
Windows Analysis Report
b3sV534MMf.dll

Overview

General Information

Sample name: b3sV534MMf.dll
renamed because original name is a hash value
Original sample name: 4135a80b786a0e4504e17352362e6ecc754b4ce5.dll
Analysis ID: 1558490
MD5: 28de8c856e847f8097131e502fc75d8d
SHA1: 4135a80b786a0e4504e17352362e6ecc754b4ce5
SHA256: 657ffa1f45c97cdda48a5c2ea95eecdfdfeae68d9aac937c120b0ab063ea6e87
Tags: dll user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
PE file has a writeable .text section
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to communicate with device drivers
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1312 cmdline: loaddll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1308 cmdline: rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 6780 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 6724 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 2896 cmdline: rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,GetColor MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7180 cmdline: rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7204 cmdline: rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7348 cmdline: rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7400 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 7488 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 7356 cmdline: rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7384 cmdline: rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 7812 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 7832 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7884 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 7948 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 7976 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 8020 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source: b3sV534MMf.dll, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x37ff1:$x1: cracked by ximo
  • 0x380ab:$x1: cracked by ximo
  • 0x38165:$x1: cracked by ximo
  • 0x3821f:$x1: cracked by ximo
  • 0x382d9:$x1: cracked by ximo
  • 0x38393:$x1: cracked by ximo
  • 0x3844d:$x1: cracked by ximo
  • 0x38507:$x1: cracked by ximo
  • 0x3f64f:$x1: cracked by ximo
  • 0x436a2:$x1: cracked by ximo
Source: 9.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x37ff1:$x1: cracked by ximo
  • 0x380ab:$x1: cracked by ximo
  • 0x38165:$x1: cracked by ximo
  • 0x3821f:$x1: cracked by ximo
  • 0x382d9:$x1: cracked by ximo
  • 0x38393:$x1: cracked by ximo
  • 0x3844d:$x1: cracked by ximo
  • 0x38507:$x1: cracked by ximo
  • 0x3f64f:$x1: cracked by ximo
  • 0x436a2:$x1: cracked by ximo
Source: 15.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x37ff1:$x1: cracked by ximo
  • 0x380ab:$x1: cracked by ximo
  • 0x38165:$x1: cracked by ximo
  • 0x3821f:$x1: cracked by ximo
  • 0x382d9:$x1: cracked by ximo
  • 0x38393:$x1: cracked by ximo
  • 0x3844d:$x1: cracked by ximo
  • 0x38507:$x1: cracked by ximo
  • 0x3f64f:$x1: cracked by ximo
  • 0x436a2:$x1: cracked by ximo
Source: 3.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x37ff1:$x1: cracked by ximo
  • 0x380ab:$x1: cracked by ximo
  • 0x38165:$x1: cracked by ximo
  • 0x3821f:$x1: cracked by ximo
  • 0x382d9:$x1: cracked by ximo
  • 0x38393:$x1: cracked by ximo
  • 0x3844d:$x1: cracked by ximo
  • 0x38507:$x1: cracked by ximo
  • 0x3f64f:$x1: cracked by ximo
  • 0x436a2:$x1: cracked by ximo

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 2896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gc
No Suricata rule has matched

AV Detection

Source: b3sV534MMf.dll Avira: detected
Source: b3sV534MMf.dll ReversingLabs: Detection: 78%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: b3sV534MMf.dll Joe Sandbox ML: detected
Source: b3sV534MMf.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep,3_2_10007F3E
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 174.139.6.44 803
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 174.139.6.43 805
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 174.139.6.42 3204
Source: global traffic TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 174.139.6.44:803
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 107.163.56.110:18530
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 174.139.6.42:3204
Source: global traffic TCP traffic: 192.168.2.4:49744 -> 174.139.6.43:805
Source: Joe Sandbox View IP Address: 202.108.0.52 202.108.0.52
Source: Joe Sandbox View IP Address: 107.163.56.110 107.163.56.110
Source: Joe Sandbox View ASN Name: TAKE2US TAKE2US
Source: Joe Sandbox View ASN Name: VPLSNETUS VPLSNETUS
Source: global traffic TCP traffic: 192.168.2.4:49746 -> 202.108.0.52:80
Source: unknown TCP traffic detected without corresponding DNS query: 174.139.6.44
Source: unknown TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown TCP traffic detected without corresponding DNS query: 174.139.6.42
Source: unknown TCP traffic detected without corresponding DNS query: 174.139.6.43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003F41 InternetReadFile,3_2_10003F41
Source: global traffic DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, 00000003.00000002.3422401937.0000000004B3D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://107.163.56.110:1530/u1129.html
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.163.56.110:18530/u1129.html&
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3427347038.000000000593A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3092158353.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4055115191.0000000010012000.00000040.00000001.01000000.00000003.sdmp, b3sV534MMf.dll String found in binary or memory: http://174.139.6.43:805/index.php
Source: rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.php93
Source: rundll32.exe, 00000003.00000002.3427186245.000000000571D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3427347038.000000000593A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpC:
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpKP
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpMSBuild
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpN
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpStart
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpZ
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpcuments
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpi
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpi/P
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpiD
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpmls
Source: rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpng
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phps
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpvorites
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpw
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.43:805/index.phpwnloads
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.44/
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.44/JtB
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3092158353.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4055115191.0000000010012000.00000040.00000001.01000000.00000003.sdmp, b3sV534MMf.dll String found in binary or memory: http://174.139.6.44:803/
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://174.139.6.44:803//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmJe2nte
Source: rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.sina.com.cn/u/%s&
Source: rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.sina.com.cn/u/%s2
Source: rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.sina.com.cn/u/%s7
Source: rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3420272005.0000000000A6D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: b3sV534MMf.dll, type: SAMPLE Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: b3sV534MMf.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 70450000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 71420000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 723F0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 77040000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73D60000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73630000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74B50000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 733C0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 746B0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75450000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 763E0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73830000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73900000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 747B0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 751E0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75570000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76860000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73540000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73980000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73A90000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74640000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75B70000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 764E0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76610000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74AC0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 734C0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73590000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 738B0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 739D0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73B00000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74550000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74830000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75260000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 755F0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76530000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76660000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 738D0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 73B20000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74570000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74690000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 74D50000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75280000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75610000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 75BC0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 768E0000 page read and write
