE: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,1002AEE4), ref: 10007F16
Part of subcall function 10007DDE: AdjustTokenPrivileges.ADVAPI32(76684758,00000000,00000001,00000010,00000000,00000000), ref: 10007F46
Part of subcall function 10007DDE: CloseHandle.KERNEL32(76684758), ref: 10007F50
Part of subcall function 10007DDE: strlen.MSVCRT ref: 10007F5B
Part of subcall function 10007DDE: sscanf.MSVCRT ref: 10007F7C

wsprintfA.USER32 ref: 1000853B

Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

wsprintfA.USER32 ref: 100085AF
wsprintfA.USER32 ref: 100085CE
CreateDirectoryA.KERNEL32(%s|%s,00000000), ref: 100085E0

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6

Part of subcall function 1000793B: memset.MSVCRT ref: 1000797B
Part of subcall function 1000793B: CoInitializeEx.COMBASE(00000000,00000000), ref: 10007987
Part of subcall function 1000793B: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000799F
Part of subcall function 1000793B: CoCreateInstance.COMBASE(100246B0,00000000,00000001,100245E0,00000000), ref: 100079BE
Part of subcall function 1000793B: CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10007A54
Part of subcall function 1000793B: wcscat.MSVCRT ref: 10007A97

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000863A

Strings

ROOT\CIMv2, xrefs: 1000860B
%s|%s, xrefs: 100085DF
c:\windows\system32\drivers\%s, xrefs: 100085A3
Win32_process, xrefs: 10008606
c:\windows\system32\drivers\%s\%s, xrefs: 100085C2
65r455f, xrefs: 100085CD, 100085EC
ZU11dGV4, xrefs: 100085F3
%s\%s, xrefs: 1000852F

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscat$CreateProcesswsprintf$CloseFileHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryInfoInstanceLookupPrivilegePrivilegesProxySecuritySystemValueWrite_mbscpymemsetsscanfstrrchrwcscat
String ID: %s\%s$%s|%s$65r455f$ROOT\CIMv2$Win32_process$ZU11dGV4$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 2046235666-808396485
Opcode ID: b96300de3a959b6f6867844c2c09bc134bfcc2d97d8e8c2f8824ba90d23407a5
Instruction ID: 0c0eef8aac9374081f6669d655c3be3116369b3939affcc587e91564fd5685db
Opcode Fuzzy Hash: b96300de3a959b6f6867844c2c09bc134bfcc2d97d8e8c2f8824ba90d23407a5
Instruction Fuzzy Hash: 6F41B771900A6CAFEB20CBA8CC89FDA77B5FB84304F1005E4E609B6245DB766BD58F45

Function 1000A948 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 104registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 1000A9C6
_CxxThrowException.MSVCRT(?,10024C88), ref: 1000A9EB
RegQueryValueExA.ADVAPI32(00000000,DLLPath,00000000,00000002,00000000,00000080), ref: 1000AA0A
_CxxThrowException.MSVCRT(1002E0FC,10024C88), ref: 1000AA2F
StrStrIA.SHLWAPI(00000000,mp3), ref: 1000AA40
lstrlen.KERNEL32(?,00000000), ref: 1000AA50
RegCloseKey.ADVAPI32(00000000), ref: 1000AAAD

Strings

DLLPath, xrefs: 1000AA5D
sc config RemoteAccess start= auto, xrefs: 1000AA82
net start RemoteAccess, xrefs: 1000AA8F
mp3, xrefs: 1000AA34
sc stop RemoteAccess, xrefs: 1000AA75
DLLPath, xrefs: 1000AA01
U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==, xrefs: 1000A982

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$CloseOpenQueryValuelstrlen
String ID: DLLPath$DLLPath$U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==$mp3$net start RemoteAccess$sc config RemoteAccess start= auto$sc stop RemoteAccess
API String ID: 1704467221-3685978068
Opcode ID: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
Instruction ID: 43c9b28ce93485f090b6302de8d1e2f99a1725c96703827c3c982aa9faeb6eb3
Opcode Fuzzy Hash: ad9174915639a06eaf530e16f97f94d3facbc0bd19862eabbce3580c61a70436
Instruction Fuzzy Hash: BA418FB5900218BFEB10DFD4DD89FEEBB78EB49740F504158F205B6281DB785A85CBA1

Function 10009337 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(urlmon.dll), ref: 10009348
LoadLibraryA.KERNEL32(wininet.dll), ref: 10009359
GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 10009391
GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 100093A6
6D0F2DD0.MFC42(00000050), ref: 100093B4
_mbscat.MSVCRT ref: 1000941F
_mbscat.MSVCRT ref: 10009435
_mbscat.MSVCRT ref: 10009449
memset.MSVCRT ref: 10009459

Strings

urlmon.dll, xrefs: 10009343
wininet.dll, xrefs: 10009354
GetUrlCacheEntryInfoA, xrefs: 1000939D
WinSta0\Default, xrefs: 10009461
URLDownloadToCacheFileA, xrefs: 10009385

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscat$AddressLibraryLoadProc$memset
String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
API String ID: 2031231167-1569318151
Opcode ID: 742c53e42c08f1ba670bbd8947db793b9e5c58679491c2c55f7f7490216694c4
Instruction ID: 81b372d6bc21d2fef04a9a1ddd25012b240df206b743b4629fc927ee19ea9d3e
Opcode Fuzzy Hash: 742c53e42c08f1ba670bbd8947db793b9e5c58679491c2c55f7f7490216694c4
Instruction Fuzzy Hash: 2031C7B5D042586FEB10CBA0DC85FEFBB74EB18701F5004A5F709A6280DB756A84CF55

Function 1000EE6E Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 1000EE78
_strcmpi.MSVCRT ref: 1000EE97
_strcmpi.MSVCRT ref: 1000EEAD
_strcmpi.MSVCRT ref: 1000EEC3
_strcmpi.MSVCRT ref: 1000EED9
strstr.MSVCRT ref: 1000EEEF
strstr.MSVCRT ref: 1000EF05

Strings

AYLaunch.exe, xrefs: 1000EEFC
.aye, xrefs: 1000EED0
.sys, xrefs: 1000EEBA
V3Lite.exe, xrefs: 1000EEE6
.dll, xrefs: 1000EE8E
.exe, xrefs: 1000EEA4

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _strcmpi$strstr$strrchr
String ID: .aye$.dll$.exe$.sys$AYLaunch.exe$V3Lite.exe
API String ID: 4200840081-2419393344
Opcode ID: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
Instruction ID: 466c2cd852741ed10da6fcfff3d329652218b2498b962fc8da7131ac82429ea1
Opcode Fuzzy Hash: a66008e92193723ad6069ec4cb46ca3f240866ecbfae53507d4d6401f2827d7e
Instruction Fuzzy Hash: 4A1173B4900189F7EB10CBA4ED49AAE37A8EF043C6F544164FD05A6205E733EF24C7A1

Function 1000F9DF Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121registrysleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000), ref: 1000FA4E
RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000FA9C
memset.MSVCRT ref: 1000FAE5
memset.MSVCRT ref: 1000FAFB
RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 1000FB54
StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000FB6F
RegDeleteValueA.ADVAPI32(?,?), ref: 1000FB87
RegCloseKey.ADVAPI32(00000000), ref: 1000FB99
Sleep.KERNEL32(000493E0), ref: 1000FBA4

Strings

svchsot.exe, xrefs: 1000FB63
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000FA44

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$svchsot.exe
API String ID: 1121228644-2172464104
Opcode ID: 9d00bb194b07a1bb5b771fdc727d592163efcfe6b350b88652163b49e7477233
Instruction ID: c6f70cebfc850f900d70c9a4584eddebb96ea2d54561a80a661612636b8fad89
Opcode Fuzzy Hash: 9d00bb194b07a1bb5b771fdc727d592163efcfe6b350b88652163b49e7477233
Instruction Fuzzy Hash: 87416475A40168ABEB24CB54CD45FD9B3B8FB48740F1081D9E349A6180DBF4AEC8DFA4

Function 1000BA90 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00001218), ref: 1000BA9E
WSAStartup.WS2_32(00000202,?), ref: 1000BAC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

memset.MSVCRT ref: 1000BB06

Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A00F
Part of subcall function 10009FAB: wsprintfA.USER32 ref: 1000A027
Part of subcall function 10009FAB: 6D0F2DD0.MFC42(0007D000), ref: 1000A035
Part of subcall function 10009FAB: memset.MSVCRT ref: 1000A063

Sleep.KERNEL32(0002BF20), ref: 1000BB28
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BB4E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BB5D
CloseHandle.KERNEL32(?), ref: 1000BB67
Sleep.KERNEL32(0002BF20), ref: 1000BB72
CloseHandle.KERNEL32(?), ref: 1000BB84

Strings

0x5d65r455f, xrefs: 1000BAC7
5762479093, xrefs: 1000BB12

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$5762479093
API String ID: 1532593739-2446933972
Opcode ID: 1aa5a029c31a8f57f3459db156c4c738950f266d1a140a60ae31945813a66b89
Instruction ID: ee4fe3ff80eea35deae1171875856fc337cdd1930f9e5ee3871eb6d0d01d88b9
Opcode Fuzzy Hash: 1aa5a029c31a8f57f3459db156c4c738950f266d1a140a60ae31945813a66b89
Instruction Fuzzy Hash: 922184B5A40214BBF710DBE0CD8BFDD7774EB55741F2041A4FA09962C8DB706A508B96

Function 1000BC72 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 68sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00001218), ref: 1000BC80
WSAStartup.WS2_32(00000202,?), ref: 1000BCA3

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

memset.MSVCRT ref: 1000BCE8

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: 6D0F2DD0.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BD0A
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BD30
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BD3F
CloseHandle.KERNEL32(?), ref: 1000BD49
Sleep.KERNEL32(001B7740), ref: 1000BD54
CloseHandle.KERNEL32(?), ref: 1000BD66

Strings

2073372682, xrefs: 1000BCF4
0x5d65r455f, xrefs: 1000BCA9

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$CloseCreateHandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x5d65r455f$2073372682
API String ID: 1532593739-3710683282
Opcode ID: 9942864624be78247dac6591834e8625d7a2c5a1ea7b6b007f56e46c8e93dbd5
Instruction ID: ec3ba378adc137da86a7fa9cbe3624fdafc09a65b00566f21923adef7c9e2253
Opcode Fuzzy Hash: 9942864624be78247dac6591834e8625d7a2c5a1ea7b6b007f56e46c8e93dbd5
Instruction Fuzzy Hash: 93218475A40214BBFB10DFE0CC8AFDD7774EB54741F2041A5F6099A2D5EB706A508B92

Function 1000F8F9 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 64fileCOMMON

Download Yara Rule

APIs

Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE30
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE46
Part of subcall function 1000DDEE: memset.MSVCRT ref: 1000DE5C

wsprintfA.USER32 ref: 1000F97A
DeleteFileA.KERNEL32(00000000), ref: 1000F98A
memset.MSVCRT ref: 1000F99E
wsprintfA.USER32 ref: 1000F9B9
DeleteFileA.KERNEL32(00000000), ref: 1000F9C9
DeleteFileA.KERNEL32(C:\1.vbs), ref: 1000F9D4

Strings

%s\ASDSvc.exe, xrefs: 1000F96E
C:\1.vbs, xrefs: 1000F9CF
InstallPath, xrefs: 1000F947
U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==, xrefs: 1000F94C
%s\V3Lite.exe, xrefs: 1000F9AD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memset$DeleteFile$wsprintf
String ID: %s\ASDSvc.exe$%s\V3Lite.exe$C:\1.vbs$InstallPath$U09GVFdBUkVcQWhuTGFiXFYzTGl0ZQ==
API String ID: 1479746147-790033058
Opcode ID: 76510e5ad0f0a7d840a7ac59a9f66772fcdb44f7757913529646aec1d244dc55
Instruction ID: 3f8b95e0ea3bd24813ccbb7ad79f06d8baedde75e715387043a4284ac7343189
Opcode Fuzzy Hash: 76510e5ad0f0a7d840a7ac59a9f66772fcdb44f7757913529646aec1d244dc55
Instruction Fuzzy Hash: A311D6B5810618BBE710D7A4DC89FE6B378EB24300F4001D4F748A6181EBB126D88B91

Function 1001918D Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 100195EB
%s%s, xrefs: 100195A9

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s$%s%s%s
API String ID: 0-1506711308
Opcode ID: 42203c4f5e60dc4c313bcbfaa3242895f4168d4235d153e75d5da6e43a912288
Instruction ID: 7f3d1bd727637aae945e036ecbbf7404439f41d044326d2380a7333964229f50
Opcode Fuzzy Hash: 42203c4f5e60dc4c313bcbfaa3242895f4168d4235d153e75d5da6e43a912288
Instruction Fuzzy Hash: 7B0215B4904228DBDB26CF54C984BA9B7B9EB49305F1482D9E81DAB291D730EFC5CF50

Function 1001EAC3 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 208fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 1001EAD1
GetFileSize.KERNEL32(?,00000000), ref: 1001EBA0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1001EBBD
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1001EBD3
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1001EBE3
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1001EBF9

Strings

(, xrefs: 1001EBA9
PE, xrefs: 1001EC5E

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID: ($PE
API String ID: 2979504256-3347799738
Opcode ID: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction ID: a2f518cc74f5bf6d3c6c6775fd81b0518a7a4a596ada43fd48c2c3d5df82ea48
Opcode Fuzzy Hash: fe54d1f251eca4ebab7ed7a7db03ff5dc34b9185225e73e372399f2878510901
Instruction Fuzzy Hash: 27810D71E00248ABEB08CFD4D895BAEB7B5FF88340F148129F515AB294D734E886CF94

Function 1000C83D Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 192sleepstringCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00080000), ref: 1000C876
memset.MSVCRT ref: 1000C932
Sleep.KERNEL32(000927C0,1002AEE0), ref: 1000C981
strlen.MSVCRT ref: 1000CA1E
wsprintfA.USER32 ref: 1000CA40

Part of subcall function 10007F89: _mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
Part of subcall function 10007F89: strchr.MSVCRT ref: 10007FD3
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 10007FFD
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000800E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000801E
Part of subcall function 10007F89: _mbscat.MSVCRT ref: 1000802F
Part of subcall function 10007F89: strchr.MSVCRT ref: 10008049