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10008AAD: DeviceIoControl,3_2_10008AAD
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10003F63 ExitWindowsEx,3_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000B2243_2_1000B224
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000B70D3_2_1000B70D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100121ED3_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000AEC03_2_1000AEC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10001000 appears 303 times
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 672
Source: b3sV534MMf.dllBinary or memory string: OriginalFilenameSHDOCVW.DLLj% vs b3sV534MMf.dll
Source: b3sV534MMf.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: b3sV534MMf.dll, type: SAMPLEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPEMatched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: b3sV534MMf.dllStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engineClassification label: mal100.troj.spyw.evad.winDLL@42/10@3/6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000404F AdjustTokenPrivileges,3_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10003FB7 CreateToolhelp32Snapshot,3_2_10003FB7
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\Desktop\12021651Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\174.139.6.42:3204
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\M174.139.6.42:3204
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7204
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\763f537e-c7a1-48da-a969-336a16847db1Jump to behavior
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,GetColor
Source: b3sV534MMf.dll | ReversingLabs: Detection: 78%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 672
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 668
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002366D pushfd ; mov dword ptr [esp], E450DE37h | 3_2_1002ECC8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100283FA pushfd ; mov dword ptr [esp], B391D77Ah | 3_2_10028400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100283FA push eax; mov dword ptr [esp], 14991104h | 3_2_10028408
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1004701E pushfd ; mov dword ptr [esp], edi | 3_2_100475EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10029023 push dword ptr [esp+30h]; retn 0034h | 3_2_10034E3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021023 push dword ptr [esp+48h]; retn 004Ch | 3_2_10032573
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10027024 push dword ptr [esp+3Ch]; retn 0040h | 3_2_10027045
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F02D push dword ptr [esp+5Ch]; retn 0060h | 3_2_1002F03D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10023037 pushfd ; mov dword ptr [esp], esi | 3_2_1002C00B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F040 push dword ptr [esp+44h]; retn 0048h | 3_2_1002F074
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002105F push dword ptr [esp+3Ch]; retn 0044h | 3_2_10025F46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1003506A push dword ptr [esp+44h]; retn 0048h | 3_2_1003507D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10033C47 push dword ptr [esp+40h]; retn 0048h | 3_2_1002A6EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10033C47 push dword ptr [esp+48h]; retn 004Ch | 3_2_10033C8A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002907B push dword ptr [esp+30h]; retn 0034h | 3_2_10031326
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021092 push dword ptr [esp+3Ch]; retn 0044h | 3_2_10025F46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021097 push dword ptr [esp+3Ch]; retn 0044h | 3_2_10025F46
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002309C push esi; mov dword ptr [esp], 1CC44278h | 3_2_100230D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002309C push dword ptr [esp+34h]; retn 0038h | 3_2_100279AB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100350BD push dword ptr [esp+54h]; retn 0058h | 3_2_10037A41
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100270BD push dword ptr [esp+50h]; retn 0054h | 3_2_100207C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002B0C7 push dword ptr [esp+5Ch]; retn 0060h | 3_2_1002B105
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100230D2 push esi; mov dword ptr [esp], 1CC44278h | 3_2_100230D3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100350D7 push dword ptr [esp+3Ch]; retn 0040h | 3_2_100350E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001F0D5 push dword ptr [esp+40h]; retn 0044h | 3_2_1001F0F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002F0D8 push dword ptr [esp+48h]; retn 004Ch | 3_2_1002F125
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100350EB push dword ptr [esp+30h]; retn 0038h | 3_2_10035121
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100250ED push dword ptr [esp+40h]; retn 0044h | 3_2_10025103
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1001F0F3 push dword ptr [esp+2Ch]; retn 0030h | 3_2_1002792A
Source: b3sV534MMf.dll | Static PE information: section name: .rsrc entropy: 6.804416992654808

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateFileA,DeviceIoControl,FormatMessageA, \\.\PHYSICALDRIVE%d | 3_2_10008B7A

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: CreateFileA,DeviceIoControl,FormatMessageA, \\.\PHYSICALDRIVE%d | 3_2_10008B7A
Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run gc
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_3-18871
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 1215
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 6412
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_3-18860
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1868 | Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5744 | Thread sleep count: 1215 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5744 | Thread sleep time: -2187000000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5436 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7776 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7796 | Thread sleep time: -1260000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7772 | Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7792 | Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5436 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7920 | Thread sleep count: 106 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7920 | Thread sleep time: -31800000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7728 | Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5744 | Thread sleep count: 6412 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5744 | Thread sleep time: -11541600000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007F3E FindFirstFileA,FindNextFileA,Sleep | 3_2_10007F3E
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
Source: Amcache.hve.12.dr | Binary or memory string: VMware
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.3420002897.000000000057B000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: s\Applications\\VMwareHo8
Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: rundll32.exe, 00000003.00000003.2029437842.00000000008D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 174.139.6.44 803
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 174.139.6.43 805
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 174.139.6.42 3204
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
MITRE ATT&CK matrix, listed per tactic column (the number in parentheses is the count the report shows beside that technique; techniques without a count carry no such number in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (11); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (111); Registry Run Keys / Startup Folder (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (111); Bootkit (1); Rundll32 (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: File and Directory Discovery (2); System Information Discovery (111); Security Software Discovery (21); Virtualization/Sandbox Evasion (31); Process Discovery (1); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1558490 | Sample: b3sV534MMf.dll | Startdate: 19/11/2024 | Architecture: WINDOWS | Score: 100
Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
Contacted domains: blogx.sina.com.cn, blog.sina.com.cn
Contacted IPs: 174.139.6.42 port 3204 (VPLSNETUS, United States); 174.139.6.43 port 805 (VPLSNETUS, United States); 3 other IPs or domains; 127.0.0.1 (PING.EXE)
Process tree: loaddll32.exe, rundll32.exe, rundll32.exe started from the sample; loaddll32.exe started rundll32.exe, cmd.exe, rundll32.exe and 5 other processes (including WerFault.exe, twice); the rundll32.exe instances started cmd.exe; cmd.exe started rundll32.exe, conhost.exe and PING.EXE
Node signatures: System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Contains functionality to infect the boot sector; Creates an autostart registry key pointing to binary in C:\Windows (rundll32.exe); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks (cmd.exe); Queries disk data (e.g. SMART data) (rundll32.exe)

Source | Detection | Scanner | Label
b3sV534MMf.dll | 79% | ReversingLabs | Win32.Backdoor.Zegost
b3sV534MMf.dll | 100% | Avira | TR/Farfli.ghwpt
b3sV534MMf.dll | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://174.139.6.43:805/index.phpi/P | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpng | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpMSBuild | 0% | Avira URL Cloud | safe
http://174.139.6.44:803//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmJe2nte | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpiD | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpZ | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.html | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.php93 | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpi | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpN | 0% | Avira URL Cloud | safe