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6

strcmp.MSVCRT ref: 1000CAC2
Sleep.KERNEL32(000927C0), ref: 1000CAD1

Strings

http://107.163.56.240:18963/main.php, xrefs: 1000C90C
iOffset, xrefs: 1000C968
c:\1.txt, xrefs: 1000C96D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscat$FileSleepstrchrstrlen$CloseCreateHandleWrite_mbscpymemsetstrcmpwsprintf
String ID: c:\1.txt$http://107.163.56.240:18963/main.php$iOffset
API String ID: 2734459437-992998774
Opcode ID: 4a2ded3db8f8dd1e7763f1c4dc4cfb6574e26ea6859953c76b6160c5fd13c7f4
Instruction ID: 38d56a867debf3668477e47f832bb14d7cc83a34d2ec41b954da4208bafbb5ac
Opcode Fuzzy Hash: 4a2ded3db8f8dd1e7763f1c4dc4cfb6574e26ea6859953c76b6160c5fd13c7f4
Instruction Fuzzy Hash: F771AEB5D04218ABEB21CB64CC85BDAB7B5EF59340F1445E8E50CA7242EB35AE84CF51

Function 1000C668 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10006322: GetProcessHeap.KERNEL32 ref: 1000634F

Part of subcall function 100067AC: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
Part of subcall function 100067AC: strlen.MSVCRT ref: 100067DB
Part of subcall function 100067AC: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
Part of subcall function 100067AC: CloseHandle.KERNEL32(656C6261), ref: 100067F6

CloseHandle.KERNEL32 ref: 1000C6D1
Sleep.KERNEL32(00001388), ref: 1000C6DC
MoveFileExA.KERNEL32(00000000,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 1000C6EF
CopyFileA.KERNEL32(00000000,?,00000000), ref: 1000C702
DeleteFileA.KERNEL32(00000000), ref: 1000C70F
Sleep.KERNEL32(000003E8), ref: 1000C71A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 1000C736

Strings

C:\Users\user\Desktop, xrefs: 1000C69F
%s\data.db, xrefs: 1000C6A4
hosts, xrefs: 1000C677

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleSleep$CopyDeleteHeapMoveProcessWritestrlen
String ID: %s\data.db$C:\Users\user\Desktop$hosts
API String ID: 3797919734-1872397264
Opcode ID: efc404cb1c36cd2c8ce508b618bdaed85bcec96449d26f1028287ccc5fd69aa9
Instruction ID: f5900b32a1c57befda946730cab26c328d09066f7718e655d8f69fd7b70c79ee
Opcode Fuzzy Hash: efc404cb1c36cd2c8ce508b618bdaed85bcec96449d26f1028287ccc5fd69aa9
Instruction Fuzzy Hash: A421B0B6A00218BBEB14CFA4DC85FCA3769FB58710F104294FB199B1C0DBB1AA85CB50

Function 10007F89 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,U11dGV4,1002AF1C,10008569,00000000), ref: 10007FBC
strchr.MSVCRT ref: 10007FD3
_mbscat.MSVCRT ref: 10007FFD
_mbscat.MSVCRT ref: 1000800E
_mbscat.MSVCRT ref: 1000801E
_mbscat.MSVCRT ref: 1000802F
strchr.MSVCRT ref: 10008049

Strings

www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10007FB0
, xrefs: 10008005
U11dGV4, xrefs: 10007F96

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbscat$strchr$_mbscpy
String ID: $U11dGV4$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 702901625-1239733050
Opcode ID: f326c0bdbb4f28ea7d5a4b7c8fd45c6401bdca4bcea2e6c00a19b61eabe8c604
Instruction ID: 2bc11947cdbfdc4e0e0399083b1b6a46f6613d3c1d050bc1cbc246461a669991
Opcode Fuzzy Hash: f326c0bdbb4f28ea7d5a4b7c8fd45c6401bdca4bcea2e6c00a19b61eabe8c604
Instruction Fuzzy Hash: 91219379D00158ABDB11CFA8ED81BDD7774FB68302F5084A5EA0CA7244D6B5ABD48BA0

Function 1000BB90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 62sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00001218), ref: 1000BB9E
WSAStartup.WS2_32(00000202,?), ref: 1000BBC1

Part of subcall function 10004CAD: CreateMutexA.KERNEL32(00000000,00000000,1000BAD5,?,1000BAD5,00000000,00000000,0x5d65r455f), ref: 10004CBC

Part of subcall function 1000535B: GetLastError.KERNEL32(?,1000BAE3), ref: 1000535E

CloseHandle.KERNEL32(?), ref: 1000BC66

Part of subcall function 10009A63: memset.MSVCRT ref: 10009AC7
Part of subcall function 10009A63: wsprintfA.USER32 ref: 10009ADF
Part of subcall function 10009A63: 6D0F2DD0.MFC42(0007D000), ref: 10009AED
Part of subcall function 10009A63: memset.MSVCRT ref: 10009B1B

Sleep.KERNEL32(0002BF20), ref: 1000BC0D
CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BC33
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BC42
CloseHandle.KERNEL32(?), ref: 1000BC4C
Sleep.KERNEL32(0002BF20), ref: 1000BC57

Strings

2963854030, xrefs: 1000BBF7
0x555dasfas, xrefs: 1000BBC7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleSleepmemset$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
String ID: 0x555dasfas$2963854030
API String ID: 2708768594-3075894505
Opcode ID: 9a8ad658dd4bb7acd71c8c901d0bc274c19d79f238f30afa04d8c1102c3cd462
Instruction ID: d84f95eccd45cc1831ea6bca91d576b8e54f65b4ebe8b4c65b06786423185a31
Opcode Fuzzy Hash: 9a8ad658dd4bb7acd71c8c901d0bc274c19d79f238f30afa04d8c1102c3cd462
Instruction Fuzzy Hash: DB21B1B5A40214BBFB10DFE0CD8AFDD7775EB55341F2041A4FA099A284DB706A91CB52

Function 10010940 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 248comstringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10010968
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1001098D
CoCreateInstance.COMBASE(100246B0,00000000,00000001,Function_000245E0,?), ref: 100109A8

Part of subcall function 10010360: 6D0F2DD0.MFC42(0000000C), ref: 10010380

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10010A3B

Strings

WQL, xrefs: 10010B6B
SELECT * FROM , xrefs: 10010AB4
ROOT\CIMV2, xrefs: 100109D1
WHERE , xrefs: 10010B06

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: BlanketCreateInitializeInstanceProxySecuritystrlen
String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
API String ID: 570563250-2582412207
Opcode ID: 98bf76f53860a594a0a0b1b9da7cabe3198b5f99b835eb4c1d9bb814207d1e67
Instruction ID: 5cbe6ac5fde7eb26dc338a514e816c495378dc4111dc2c4ddae531228331e323
Opcode Fuzzy Hash: 98bf76f53860a594a0a0b1b9da7cabe3198b5f99b835eb4c1d9bb814207d1e67
Instruction Fuzzy Hash: 0EA10874A00249EBDB04CFA4CD95BEEB7B4FF14314F208258F5516B2D2D7B4AA86CB91

Function 1000D232 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(%systemroot%\system32\csrss.exe,?,00000104), ref: 1000D24F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000208), ref: 1000D288
GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryInformationProcess), ref: 1000D298
GetProcAddress.KERNEL32(00000000), ref: 1000D29F
GetCurrentProcess.KERNEL32(00000000,00000000,00000018,?), ref: 1000D2D6
wcscpy.MSVCRT ref: 1000D312

Strings

ntdll.dll, xrefs: 1000D293
NtQueryInformationProcess, xrefs: 1000D28E
%systemroot%\system32\csrss.exe, xrefs: 1000D24A

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AddressByteCharCurrentEnvironmentExpandHandleModuleMultiProcProcessStringsWidewcscpy
String ID: %systemroot%\system32\csrss.exe$NtQueryInformationProcess$ntdll.dll
API String ID: 703503636-1587409518
Opcode ID: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
Instruction ID: d4a10707df85f749384b0f406625ba1c85e5810cd389dcc908323d6700f8676c
Opcode Fuzzy Hash: 5b4e04cc3fdfb721d1f71ff26fba47fb89f303d233a3ec030fd47cff8edf33ff
Instruction Fuzzy Hash: 04212F71910218BFEB65CBA4CC89FDABBB8EB48310F50419AE609E6291DB705B45CF61

Function 1000CB08 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 154sleepstringCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00080000), ref: 1000CB24
memset.MSVCRT ref: 1000CBD2
Sleep.KERNEL32(000927C0), ref: 1000CC09
strlen.MSVCRT ref: 1000CCA5
strcmp.MSVCRT ref: 1000CCBB
wsprintfA.USER32 ref: 1000CCD5

Part of subcall function 100084F9: wsprintfA.USER32 ref: 1000853B
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085AF
Part of subcall function 100084F9: wsprintfA.USER32 ref: 100085CE
Part of subcall function 100084F9: CreateDirectoryA.KERNEL32(%s|%s,00000000), ref: 100085E0

Sleep.KERNEL32(000927C0), ref: 1000CCE9

Strings

http://107.163.56.240:18963/main.php, xrefs: 1000CBAF

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$Sleep$CreateDirectorymemsetstrcmpstrlen
String ID: http://107.163.56.240:18963/main.php
API String ID: 3532960077-1318255662
Opcode ID: 0d9f96c5881fc43c5d68f49406752060d2a24b9eff16c93c5737f26b3724a7d6
Instruction ID: acf207941c7ebc88904dff186f98427c2258807a785c7ff7885373aecb3466dd
Opcode Fuzzy Hash: 0d9f96c5881fc43c5d68f49406752060d2a24b9eff16c93c5737f26b3724a7d6
Instruction Fuzzy Hash: 38518AB5D0061CABEB10CB94CC82FEFB7B5EF48341F1444A8E508A7245D771AB858F91

Function 10006F92 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006FAA
strlen.MSVCRT ref: 10006FC3
strlen.MSVCRT ref: 10006FDC
strlen.MSVCRT ref: 10006FF5
strrchr.MSVCRT ref: 1000700D
_mbscpy.MSVCRT(00000000,?), ref: 10007068
strrchr.MSVCRT ref: 10007079

Strings

123, xrefs: 1000701C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPath_mbscpy
String ID: 123
API String ID: 2492324655-2286445522
Opcode ID: 6ae7ca9b40b598d48eb85bbcc3ba575c99ff50f77e4743fd11b9f870836d6378
Instruction ID: b10010325145a17280ae543c62f60846424ed8c502da58d9684bb6765ff15b86
Opcode Fuzzy Hash: 6ae7ca9b40b598d48eb85bbcc3ba575c99ff50f77e4743fd11b9f870836d6378
Instruction Fuzzy Hash: 634173FAD00248BBEB14CBA4DC42BDE77B5EF58340F1445A4F9099B241E636EB84CB91

Function 10006B4B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103stringCOMMON

Download Yara Rule

APIs

PathIsDirectoryA.SHLWAPI(?), ref: 10006B59
strlen.MSVCRT ref: 10006B6E
strlen.MSVCRT ref: 10006B87
strlen.MSVCRT ref: 10006BA0
strrchr.MSVCRT ref: 10006BCC
_mbscpy.MSVCRT(00000000,?), ref: 10006C0F
strrchr.MSVCRT ref: 10006C20

Strings

123, xrefs: 10006BB2

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$strrchr$DirectoryPath_mbscpy
String ID: 123
API String ID: 2492324655-2286445522
Opcode ID: 0216acf93dd336674bfca4f255ea5692cfb5bf92b0d8c78ebbaafcd0a2b3642d
Instruction ID: 79c25a0058445eb4a21c39191d2c2c99bec266b48e571f529a8f3a9425a03f32
Opcode Fuzzy Hash: 0216acf93dd336674bfca4f255ea5692cfb5bf92b0d8c78ebbaafcd0a2b3642d
Instruction Fuzzy Hash: E531B8FAD00248BBEB10CBA4DC81ADE77B5EF58340F1445A4F9499B241E776EB848BD1

Function 100060BF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(NUL,80000000,00000000,00000000,00000003,00000000,00000000), ref: 100060DE
CloseHandle.KERNEL32(000000FF), ref: 1000610B

Strings

NUL, xrefs: 100060D9

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: NUL
API String ID: 3498533004-1038343538
Opcode ID: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction ID: e9d1fb6442f0c914e32f04b904cbdd2044a8a5df72d57b902c957921bdc8d841
Opcode Fuzzy Hash: bacd73ea0e29112e69a3a4bd1fe7e27659f169c8efd550f9f9d80bd28413b36f
Instruction Fuzzy Hash: 7C313D7090022AEBEB10CBE4CC85BEEB7B6FF49344F344554EA117B286C730AA55DB91

Function 100214EE Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 45memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1,SELECT * FROM ,1002AEF4,10010494,00000001,00000000,1002AF0C,10010314,00007325), ref: 10021500
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,c:\1.txt,00000001), ref: 10021527
GetLastError.KERNEL32 ref: 10021537
GetLastError.KERNEL32 ref: 1002153D
SysAllocString.OLEAUT32(c:\1.txt), ref: 10021554

Strings

SELECT * FROM , xrefs: 100214F5
Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100214F6
c:\1.txt, xrefs: 10021519, 10021553

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID: Rvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1$SELECT * FROM $c:\1.txt
API String ID: 4196186757-3737772539
Opcode ID: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
Instruction ID: 1fe5ed956030cf47e0064620fe093005c6aabeb1075080af0839e4b43014f2e2
Opcode Fuzzy Hash: 784b38830f32eaa514aa5bd1c42134cdc8b8a0bef03c8b7befdc0e07884de4bc
Instruction Fuzzy Hash: 7501F436500526F7E7209BA1DC85FDA3FA8EF613A1FB18031FD09D1090E730956286A1

Function 1000AF61 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

CreateMutexA.KERNEL32(00000000,00000001,Global\98012trt8-d8dfsf), ref: 1000AF86
GetLastError.KERNEL32 ref: 1000AF8F
ReleaseMutex.KERNEL32(?), ref: 1000AFC4
CloseHandle.KERNEL32(?), ref: 1000AFCE