http://174.139.6.44:803/ | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpw | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpC: | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpcuments | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpmls | 0% | Avira URL Cloud | safe
http://107.163.56.110:1530/u1129.html | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpStart | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phps | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.html& | 0% | Avira URL Cloud | safe
http://174.139.6.44/JtB | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpvorites | 0% | Avira URL Cloud | safe
http://174.139.6.44/ | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.php | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpKP | 0% | Avira URL Cloud | safe
http://174.139.6.43:805/index.phpwnloads | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blogx.sina.com.cn | 202.108.0.52 | true | false | | high
blog.sina.com.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://blog.sina.com.cn/u/%s7 | rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://174.139.6.43:805/index.phpng | rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpiD | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpi | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpi/P | rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpMSBuild | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.html | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.12.dr | false | | high
http://blog.sina.com.cn/u/%s | rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3420272005.0000000000A6D000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://174.139.6.43:805/index.phpZ | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.php93 | rundll32.exe, 00000003.00000003.3286146158.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.44:803//joy.asp?sid=rungnejcrueXntG4Fe5vteX8v2LUicbtudb8mtiWmJe2nte | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpN | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.44:803/ | rundll32.exe, rundll32.exe, 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000009.00000002.3092158353.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4055115191.0000000010012000.00000040.00000001.01000000.00000003.sdmp, b3sV534MMf.dll | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpC: | rundll32.exe, 00000003.00000002.3427186245.000000000571D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3427347038.000000000593A000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpStart | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpcuments | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:1530/u1129.html | rundll32.exe, 00000003.00000002.3422401937.0000000004B3D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpmls | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/%s& | rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://174.139.6.43:805/index.phpw | rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.44/JtB | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.html& | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phps | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.44/ | rundll32.exe, 00000003.00000002.3421283523.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpwnloads | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.php | rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.3427347038.000000000593A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3421283523.0000000002CEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3092158353.0000000010012000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.4055115191.0000000010012000.00000040.00000001.01000000.00000003.sdmp, b3sV534MMf.dll | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpvorites | rundll32.exe, 00000003.00000002.3421283523.0000000002CD6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://174.139.6.43:805/index.phpKP | rundll32.exe, 00000003.00000002.3421283523.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/%s2 | rundll32.exe, 00000003.00000002.3432902402.00000000077EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
174.139.6.44 | unknown | United States | 35908 | VPLSNETUS | true
174.139.6.43 | unknown | United States | 35908 | VPLSNETUS | true
174.139.6.42 | unknown | United States | 35908 | VPLSNETUS | true
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558490
Start date and time: 2024-11-19 14:20:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: b3sV534MMf.dll
renamed because original name is a hash value
Original Sample Name: 4135a80b786a0e4504e17352362e6ecc754b4ce5.dll
Detection: MAL
Classification: mal100.troj.spyw.evad.winDLL@42/10@3/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 35
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.42.73.29, 20.189.173.8
• Excluded domains from analysis (whitelisted): self-events-data.trafficmanager.net, onedscolprdwus07.westus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, self.events.data.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: b3sV534MMf.dll
Time | Type | Description
08:21:16 | API Interceptor | 1461010x Sleep call for process: rundll32.exe modified
08:21:23 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
08:23:31 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  202.108.0.52VqCbf9fhnQ.exeGet hashmaliciousUnknownBrowse
                  • blog.sina.com.cn/u/5655029807
                  k4F4uRTZZR.dllGet hashmaliciousUnknownBrowse
                  • blog.sina.com.cn/u/5655029807
                  5jme4p7u76.exeGet hashmaliciousUnknownBrowse
                  • blog.sina.com.cn/u/5655029807
                  107.163.56.110MYuRWuVXzX.dllGet hashmaliciousUnknownBrowse
                    81mieek02V.dllGet hashmaliciousUnknownBrowse
                      Vb1S2HJcnN.dllGet hashmaliciousUnknownBrowse
                        02hNixBIvP.exeGet hashmaliciousUnknownBrowse
                          abc.dllGet hashmaliciousUnknownBrowse
                            174.139.6.44MYuRWuVXzX.dllGet hashmaliciousUnknownBrowse
                              174.139.6.43MYuRWuVXzX.dllGet hashmaliciousUnknownBrowse
                                174.139.6.42MYuRWuVXzX.dllGet hashmaliciousUnknownBrowse
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  blogx.sina.com.cn33twe7X26S.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  MYuRWuVXzX.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  yKVQVNB2qI.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  gmqIbj35WF.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  81mieek02V.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  Vb1S2HJcnN.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  VqCbf9fhnQ.exeGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  k4F4uRTZZR.dllGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  http://zeuso.ccGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
                                  02hNixBIvP.exeGet hashmaliciousUnknownBrowse
                                  • 202.108.0.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 33twe7X26S.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 81mieek02V.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.mips.elf | malicious | Unknown | 111.193.177.206
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.x86.elf | malicious | Unknown | 60.194.199.155
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | hmips.elf | malicious | Mirai | 111.196.123.227
VPLSNETUS | MYuRWuVXzX.dll | malicious | Unknown | 174.139.6.42
VPLSNETUS | JwLT3elUtn.dll | malicious | Unknown | 98.126.40.18
VPLSNETUS | FaIJ2e7ZM4.dll | malicious | Unknown | 98.126.40.18
VPLSNETUS | 8cv7XxmqSG.dll | malicious | Unknown | 98.126.40.18
VPLSNETUS | 32YBHccuG9.dll | malicious | Unknown | 98.126.40.18
VPLSNETUS | xX1k6Ghe8s.elf | malicious | Mirai | 98.126.6.62
VPLSNETUS | i486.elf | malicious | Mirai | 174.139.206.64
VPLSNETUS | NoERE2024000013833.exe | malicious | AgentTesla | 74.119.238.7
VPLSNETUS | bin.sh.elf | malicious | Mirai | 174.139.206.51
VPLSNETUS | arm7.elf | malicious | Unknown | 98.126.6.24
TAKE2US | 33twe7X26S.dll | malicious | Unknown | 107.163.241.193
TAKE2US | MYuRWuVXzX.dll | malicious | Unknown | 107.163.56.110
TAKE2US | JwLT3elUtn.dll | malicious | Unknown | 107.163.43.161
TAKE2US | yKVQVNB2qI.dll | malicious | Unknown | 107.163.56.240
TAKE2US | 46PhJ3XpBT.dll | malicious | Unknown | 107.163.43.236
TAKE2US | 01JkTmNJhe.dll | malicious | Unknown | 107.163.43.235
TAKE2US | oQy3XhO4cX.dll | malicious | Unknown | 107.163.56.251
TAKE2US | gmqIbj35WF.dll | malicious | Unknown | 107.163.56.240
TAKE2US | Bcr1Wl2Jn0.dll | malicious | Unknown | 107.163.56.240
TAKE2US | OL50O9ho5M.dll | malicious | Unknown | 107.163.56.251
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:ISO-8859 text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):545
                                  Entropy (8bit):4.294829216447718
                                  Encrypted:false
                                  SSDEEP:12:8E2V6mEWfe1Vmb3xyE+QGJ03P2nIupppppppppA:8E2V6mEWm1V83AE+QGJ03P2nIupppppA
                                  MD5:20D452BA42B131C7715F2B70226BD18F
                                  SHA1:880D3D514C5B01C14952B5BE7E1204E3AFEFCB0B
                                  SHA-256:0817036301F37A595D703849942A72F38B1DFDF2AB58C27951D13E90AAB6116B
                                  SHA-512:68F97AF0DC1846F9C55DC2541E95C04613AF9D118397C8169B10D77FE7C3F8BC726B0852AB6D9C36BE1A76F731F34631C616D292FC1B6355C606761199FA1037
                                  Malicious:false
                                  Preview:..2024-11-21 11:24..iOffset....2024-11-22 06:22..iOffset....2024-11-23 02:00..iOffset....2024-11-23 21:38..iOffset....2024-11-24 19:11..iOffset....2024-11-25 17:09..iOffset....2024-11-27 14:20..iOffset....2024-11-28 16:18..iOffset....2024-12-01 08:49..iOffset....2024-12-03 00:52..iOffset....2024-12-05 01:05..iOffset....2024-12-10 08:01..iOffset....2024-12-20 16:52..iOffset....2024-12-26 05:35..iOffset....2034-07-21 19:56..iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset..