Strings

SeDebugPrivilege, xrefs: 1000AF69
Global\98012trt8-d8dfsf, xrefs: 1000AF7D
c:\11.txt, xrefs: 1000AFAC
ERROR_ALREADY_EXISTS, xrefs: 1000AFA7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: MutexProcess$CloseCreateCurrentErrorHandleLastOpenReleaseToken
String ID: ERROR_ALREADY_EXISTS$Global\98012trt8-d8dfsf$SeDebugPrivilege$c:\11.txt
API String ID: 1194210303-4205529783
Opcode ID: 33d6c9e2637d354fe1692b1cfc5d348cc65f7f4e25ac4b6de4792443762265fe
Instruction ID: bda5bf97716bd855d7aa97815c2b0071a65dd76f9c377fc55d067d3e89c7e2b6
Opcode Fuzzy Hash: 33d6c9e2637d354fe1692b1cfc5d348cc65f7f4e25ac4b6de4792443762265fe
Instruction Fuzzy Hash: 8AF0FF74D01309FBEB10DBE0DC89F8D7BB5EB15342F504155F90562251DB755684CB51

Function 1000A780 Relevance: 13.6, APIs: 9, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 1000A7E8
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A80A
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8A2
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000A8DC

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open$Create
String ID:
API String ID: 161609438-0
Opcode ID: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
Instruction ID: e3d78695a21ea1c89d74b4d509c2f3cee1bcccb682452cc6d6267459aaa28678
Opcode Fuzzy Hash: 48ce5e50f1d47d1142ff7ebc09636edddc09909f7c68f00c98578799335025ba
Instruction Fuzzy Hash: 83512F75A04209EFEB14CF95CC85FEE77B8EB49780F208219FA15A7284D775E981CB60

Function 1000F6C6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F6DA
Process32First.KERNEL32(00000000,00000128), ref: 1000F701
Process32Next.KERNEL32(00000000,00000128), ref: 1000F716
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F733
wsprintfA.USER32 ref: 1000F77C
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F7F2

Strings

pid_%d, xrefs: 1000F770

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpiwsprintf
String ID: pid_%d
API String ID: 4001055788-1598735649
Opcode ID: 7f93a367622f754b37ce18e9f8067485a0730c2609bd782d80c9590e221b1374
Instruction ID: c9d53c2518a1c93e9c5bb71c043409e6e03239473161a3a160f8e14674c82ed7
Opcode Fuzzy Hash: 7f93a367622f754b37ce18e9f8067485a0730c2609bd782d80c9590e221b1374
Instruction Fuzzy Hash: 68314AB5C05218EBEB60DFA4CC85BEDB7B4EF08340F1044EAE50DA6255E6746B84DF52

Function 10021563 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 10021576
6D0F2DD0.MFC42(00000002,100112AB,lNlcnZpY2VB,SELECT * FROM ,1002AF18,?,100105BB,?,?,1002AF20,100112AB), ref: 10021580
WideCharToMultiByte.KERNEL32(00000000,00000000,100112AB,000000FF,00000000,00000002,00000000,00000000,lNlcnZpY2VB,SELECT * FROM ,1002AF18,?,100105BB,?,?,1002AF20), ref: 100215A2
GetLastError.KERNEL32(?,100105BB,?,?,1002AF20,100112AB), ref: 100215B2
GetLastError.KERNEL32(?,100105BB,?,?,1002AF20,100112AB), ref: 100215B8

Strings

lNlcnZpY2VB, xrefs: 10021574
SELECT * FROM , xrefs: 10021573

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWidewcslen
String ID: SELECT * FROM $lNlcnZpY2VB
API String ID: 4237787585-3054530141
Opcode ID: 6dfb9da961e70475fd7f847a5874915236b3e6614d90c1a870618db8b11b8792
Instruction ID: f102809e0f6523f15fafc923be23898a7ca290de0f5e000ccec9650aaf4368e9
Opcode Fuzzy Hash: 6dfb9da961e70475fd7f847a5874915236b3e6614d90c1a870618db8b11b8792
Instruction Fuzzy Hash: 4FF0286A20427ABD9210A6726C84DBBBACCDEE12F47E2467AF515D2041D815AC0181F0

Function 1001E8B0 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 106stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1001E8B8

Part of subcall function 10020E70: _mbsicmp.MSVCRT ref: 10020E7B

Strings

.lzh, xrefs: 1001E96A
.zip, xrefs: 1001E91C
.zoo, xrefs: 1001E938
.tgz, xrefs: 1001E9B5
.arc, xrefs: 1001E951
.arj, xrefs: 1001E983
.gz, xrefs: 1001E99C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: _mbsicmpstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 374816253-51310709
Opcode ID: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
Instruction ID: a7750ba6201be3bd96256ed1aa53058d6e7dfdb32adcc3c4209802cf8e7f6fb8
Opcode Fuzzy Hash: f4bf0dd4d1edf962b3c713ab39717860004c21d73e0f3ba02671baab590c8203
Instruction Fuzzy Hash: D3317579D04289F7CF44CAE0AD8199D73A6EB12385F604865FD049F201E632FF80BBA5

Function 1000FBB6 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1000FBDA

Part of subcall function 100114B0: CoCreateInstance.COMBASE(00000000,10024578,1000FC00,1002B6A0,00000017), ref: 100114CC

Strings

kbstar, xrefs: 1000FE07
HTTP, xrefs: 1000FDC8

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: HTTP$kbstar
API String ID: 3519745914-2680672251
Opcode ID: c055f2331def5bf038289990834060b95847416c0c95277ab3e019e8c3a3d24e
Instruction ID: c3a8321b607e1ec655a761ab1389a6ee785db716c21e47efde926ca263a9be4b
Opcode Fuzzy Hash: c055f2331def5bf038289990834060b95847416c0c95277ab3e019e8c3a3d24e
Instruction Fuzzy Hash: 63A11574D00648DFDB08DFA4C995BEDBBB1FF58344F20815CE412AB292EB34AA45DB91

Function 1001904F Relevance: 10.6, APIs: 7, Instructions: 94COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 10019062
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019073
memcpy.MSVCRT(?,?,?), ref: 100190FA
_mbscpy.MSVCRT(00000000,00000000), ref: 1001914D
_mbscat.MSVCRT ref: 10019160
GetFileAttributesA.KERNEL32(00000000), ref: 1001916F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 10019183

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$_mbscat_mbscpymemcpy
String ID:
API String ID: 3659483993-0
Opcode ID: 401fb6a168ac80da8bdcaef0b1af1669b1b76f47dcf4406e61fa6151f8434c8d
Instruction ID: 9d745a1a41eb4a7a2a12bfbab4145b738384b9807def3fcce6aed419c037e121
Opcode Fuzzy Hash: 401fb6a168ac80da8bdcaef0b1af1669b1b76f47dcf4406e61fa6151f8434c8d
Instruction Fuzzy Hash: C7413579D04118ABCB19CFA4D894AEDBBB5EF59310F208699E9599B240D770EFC0CF90

Function 1000A617 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A65F
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 1000A671
_mbscat.MSVCRT ref: 1000A68C
_mbscat.MSVCRT ref: 1000A6A9

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Part of subcall function 1000A519: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556

Strings

XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000A677
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000A694

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryFileSystem_mbscat$CreateExistsPath
String ID: XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==
API String ID: 4049401565-2249354660
Opcode ID: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
Instruction ID: 12b72cb5e04ffb9a7e9ac27504f08d15284b6b879465d20345e618696946c61d
Opcode Fuzzy Hash: e51112dc785d1928c10711f1fc1f48a27090427b8d8f96e4dd1b392eaab60eb6
Instruction Fuzzy Hash: 9021F8FAC04208BBFB10D7A0DC45BCE7378DB14380F1086A5FB0996145EEB5ABC88B91

Function 10006C88 Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 10006CC5
GetFileSize.KERNEL32(?,00000000), ref: 10006CEA
6D0F2DD0.MFC42(00000000), ref: 10006CF7
memset.MSVCRT ref: 10006D35
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,?,?,00000000), ref: 10006D59
CloseHandle.KERNEL32(?,00000000), ref: 10006DA7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleReadSizememset
String ID:
API String ID: 849667651-0
Opcode ID: e8a2dfce9241006138db4926ca1fd13238bdd5d4b532caef50076c5b0f3e2930
Instruction ID: 20d629e5142875753669a35d1e811c0194670abf32d4287b49ac12e2b780f710
Opcode Fuzzy Hash: e8a2dfce9241006138db4926ca1fd13238bdd5d4b532caef50076c5b0f3e2930
Instruction Fuzzy Hash: DA316179A00294ABEB25CF54CC85BCAB375FB4C341F1085D5FA49A7284D6B4AAD4CF50

Function 1000883B Relevance: 10.6, APIs: 7, Instructions: 67memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000885E
GlobalAlloc.KERNEL32(00000040,-00000001), ref: 1000887C
memset.MSVCRT ref: 10008892
_mbscpy.MSVCRT(00000000,00000000), ref: 100088A2
memset.MSVCRT ref: 100088D6
_mbscpy.MSVCRT(00000000,00000001), ref: 100088E9
GlobalFree.KERNEL32(00000000), ref: 100088F5

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Global_mbscpymemset$AllocFreestrlen
String ID:
API String ID: 3317734596-0
Opcode ID: f45d5ceaf1e5b0f6367cab85ba0a1253f357690d66b4acb8c6414236b1e8fa04
Instruction ID: 371cdc15c4be44a3cd0437dc71fa5aaac8cd8a0fdcd6f9490a1cbaeabdbd2086
Opcode Fuzzy Hash: f45d5ceaf1e5b0f6367cab85ba0a1253f357690d66b4acb8c6414236b1e8fa04
Instruction Fuzzy Hash: A3219DB9D00208FBEB04CFD4D885B9DBBB4FF44304F50C158EA046B345D671AB948B95

Function 1000600B Relevance: 10.6, APIs: 7, Instructions: 63memorythreadsynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000214), ref: 1000601E
CreateThread.KERNEL32(00000000,00000000,Function_00005FD3,?,00000000,00000000), ref: 10006040
WaitForSingleObject.KERNEL32(?,00000064), ref: 1000604F
TerminateThread.KERNEL32(?,00000000), ref: 10006067
CloseHandle.KERNEL32(?), ref: 10006071
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000104,00000000,00000000), ref: 100060A0
HeapFree.KERNEL32(00000000,00000000,?), ref: 100060B3

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: HeapThread$AllocateByteCharCloseCreateFreeHandleMultiObjectSingleTerminateWaitWide
String ID:
API String ID: 4251336913-0
Opcode ID: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction ID: 97dbfb0626745b3a13ce99f142d6799707a3ad8bdba7c53ac94dcc1e3c2afbb3
Opcode Fuzzy Hash: 7c4b1b83bf59831e45f4423d261fbac2e77e5f9a5ffc5ece3e70e6b213313125
Instruction Fuzzy Hash: 3B21BAB4A40218BFFB04DBD4CC8AF6E7775EB48701F208558FB15AB2D0C671AA51CB54

Function 10008F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008F76

Strings

C:\Users\user\Desktop, xrefs: 10008F23
%s\lang.ini, xrefs: 10008F28
search, xrefs: 10008FD6
http://, xrefs: 10008FBD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-2691734327
Opcode ID: be59e332c173b8a5ceace86f63752d4cd59112b78e0c4a578100695009e00cb7
Instruction ID: 60212f5056ad82ff0ae5ea45a156ac378cfaaf25f5a26cee64a353fcc168191f
Opcode Fuzzy Hash: be59e332c173b8a5ceace86f63752d4cd59112b78e0c4a578100695009e00cb7
Instruction Fuzzy Hash: 9D21C8759042097BEB60C674DC02FDB7369EB24380F5045B4BB88E6185EBB5FB848B95

Function 1000D747 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1000D75F
srand.MSVCRT ref: 1000D766
rand.MSVCRT ref: 1000D76F
rand.MSVCRT ref: 1000D7BA

Strings

3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6, xrefs: 1000D754

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$CountTicksrand
String ID: 3ept4x7um2ql1d9vfa08or5nwcihzbkgsyz6
API String ID: 3923125369-3761970555
Opcode ID: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
Instruction ID: 5baca46d6ec9984475ff302e343ac5961955fe47c9a6e1e459158899833a3c7c
Opcode Fuzzy Hash: 89df79a13d55d1c13e4613ecbe5ccd4efd4d3428256a0b84ea665a0490cafec1
Instruction Fuzzy Hash: 3E11B830815108EFDB00EFA8D894A9EBBB6FF44320F30419AE909E7345D331AA51DB60

Function 100067AC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32filestringCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 100067C8
strlen.MSVCRT ref: 100067DB
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100067EC
CloseHandle.KERNEL32(656C6261), ref: 100067F6

Strings

d=TRUE, xrefs: 100067D6

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleWritestrlen
String ID: d=TRUE
API String ID: 1350020999-2436624125
Opcode ID: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
Instruction ID: 9091ae99ca244d77819b183989e1c27e630e4a4cabccf0d25adc0486f95204c4
Opcode Fuzzy Hash: fceca9798fc01192b2dcacfd83b9fc19f9e747afa2fa14385b2acdc7239c0ac7
Instruction Fuzzy Hash: C5F082B9640208BBE710DBE4DCC6F9A777CAB48700F108144FF09A7280DA70A944CBA4

Function 1001ED1E Relevance: 7.7, APIs: 5, Instructions: 155fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001ED93
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 1001EDF5
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 1001EE7C
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 1001EEAC
CloseHandle.KERNEL32(00000000), ref: 1001EEC8

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Create$CloseHandleMappingPointerView
String ID:
API String ID: 1737989552-0
Opcode ID: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction ID: 743c727af9f4ebea276fef19f0abd475d21ef0e9be5fc3ab0a1b21c44a59574f
Opcode Fuzzy Hash: 0358ff90798f16207cc0b2d9917ece2de8aef665082186868d1e4a743e807b98
Instruction Fuzzy Hash: 0561C874A0024ADFEB14CF54C545BAEB7F1FB48715F208659E8156B382C771DE81CBA1

Function 10008377 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(00000001), ref: 100083C5
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 10008408
6D0F2DD0.MFC42(00000001), ref: 1000846D
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000), ref: 10008493
CloseHandle.KERNEL32(00000000), ref: 100084EA