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9501327138575276
                                  Encrypted:false
                                  SSDEEP:192:qqihipwOg30BU/wjeTlW6ZYzuiFxZ24IO8dci:KhivgEBU/wjex7YzuiFxY4IO8dci
                                  MD5:270264767AA2E2A110A04B8DB4105F77
                                  SHA1:A4347646CCC49A3F98B12CC0CEC5E8A4C041A8FA
                                  SHA-256:7D89EA7B90743162C65B895E245ABBD37C84A944CBF1627991C580FA82BE5ABE
                                  SHA-512:D7ADC8F077853ECD7810DC93BC0A2A83447693216BAD8194EB7D6161E26D1F2C3C703A30FC5367E6BC294FC4F9517CC52F8135B43F5607C4714A29D64A9CD2EF
                                  Malicious:false
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.0.8.1.2.8.6.8.7.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.0.8.2.9.7.4.3.7.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.2.3.9.1.a.1.-.0.0.5.7.-.4.f.8.a.-.a.e.c.9.-.1.3.b.c.c.5.d.d.d.1.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.7.9.3.c.e.d.-.3.2.9.d.-.4.d.7.e.-.8.e.5.3.-.6.2.1.0.0.2.4.9.c.0.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.2.4.-.0.0.0.1.-.0.0.1.4.-.5.9.7.f.-.4.f.e.c.8.5.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.9500609877784236
                                  Encrypted:false
                                  SSDEEP:192:9pi8Or30BU/wjeTlWaZYzuiFWZ24IO8dci:ziNrEBU/wjexbYzuiFWY4IO8dci
                                  MD5:4C6B04F06633C067D289B35100D8BAAA
                                  SHA1:5BFFEF7DBF944566970BC9888EC8B87701DF9236
                                  SHA-256:A004B5E42082476FCA7A3424EC2BCB9B70921FC157C35DCEB79012B2B904DECE
                                  SHA-512:4760B70054FABDA11384CA3335FBB49C7BF718EA41903E658713A949854676D73F8C82FFEBDD847BF6A1B91A370346CCF4944B4C20FE835A03321700248DBA53
                                  Malicious:false
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.0.8.4.9.3.0.4.3.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.0.8.5.3.6.7.9.2.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.a.9.8.5.e.-.a.e.7.d.-.4.1.2.1.-.8.b.5.5.-.6.1.1.5.f.8.b.9.6.4.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.a.5.e.8.8.4.-.c.f.9.3.-.4.5.d.8.-.8.5.8.c.-.e.9.b.3.3.3.c.e.4.2.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.8.-.0.0.0.1.-.0.0.1.4.-.0.f.c.8.-.2.f.e.e.8.5.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:21:22 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):46060
                                  Entropy (8bit):1.972564757559395
                                  Encrypted:false
                                  SSDEEP:192:RvQFZwnXUXa+CO5H4z1LlRh5/pd7QozDDGEloY06:hSZwjK5Hy1Lld/pd7HDGEO6
                                  MD5:BAF4466F6321998663186A6524FF760E
                                  SHA1:5218022972D2E854DAADBF9E050A85784014EF79
                                  SHA-256:2F8FCDF10020075E8EF5A576CBA87416357C442ECF5DEBE62F5D16487446C72A
                                  SHA-512:52B11BB92A5E8F0BB56BAF2AE4FA9052385CDFC2EA4F004ADCBC28300495386577E11133A219C8E0C1D88679BEB6F07EF4C27A5F1532EF94D4ABCE731A492B0A
                                  Malicious:false
                                  Preview:MDMP..a..... ........<g........................................V/..........T.......8...........T...............$...........L...........8...............................................................................eJ..............GenuineIntel............T.......$....<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8274
                                  Entropy (8bit):3.6942061461833755
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJnMP6qo6Yr160gmfTZhprQ89bXFsf0j9m:R6lXJE6N6Yp60gmfTZxXefP
                                  MD5:A51F03B049C5228ED22954FABE755CD6
                                  SHA1:B651CE1129CE37FFB8916C9BC069C267E225B6B5
                                  SHA-256:8B4084F30E8FF212B0BC7E54F9B1B90CE9F3AC5BDAF516E7234B1E5D230A34E8
                                  SHA-512:914B99E53C3C9B0D4630EB8C7151A0D80394F4956FFED291E34BABB378C090A1BCB947743B8774DEDA21A1FBC087C6D8E7116C4A9428E5267672E436E95D308D
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.0.4.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4654
                                  Entropy (8bit):4.463009927202668
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsHJg77aI9WZWpW8VYWYm8M4JCdPSF++q8/A26A1GScSxd:uIjfpI7Yo7VCJGrA1J3xd
                                  MD5:7B505C43385EE48EC5109B1B7C19F506
                                  SHA1:C9CF2FC9CA77A1808619B767C8C70E1056674583
                                  SHA-256:07FB9834707E47BCA6595CB42E570BE96AFC22DAC71DDD69AD2C3755C1D50284
                                  SHA-512:FD068BEEC2A2E8648D7FDF16BE4404BDD837808AFA1964E7E6C4D4E5EED4A5BAA3DFAF79852C495DE0923A00F0B66C820382C5AAC4C7262A3D7BDD42FA9E0199
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:21:25 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):44538
                                  Entropy (8bit):2.0069766522026904
                                  Encrypted:false
                                  SSDEEP:192:iNAdFZwsMXUXablvO5H4TX9U6Mi/lIPeIY0c7g6hE6bG3:mATZwsKblm5HSX9ZMi/lI23nm
                                  MD5:28D25DE9B860D1C0B14D7BE24676F397
                                  SHA1:C3390136674262255AB8675BBD443AF056D1298C
                                  SHA-256:666A80C3A06C622E44E0865213724341CAAF20E96DFDE2E25490CE8493D688CB
                                  SHA-512:6F6940BF04974A76F6FDFA15E155FC9BAE003F2ECA23D59410AA4B4FDED0B3CE0FE8D6E3CACB2192AC0A5368E16D1EAD959BE4B5E9F9CFC922FEF94C928C5039
                                  Malicious:false
                                  Preview:MDMP..a..... ........<g........................................V/..........T.......8...........T...............Z...........L...........8...............................................................................eJ..............GenuineIntel............T............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8270
                                  Entropy (8bit):3.6953182307591685
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJd5666YTQ76j4gmfTZhprG89b4nsf3Im:R6lXJz666YM76j4gmfTZD4sfd
                                  MD5:E2231A98F039DEF343653301B29AE908
                                  SHA1:EB41FBCA7920926A1C59585AC23995A48FB11764
                                  SHA-256:83DB1AF00DBD0A6113C74CF8A56F9C39844D475D8AB7E6CB43ED14D20CD6B2B5
                                  SHA-512:92CA76D51DBAF91039A659E98D6ECFCB653D925D13CF7D5E0B3747DEC18B9A91F40668DE771EDA25AB4A2927CABDE529B5695E0690AD924068C2C26F3BE1EDDE
                                  Malicious:false
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.4.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4654
                                  Entropy (8bit):4.464471239442059
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsHJg77aI9WZWpW8VY6sYm8M4JCdPSFJ+q8/A0hGScS4d:uIjfpI7Yo7VrpJB8hJ34d
                                  MD5:4C752F3B6A4BBBDC90A4AA237199D9B2
                                  SHA1:4E9359D43A86AE1E7128532FDA0CC80BE431B96B
                                  SHA-256:14249EB5D5AE63A8C60287500F3A0B900F81799003DB7FBC696B777A7D86144C
                                  SHA-512:55C5DA7F9B23FA75D15ADF754B965342686B7C3B1B05CC63D17CE96B972D066F8E0BCEEE5B4266CE67BF5746298C019D2ED1D5C6327E596315F4899A4CC6DA94
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.4662622230137305
                                  Encrypted:false
                                  SSDEEP:6144:3IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:4XD94+WlLZMM6YFHT+G
                                  MD5:42761F45B343B66D08FE691F149A7CA3
                                  SHA1:84D545EDD2106185D343ED31CA85FABAC0AFBAA5
                                  SHA-256:8B7A626F126DD8293BAF806E2D72F2E900F907931B9C6C5C44D94FD9316E7486
                                  SHA-512:38194F46F7AAAA689537D04C5A782134163AB9A06EA51BF1C3D0CBC583DFFCB85A05A3926FE9E35CEB84F2D872BD9BDF3B0513E657E819089A634A93E8E55771
                                  Malicious:false
                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.6..:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows, PECompact2 compressed
                                  Entropy (8bit):6.5937427390560135
                                  TrID:
                                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                  • Generic Win/DOS Executable (2004/3) 0.20%
                                  • DOS Executable Generic (2002/1) 0.20%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:b3sV534MMf.dll
                                  File size:307'834 bytes
                                  MD5:28de8c856e847f8097131e502fc75d8d
                                  SHA1:4135a80b786a0e4504e17352362e6ecc754b4ce5
                                  SHA256:657ffa1f45c97cdda48a5c2ea95eecdfdfeae68d9aac937c120b0ab063ea6e87
                                  SHA512:2a3bafdcd8efeb511d4889f943648175513710f495af6408392752623d662ba98052e9b03a5fa70a6d5f36ddc0f4e7bf108721cc31171a722d4b3fa796171044
                                  SSDEEP:6144:NuezXQ8wsFPhmNsCBk5mizL5rC5rgRMLt6wVVNrBqFdEJRKgY:LzA8wsFPEsC+5dzL5rC5rgRML4wVVN8H
                                  TLSH:D9649E51337252F5D4DB0A32AE29EB2EE77064109CECDD52DF8315852CE344AFA9938B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................
                                  Icon Hash:7ae282899bbab082
                                  Entrypoint:0x1003c7e7
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x10000000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
                                  DLL Characteristics:
                                  Time Stamp:0x565E7E2A [Wed Dec 2 05:14:18 2015 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:e68f6ce4fad6e16f1060136013578ef2
                                  Instruction
                                  call 00007FE6305481D0h
                                  pushfd
                                  mov byte ptr [edi-01h], 00000000h
                                  lahf
                                  jmp 00007FE63054F146h
                                  lea esp, dword ptr [esp+2Ch]
                                  ja 00007FE63054AA2Ah
                                  clc
                                  push esi
                                  clc
                                  cmc
                                  imul edx, edx, 0000000Ah
                                  bt cx, 0006h
                                  call 00007FE63054EAB9h
                                  scasb
                                  cli
                                  jns 00007FE630549376h
                                  xchg eax, ebp
                                  or al, A3h
                                  outsd
                                  sub eax, 2E68A76Ah
                                  popad
                                  cmp esi, edi
                                  stosb
                                  arpl word ptr [edx+edx], sp
                                  cwde
                                  add byte ptr [ebx], dh
                                  mov ecx, F931ECB0h
                                  fcomp3 st(7)
                                  neg dword ptr [esi]
                                  push esp
                                  dec byte ptr [edi]
                                  outsd
                                  fild qword ptr [edi+7369282Eh]
                                  adc dword ptr [ebx-17h], edx
                                  xor dword ptr [esi], ebx
                                  dec eax
                                  imul dword ptr [edi+09B273BCh]
                                  retf 1D1Bh
                                  dec edi
                                  sbb dword ptr [edx-3751134Ch], esi
                                  mov ebx, 49984820h
                                  in eax, dx
                                  movsd
                                  fdecstp
                                  mov cl, 56h
                                  xlatb
                                  push ss
                                  iretd
                                  or byte ptr [ebx+62h], cl
                                  dec edx
                                  movsd
                                  cmpsd
                                  jbe 00007FE6305493F2h
                                  std
                                  jno 00007FE630549337h
                                  xor eax, 5EF4DB8Ah
                                  les esi, fword ptr [ebp-19CAF247h]
                                  clc
                                  sub ebp, edx
                                  inc ecx
                                  mov ebx, 26422BC8h
                                  push esi
                                  and eax, A755A9C5h
                                  fsubr dword ptr [ebp+47322F99h]
                                  xchg eax, esp
                                  mov dl, 5Dh
                                  enter 4489h, 24h
                                  and al, C6h
                                  inc esp
                                  and al, 08h
                                  inc esp
                                  mov byte ptr [esp], cl
                                  pushfd
                                  push dword ptr [esp]
                                  push dword ptr [esp+2Ch]
                                  retn 0030h
                                  adc dword ptr [ebx+00h], eax
                                  Programming Language:
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ C ] VS98 (6.0) build 8168
                                  • [C++] VS98 (6.0) build 8168
                                  • [RES] VS98 (6.0) cvtres build 1720
                                  • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4b4fc | 0x63 | .rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ba60 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x4e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0x16a0 | .text
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---- | --------------- | ------------ | -------- | --- | -------- | --------------- | --------- | ------- | ---------------
.text | 0x1000 | 0x4a000 | 0x49600 | a96619345afc837efb52794823a02534 | False | 0.624823653109029 | data | 6.591507115633169 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4b000 | 0x2000 | 0x1800 | 1bf51ba21035870b8724a79f96a556c7 | False | 0.794921875 | data | 6.804416992654808 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x4d000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
---- | --- | ---- | ---- | -------- | ------- | ---------------
RT_DIALOG | 0x4a000 | 0xb2 | data | English | United States | 0.7191011235955056
RT_DIALOG | 0x4a0b8 | 0xb2 | data | English | United States | 0.7191011235955056
RT_STRING | 0x4a170 | 0x2a2 | data | English | United States | 0.37388724035608306
RT_VERSION | 0x4b118 | 0x3d0 | data | English | United States | 0.4764344262295082
DLL | Import
--- | ------
MFC42.DLL |
MSVCRT.dll | memcpy
KERNEL32.dll | SetFilePointer
USER32.dll | wsprintfA
ADVAPI32.dll | AdjustTokenPrivileges
WS2_32.dll | htons
SHLWAPI.dll | StrStrIA
ole32.dll | CoInitializeSecurity
OLEAUT32.dll | SysFreeString
MSVCP60.dll | ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
NETAPI32.dll | Netbios
KERNEL32.dll | GetModuleFileNameW
KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
Name | Ordinal | Address
---- | ------- | -------
GetColor | 1 | 0x10008645
InputFile | 2 | 0x1000678b
PrintFile | 3 | 0x1000443d
Language of compilation system | Country where language is spoken | Map
------------------------------ | -------------------------------- | ---
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--------- | ----------- | --------- | --------- | -------
Nov 19, 2024 14:21:18.043709993 CET | 49738 | 803 | 192.168.2.4 | 174.139.6.44
Nov 19, 2024 14:21:18.109107018 CET | 49739 | 18530 | 192.168.2.4 | 107.163.56.110
Nov 19, 2024 14:21:19.047017097 CET | 49738 | 803 | 192.168.2.4 | 174.139.6.44
Nov 19, 2024 14:21:19.109510899 CET | 49739 | 18530 | 192.168.2.4 | 107.163.56.110
Nov 19, 2024 14:21:21.047030926 CET | 49738 | 803 | 192.168.2.4 | 174.139.6.44
Nov 19, 2024 14:21:21.109527111 CET | 49739 | 18530 | 192.168.2.4 | 107.163.56.110
Nov 19, 2024 14:21:25.062658072 CET | 49738 | 803 | 192.168.2.4 | 174.139.6.44
Nov 19, 2024 14:21:25.132925987 CET | 49739 | 18530 | 192.168.2.4 | 107.163.56.110
Nov 19, 2024 14:21:33.062710047 CET | 49738 | 803 | 192.168.2.4 | 174.139.6.44
Nov 19, 2024 14:21:33.140842915 CET | 49739 | 18530 | 192.168.2.4 | 107.163.56.110
Nov 19, 2024 14:21:40.082081079 CET | 49743 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:21:41.078468084 CET | 49743 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:21:43.078372955 CET | 49743 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:21:43.252254963 CET | 49744 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:43.252532005 CET | 49745 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:44.265870094 CET | 49745 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:44.265872002 CET | 49744 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:46.265880108 CET | 49745 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:46.265881062 CET | 49744 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:46.652245998 CET | 49746 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:47.078577995 CET | 49743 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:21:47.253612995 CET | 49747 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:47.364893913 CET | 49748 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:47.365425110 CET | 49749 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:48.265891075 CET | 49747 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:48.359642029 CET | 49749 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:48.375253916 CET | 49748 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:50.266021013 CET | 49747 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:50.359643936 CET | 49749 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:50.390896082 CET | 49748 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:51.258402109 CET | 49750 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:51.535480022 CET | 49751 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:51.536098957 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:52.265901089 CET | 49750 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:52.547167063 CET | 49751 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:52.547367096 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:54.265938997 CET | 49750 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:54.607287884 CET | 49751 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:54.607790947 CET | 49752 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:55.078434944 CET | 49743 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:21:55.267950058 CET | 49754 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:55.382906914 CET | 49755 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:55.383697033 CET | 49756 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:56.312813997 CET | 49754 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:56.390953064 CET | 49755 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:56.390964031 CET | 49756 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:58.406589031 CET | 49754 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:58.406588078 CET | 49755 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:58.406662941 CET | 49756 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:21:59.532591105 CET | 49758 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:59.649398088 CET | 49759 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:21:59.653146029 CET | 49760 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:00.547288895 CET | 49758 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:00.656625986 CET | 49760 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:00.703474998 CET | 49759 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:01.190318108 CET | 49761 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:02.203469992 CET | 49761 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:02.547250032 CET | 49758 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:02.656621933 CET | 49760 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:02.703485012 CET | 49759 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:03.673880100 CET | 49762 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:03.674550056 CET | 49763 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:03.676060915 CET | 49764 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:04.219088078 CET | 49761 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:04.694473982 CET | 49762 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:04.812853098 CET | 49763 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:04.812983990 CET | 49764 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:06.704320908 CET | 49762 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:06.812856913 CET | 49763 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:06.813098907 CET | 49764 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:07.673007965 CET | 49765 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:07.787035942 CET | 49767 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:07.789345980 CET | 49768 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:08.234750986 CET | 49761 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:08.672230005 CET | 49765 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:08.797277927 CET | 49767 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:08.797281981 CET | 49768 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:10.687927961 CET | 49765 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:10.797385931 CET | 49767 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:10.797610044 CET | 49768 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:11.691502094 CET | 49769 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:11.803848982 CET | 49770 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:11.804934025 CET | 49771 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:12.687882900 CET | 49769 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:12.812922001 CET | 49770 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:12.812922001 CET | 49771 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:14.687899113 CET | 49769 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:14.812908888 CET | 49770 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:14.812908888 CET | 49771 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:15.689158916 CET | 49773 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:15.823456049 CET | 49774 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:15.824022055 CET | 49775 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:16.234893084 CET | 49761 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:16.703532934 CET | 49773 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:16.828531981 CET | 49774 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:16.828658104 CET | 49775 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:18.719187975 CET | 49773 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:18.844171047 CET | 49774 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:18.844422102 CET | 49775 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:19.755863905 CET | 49776 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:19.869724035 CET | 49777 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:19.869975090 CET | 49778 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:20.766108036 CET | 49776 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:20.875413895 CET | 49778 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:20.875413895 CET | 49777 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:22.347388029 CET | 49779 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:22.766118050 CET | 49776 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:22.891022921 CET | 49778 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:22.891022921 CET | 49777 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:23.359796047 CET | 49779 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:23.788973093 CET | 49780 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:23.896883965 CET | 49781 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:23.897645950 CET | 49782 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:24.781688929 CET | 49780 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:24.906667948 CET | 49781 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:24.906667948 CET | 49782 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:25.375446081 CET | 49779 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:26.781694889 CET | 49780 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:26.908896923 CET | 49781 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:26.922377110 CET | 49782 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:27.782551050 CET | 49789 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:27.899569035 CET | 49790 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:27.901606083 CET | 49791 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:28.797382116 CET | 49789 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:28.891063929 CET | 49790 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:28.891149044 CET | 49791 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:29.375475883 CET | 49779 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:30.812959909 CET | 49789 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:30.906727076 CET | 49790 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:30.906770945 CET | 49791 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:31.798799038 CET | 49793 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:31.933974981 CET | 49794 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:31.936225891 CET | 49795 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:32.797346115 CET | 49793 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:32.937966108 CET | 49794 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:32.938004017 CET | 49795 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:34.797346115 CET | 49793 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:34.937966108 CET | 49794 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:34.938014984 CET | 49795 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:35.814255953 CET | 49796 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:35.933948040 CET | 49797 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:35.939815044 CET | 49798 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:36.828588009 CET | 49796 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:36.922354937 CET | 49797 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:36.937979937 CET | 49798 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:37.391107082 CET | 49779 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:38.828592062 CET | 49796 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:38.923222065 CET | 49797 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:38.937994003 CET | 49798 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:39.830739975 CET | 49800 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:39.943835974 CET | 49801 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:39.945286989 CET | 49802 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:40.844254017 CET | 49800 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:40.953623056 CET | 49802 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:40.953670025 CET | 49801 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:42.859869003 CET | 49800 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:42.953681946 CET | 49801 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:42.969317913 CET | 49802 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:43.518017054 CET | 49803 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:43.860842943 CET | 49804 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:44.346401930 CET | 49805 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:44.348786116 CET | 49806 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:44.531785011 CET | 49803 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:44.875524044 CET | 49804 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:45.359916925 CET | 49805 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:45.359961033 CET | 49806 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:46.547421932 CET | 49803 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:46.875504971 CET | 49804 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:47.359935045 CET | 49806 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:47.359935045 CET | 49805 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:47.861368895 CET | 49812 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:47.986105919 CET | 49813 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:48.312623978 CET | 49814 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:48.875562906 CET | 49812 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:49.000534058 CET | 49813 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:49.313018084 CET | 49814 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:50.563422918 CET | 49803 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:50.875546932 CET | 49812 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:51.016174078 CET | 49813 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:51.313059092 CET | 49814 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:51.877054930 CET | 49815 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:51.994679928 CET | 49816 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:52.012778044 CET | 49817 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:52.891268969 CET | 49815 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:52.984940052 CET | 49816 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:53.016176939 CET | 49817 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:54.906857967 CET | 49815 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:54.984945059 CET | 49816 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:55.031802893 CET | 49817 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:55.892921925 CET | 49818 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:56.006154060 CET | 49819 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:56.007213116 CET | 49820 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:56.906794071 CET | 49818 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:57.016304016 CET | 49819 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:57.016432047 CET | 49820 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:58.578743935 CET | 49803 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:22:58.906861067 CET | 49818 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:59.016277075 CET | 49820 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:22:59.016486883 CET | 49819 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:22:59.910170078 CET | 49823 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:00.020482063 CET | 49824 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:00.021430016 CET | 49825 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:00.922462940 CET | 49823 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:01.031882048 CET | 49825 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:01.034564972 CET | 49824 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:02.938076973 CET | 49823 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:03.047446966 CET | 49825 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:03.047549963 CET | 49824 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:03.909010887 CET | 49828 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:04.055325031 CET | 49829 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:04.056952953 CET | 49830 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:04.689764023 CET | 49831 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:04.922575951 CET | 49828 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:05.047468901 CET | 49829 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:05.063086987 CET | 49830 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:05.813116074 CET | 49831 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:06.922611952 CET | 49828 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:07.110605001 CET | 49830 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:07.235358000 CET | 49829 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:07.813091040 CET | 49831 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:08.055629969 CET | 49832 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:08.056571007 CET | 49833 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:08.056895971 CET | 49834 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:09.219501019 CET | 49834 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:09.219608068 CET | 49832 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:09.219669104 CET | 49833 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:10.679543972 CET | 49835 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:10.679543972 CET | 49836 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:10.680649996 CET | 49837 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:11.735001087 CET | 49835 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:11.735019922 CET | 49836 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:11.735019922 CET | 49837 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:11.895657063 CET | 49831 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:13.734982014 CET | 49835 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:13.734997034 CET | 49836 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:13.734997988 CET | 49837 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:14.811294079 CET | 49838 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:14.811691999 CET | 49839 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:14.812732935 CET | 49840 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:15.828783035 CET | 49838 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:15.828778028 CET | 49840 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:15.906874895 CET | 49839 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:17.909171104 CET | 49839 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:17.922538042 CET | 49840 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:17.922542095 CET | 49838 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:18.879826069 CET | 49841 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:19.144808054 CET | 49843 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:19.324598074 CET | 49844 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:19.906924009 CET | 49831 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:20.031896114 CET | 49841 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:20.219415903 CET | 49843 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:20.406887054 CET | 49844 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:22.032097101 CET | 49841 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:22.313294888 CET | 49843 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:22.516294003 CET | 49844 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:22.907874107 CET | 49845 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:22.992968082 CET | 49846 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:23.024702072 CET | 49847 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:24.018640995 CET | 49845 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:24.031920910 CET | 49846 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:24.031920910 CET | 49847 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:26.016294003 CET | 49845 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:26.018054962 CET | 49848 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:26.031910896 CET | 49846 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:26.032002926 CET | 49847 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:26.924649000 CET | 49849 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:27.048959017 CET | 49850 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:27.053303957 CET | 49851 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:27.100670099 CET | 49848 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:28.031930923 CET | 49849 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:28.235040903 CET | 49850 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:28.235166073 CET | 49851 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:29.219448090 CET | 49848 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:30.032660961 CET | 49849 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:30.235071898 CET | 49850 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:30.235071898 CET | 49851 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:30.927350998 CET | 49852 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:31.041491985 CET | 49853 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:31.043530941 CET | 49854 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:32.031994104 CET | 49852 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:32.219455004 CET | 49853 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:32.219455004 CET | 49854 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:33.219695091 CET | 49848 | 3204 | 192.168.2.4 | 174.139.6.42
Nov 19, 2024 14:23:34.034806013 CET | 49852 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:34.219439983 CET | 49853 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:34.238692045 CET | 49854 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:34.933223009 CET | 49857 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:35.061311007 CET | 49858 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:35.061567068 CET | 49859 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:36.016367912 CET | 49857 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:36.235090971 CET | 49858 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:36.235090971 CET | 49859 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:38.016365051 CET | 49857 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:38.328840971 CET | 49858 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:38.328970909 CET | 49859 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:39.108556986 CET | 49860 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:39.111231089 CET | 49861 | 80 | 192.168.2.4 | 202.108.0.52
Nov 19, 2024 14:23:39.112771034 CET | 49862 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:40.219491959 CET | 49860 | 805 | 192.168.2.4 | 174.139.6.43
Nov 19, 2024 14:23:40.219491959 CET | 49861 | 80 | 192.168.2.4 | 202.108.0.52
                                  Nov 19, 2024 14:23:40.235111952 CET49862805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:41.219506979 CET498483204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:23:42.219486952 CET49860805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:42.219486952 CET4986180192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:42.328857899 CET49862805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:43.133724928 CET49864805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:43.244712114 CET49865805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:43.245973110 CET4986680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:44.219487906 CET49864805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:44.330220938 CET4986680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:44.407018900 CET49865805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:46.219691992 CET49864805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:46.328850985 CET4986680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:46.487813950 CET49865805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:47.142712116 CET49867805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:47.259228945 CET49868805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:47.259228945 CET4986980192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:47.340723038 CET498703204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:23:48.220505953 CET49867805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:48.328883886 CET498703204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:23:48.354809046 CET49868805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:48.354866982 CET4986980192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:50.219502926 CET49867805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:50.329339981 CET498703204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:23:50.407031059 CET49868805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:50.407114983 CET4986980192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:51.160871983 CET49871805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:51.276133060 CET49872805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:51.858613968 CET4987380192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:52.205133915 CET49871805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:52.313324928 CET49872805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:53.016411066 CET4987380192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:54.219526052 CET49871805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:54.328885078 CET498703204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:23:54.370300055 CET49872805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:55.181091070 CET49874805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:55.400453091 CET49875805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:55.402904987 CET4987680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:56.219517946 CET49874805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:56.490305901 CET49875805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:56.490335941 CET4987680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:58.219543934 CET49874805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:58.610158920 CET49875805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:58.610256910 CET4987680192.168.2.4202.108.0.52
                                  Nov 19, 2024 14:23:59.192003012 CET49877805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:23:59.310776949 CET49879805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:00.219593048 CET49877805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:00.328912973 CET49879805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:02.219551086 CET49877805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:02.422688007 CET498703204192.168.2.4174.139.6.42
                                  Nov 19, 2024 14:24:02.422699928 CET49879805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:03.330281973 CET49881805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:03.332714081 CET49882805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:04.328973055 CET49882805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:04.328963041 CET49881805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:06.328938007 CET49881805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:06.328944921 CET49882805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:10.330240011 CET49881805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:10.330290079 CET49882805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:18.344631910 CET49881805192.168.2.4174.139.6.43
                                  Nov 19, 2024 14:24:18.344660997 CET49882805192.168.2.4174.139.6.43
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Nov 19, 2024 14:21:46.303427935 CET | 64871 | 53 | 192.168.2.4 | 1.1.1.1
                                  Nov 19, 2024 14:21:46.649912119 CET | 53 | 64871 | 1.1.1.1 | 192.168.2.4
                                  Nov 19, 2024 14:22:47.991146088 CET | 61214 | 53 | 192.168.2.4 | 1.1.1.1
                                  Nov 19, 2024 14:22:48.311491966 CET | 53 | 61214 | 1.1.1.1 | 192.168.2.4
                                  Nov 19, 2024 14:23:51.278502941 CET | 64785 | 53 | 192.168.2.4 | 1.1.1.1
                                  Nov 19, 2024 14:23:51.823559046 CET | 53 | 64785 | 1.1.1.1 | 192.168.2.4
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Nov 19, 2024 14:21:46.303427935 CET | 192.168.2.4 | 1.1.1.1 | 0x6529 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                  Nov 19, 2024 14:22:47.991146088 CET | 192.168.2.4 | 1.1.1.1 | 0xd317 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                  Nov 19, 2024 14:23:51.278502941 CET | 192.168.2.4 | 1.1.1.1 | 0xe4c7 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Nov 19, 2024 14:21:46.649912119 CET | 1.1.1.1 | 192.168.2.4 | 0x6529 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
                                  Nov 19, 2024 14:21:46.649912119 CET | 1.1.1.1 | 192.168.2.4 | 0x6529 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
                                  Nov 19, 2024 14:22:48.311491966 CET | 1.1.1.1 | 192.168.2.4 | 0xd317 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
                                  Nov 19, 2024 14:22:48.311491966 CET | 1.1.1.1 | 192.168.2.4 | 0xd317 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false
                                  Nov 19, 2024 14:23:51.823559046 CET | 1.1.1.1 | 192.168.2.4 | 0xe4c7 | No error (0) | blog.sina.com.cn | blogx.sina.com.cn | | CNAME (Canonical name) | IN (0x0001) | false
                                  Nov 19, 2024 14:23:51.823559046 CET | 1.1.1.1 | 192.168.2.4 | 0xe4c7 | No error (0) | blogx.sina.com.cn | | 202.108.0.52 | A (IP address) | IN (0x0001) | false


                                  Target ID:0
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\loaddll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:loaddll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll"
                                  Imagebase:0x840000
                                  File size:126'464 bytes
                                  MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:1
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,GetColor
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",#1
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:08:21:14
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x670000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:08:21:17
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,InputFile
                                  Imagebase:0x800000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:08:21:20
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe C:\Users\user\Desktop\b3sV534MMf.dll,PrintFile
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:08:21:21
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 672
                                  Imagebase:0xc30000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:13
                                  Start time:08:21:23
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:14
                                  Start time:08:21:23
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",InputFile
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:15
                                  Start time:08:21:23
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:rundll32.exe "C:\Users\user\Desktop\b3sV534MMf.dll",PrintFile
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:16
                                  Start time:08:21:24