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseHandleMemoryProcessQueryReadVirtual
String ID:
API String ID: 1621033003-0
Opcode ID: 9b9acf709f20c80de02105381c9210ab493a883fb7fbe75462a8264bb3135514
Instruction ID: 4ce35375b4bad31ba0a910ff1afeab1654858517ab5a746a47daf2776de4f8ea
Opcode Fuzzy Hash: 9b9acf709f20c80de02105381c9210ab493a883fb7fbe75462a8264bb3135514
Instruction Fuzzy Hash: 8B51E3B5E00219AFEB14CFD8D981AAEB7B5FF88340F208129E945A7354D774AA81CF50

Function 1000A519 Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000A556
memset.MSVCRT ref: 1000A597
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 1000A5BB
CloseHandle.KERNEL32(?), ref: 1000A607

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleReadmemset
String ID:
API String ID: 1934991721-0
Opcode ID: 05b567c9856d8dc71aa1cd1537ca95858c2db371d4679b3c43396c213425bc9f
Instruction ID: 6a49061c0ed4d4591c571688064297fdf5beefa6cff065268dfcbfb052794fb4
Opcode Fuzzy Hash: 05b567c9856d8dc71aa1cd1537ca95858c2db371d4679b3c43396c213425bc9f
Instruction Fuzzy Hash: F2216275A00255ABEB21CB54CC81FDA7374FB4C382F1045A5FB49A7284D6B0AAC48F54

Function 1000F63B Relevance: 7.5, APIs: 5, Instructions: 43processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F64F
Process32First.KERNEL32(00000000,00000128), ref: 1000F672
Process32Next.KERNEL32(00000000,00000128), ref: 1000F687
lstrcmpiA.KERNEL32(00000000,?), ref: 1000F6A0
CloseHandle.KERNEL32(00000000,00000000,00000128,00000002,00000000), ref: 1000F6B9

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
String ID:
API String ID: 868014591-0
Opcode ID: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction ID: 6a087116852af621f6414e876448160d89c161c3e2a286ec7096f0195759277d
Opcode Fuzzy Hash: 1038135582eb3e37ab3ad8b6535064ad8d133c26625a9f4578617d57f1eb2694
Instruction Fuzzy Hash: AA014CB5D00208EBEB10EFE0CC85BEDB7B8EB08384F50848CA509A7254D7756B84DF50

Function 10008E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005304: PathFileExistsA.SHLWAPI(10008E68,?,10008E68,00000000,?,?,?), ref: 1000530B

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 10008E96

Strings

C:\Users\user\Desktop, xrefs: 10008E43
http://, xrefs: 10008EDD
%s\lang.ini, xrefs: 10008E48

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-4272537799
Opcode ID: e8b56968c5584ac666961f005e415167df33ef20945c2fef5e91b7dddfcd262a
Instruction ID: 524591cf8a4eee935b205e257a8c60c4d1d170a2f2a088a70314005468ca3b98
Opcode Fuzzy Hash: e8b56968c5584ac666961f005e415167df33ef20945c2fef5e91b7dddfcd262a
Instruction Fuzzy Hash: CD21DAB5D04248B7EB20C664DC41FCB7368DB54790F1045A4FB89A61C5EBB1BBC48F95

Function 1000F85D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57timeCOMMON

Download Yara Rule

APIs

Part of subcall function 10005EBA: GetCurrentProcess.KERNEL32(00000028,?), ref: 10005EC6
Part of subcall function 10005EBA: OpenProcessToken.ADVAPI32(00000000), ref: 10005ECD

Part of subcall function 100055B0: OpenProcess.KERNEL32(?,?,?), ref: 100055BF

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 1000F8A3

Strings

SeDebugPrivilege, xrefs: 1000F865

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$OpenTimer$Concurrency::details::platform::__CreateCurrentQueueToken
String ID: SeDebugPrivilege
API String ID: 3835064167-2896544425
Opcode ID: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
Instruction ID: fc672c7b5ca9b149f1a5e930f45fef3a2c969a6d647dd8d1ed25485d67561eb1
Opcode Fuzzy Hash: 55189b5de16f3dbe4dcc7aac7187496ce3e63eb901566924b5465bcc2ab1bb6a
Instruction Fuzzy Hash: 381182B5E40305BBFB10DBA08C46FDE7674EB04741F104568FB04BA2C5EA7166508755

Function 1000E4A1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100), ref: 1000E4DB
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 1000E525
DeviceIoControl.KERNEL32(000000FF,00222000,00000000,00000400,00000000,00000000,?,00000000), ref: 1000E55F

Strings

\\.\moon, xrefs: 1000E4E7

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharControlCreateDeviceFileMultiWide
String ID: \\.\moon
API String ID: 1446495253-2167628891
Opcode ID: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
Instruction ID: 23935ab2004618820c7cb13d6f81c44a57c65e4e46a841ae29926b98e247d94e
Opcode Fuzzy Hash: 9dce533a4f7932ddd941590fedf0fa382a3659c265b8dca9cabde0e0e6ffcda3
Instruction Fuzzy Hash: D71136B4550228BAE720DB54CC85FD57778EB44710F1086A9F708B72D0E7B02B86CF99

Function 10009296 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringtimeCOMMON

Download Yara Rule

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMTD ref: 100092DB

Part of subcall function 1000584F: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,00000000,10008E9B,?,10008E9B,00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000586E

strlen.MSVCRT ref: 10009303

Strings

C:\Users\user\Desktop, xrefs: 1000929F
%s\lang.ini, xrefs: 100092A4

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3442345488-2679580386
Opcode ID: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
Instruction ID: 5c2cb0c0f0112b76a52748a175c0b0866aa9ac7b40e06f3532cdc33e9dc0b8a8
Opcode Fuzzy Hash: e823f6641858293d945c9e7909958a6a4b2b0520b96349cccdf13bb565fdb5a4
Instruction Fuzzy Hash: C40148F9D0021867EB20DB64DC46FCA7378DB14740F4086A4BA88671C5EAB5BBC48FD5

Function 1001EF73 Relevance: 6.1, APIs: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

6D0F2DD0.MFC42(000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001EFD4
memcpy.MSVCRT(00000000,?,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F000
memcpy.MSVCRT(1002B35C,00004000,000000FF,?,1001FADC,?,000000FF,?,00004000), ref: 1001F092
WriteFile.KERNEL32(00000000,00004000,000000FF,000000FF,00000000,?,1001FADC,?,000000FF,?,00004000), ref: 1001F0CC

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy$FileWrite
String ID:
API String ID: 3457131274-0
Opcode ID: 9cfdf7cfb5550f0cc81e26796b1b2b241f269773cb08eea1854e19296a06212f
Instruction ID: 4bd6022a4a2ec37f9ae3b9a4e2ff67f1137577e8ba2bc2d6a42e4c9f344f74e1
Opcode Fuzzy Hash: 9cfdf7cfb5550f0cc81e26796b1b2b241f269773cb08eea1854e19296a06212f
Instruction Fuzzy Hash: 4651BAB8E00109DFCB44CF98D491AAEBBB6FF98314F508559E9099B346D771E981CF90

Function 10016729 Relevance: 6.1, APIs: 4, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100167A3
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001), ref: 100167D0
6D0F2DD0.MFC42(00000020), ref: 100167E7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 1001684C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pointer$Create
String ID:
API String ID: 250661774-0
Opcode ID: 34497b7eea5c4bd5da3bf1c0850f289f167b8ed7439fc06372f490cb469e61c6
Instruction ID: f591f9a745d53ad3dfe22ef2f77011fbbab233b3b6c88462e3b6b178e94e5e56
Opcode Fuzzy Hash: 34497b7eea5c4bd5da3bf1c0850f289f167b8ed7439fc06372f490cb469e61c6
Instruction Fuzzy Hash: C4510B74E0424AEFDB11CF54C895B9EBBB1FB09304F108699EC216B381C7B5DA85CB91

Function 100184CC Relevance: 6.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 100184FF
strlen.MSVCRT ref: 1001850E
_mbscat.MSVCRT ref: 10018544
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1001855C

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryFilePointer_mbscatstrlen
String ID:
API String ID: 345282596-0
Opcode ID: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
Instruction ID: d652d1c918226deb8dbb541e2e319e9dea9985361b2032265780a00324afeef0
Opcode Fuzzy Hash: 11613a86f7ef6ccb1823d9a6ffd8c8377e3c6033db4f259f26be16f8b67c7ce5
Instruction Fuzzy Hash: 5C318275D0064ADBDB00CF94C881BAE7BB6EF45300F144569F515AB281D330EBD1CB91

Function 1000C063 Relevance: 6.1, APIs: 4, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 1000C06D

Part of subcall function 1000BEF7: malloc.MSVCRT ref: 1000BF0F

strlen.MSVCRT ref: 1000C0A2
toupper.MSVCRT ref: 1000C0F0
tolower.MSVCRT ref: 1000C129

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: strlen$malloctolowertoupper
String ID:
API String ID: 1610385915-0
Opcode ID: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
Instruction ID: 7a5db7ae6677982574b2aec189b42e08800268808c8d6061b8b5cfc946dd9c0f
Opcode Fuzzy Hash: 3031cbe58d1370803702243996a180456ff070ffe73ccb5f96b58183e148b611
Instruction Fuzzy Hash: 45317C75D0428CEBDB04CFA8C8D0AAEBBB5EF42245F2441D9D841AB306C635AB90DB45

Function 10011150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(10010E30,?), ref: 10011190
SafeArrayAccessData.OLEAUT32(10010E30,00000000), ref: 100111AD
SafeArrayUnaccessData.OLEAUT32(10010E30), ref: 10011217
refcount_ptr.LIBCPMTD ref: 10011227

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccessVartyperefcount_ptr
String ID:
API String ID: 643252218-0
Opcode ID: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
Instruction ID: 2d86a0b6451a645c637edffcb08906b081acf8c9fc1e69a33f2e972db292452b
Opcode Fuzzy Hash: 3b3fe23d2f5eb5c6268ffe4ceadee3182b40b81b390c65d7c874f3fb6bc5dae2
Instruction Fuzzy Hash: 7231ED75D00109EFCB08CF94C995BEEBBB5FF48310F208159E525AB281DB35AA45CBA1

Function 1000C5F0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 37sleepstringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 1000C5F9
memset.MSVCRT ref: 1000C613
Sleep.KERNEL32(0000EA60), ref: 1000C63A

Strings

found~!, xrefs: 1000C5F0

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepmemsetstrstr
String ID: found~!
API String ID: 2489989216-3563639675
Opcode ID: 7b5aaeb3123f134392a08eeec08c5f4db540c4159c269349746db3e2c74e285a
Instruction ID: 8119cc500c20e04b94a5d0cf1617a111049eef5a0b8ea3278fea11a9d42b8372
Opcode Fuzzy Hash: 7b5aaeb3123f134392a08eeec08c5f4db540c4159c269349746db3e2c74e285a
Instruction Fuzzy Hash: F0F068B6E00108EBEB14CBD4DD86F9FB378EB98201F1045D4FA09A7241EA71AF559F51

Function 1000BD79 Relevance: 6.0, APIs: 4, Instructions: 33sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000B74E,?,00000000,00000000), ref: 1000BDAC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000BDBB
CloseHandle.KERNEL32(?), ref: 1000BDC5
Sleep.KERNEL32(00000064), ref: 1000BDCD

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleSleepThreadWait
String ID:
API String ID: 422747524-0
Opcode ID: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction ID: b9f77b51fdc0ce5c79c26bcc87bcad786e5d67b6ada7f4622830d9e7383a6a42
Opcode Fuzzy Hash: 10cae54d753047885dafb503133400631415932ed754353f801354fb98f1c1ee
Instruction Fuzzy Hash: A8F03074A40208BBF704DFE4CD8AF9D7B75EB54711F208154FB059A2C4D7715A518B61

Function 100061D7 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,10006283,?), ref: 100061E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 100061FF
CloseHandle.KERNEL32(00000000), ref: 1000620D

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandleOpenTerminate
String ID:
API String ID: 2026632969-0
Opcode ID: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction ID: c3b055f7a518f1452caa67d907e4e45609d189d3ebd99e836d77498bd3e4c8c9
Opcode Fuzzy Hash: 3346a770a5624940685d264461f88c5fe553c2350b940db3d8f2111e499f6289
Instruction Fuzzy Hash: 6AF05875A44218FBE710DBE4DD88B5E7BA8EB0C381F308958FA05D7240D6309A819B50

Function 1000D353 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000D39D
sprintf.MSVCRT ref: 1000D3B6

Strings

cmd /c ping 127.0.0.1 -n 3&del "%s", xrefs: 1000D3AA

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileModuleNamesprintf
String ID: cmd /c ping 127.0.0.1 -n 3&del "%s"
API String ID: 1461247384-535577241
Opcode ID: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
Instruction ID: a6b8e271a6fb293dd042ad0264e0da81425d7f8170d8075a503821407d4c08d6
Opcode Fuzzy Hash: 620f4682e5601b0232d7558068d39c4614f5703bc50ed6a87eb18a28d36fc5f0
Instruction Fuzzy Hash: A8F0C27291021C7BEB11C7A8CCA5BD6B7BCAB54300F4001E5E70CA6181EFB52B9C8F91

Function 1000F7FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 1000F809
GetLocalTime.KERNEL32(?), ref: 1000F842

Strings

-, xrefs: 1000F81B

Memory Dump Source

Source File: 00000004.00000002.2705587454.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.2705563403.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010027000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705587454.0000000010047000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705681344.0000000010049000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2705699363.000000001004A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: LocalTime
String ID: -
API String ID: 481472006-2547889144
Opcode ID: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction ID: 54c5f6dbd1dfb4096c870d722f7c1ff444cf4a43efea41441fbe41cbc9c571be
Opcode Fuzzy Hash: 826a066efadd576a896ad869d34b41f6dda7a69dcbf37a7f77cb9f4679c72261
Instruction Fuzzy Hash: 47F04471D0120AEBEB14DFA4C6856FDB7B4EF40740F20C1ADD801AB648DA34AB09FB52

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oQy3XhO4cX.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7CA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA2C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA6C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Windows Analysis Report
oQy3XhO4cX.dll

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre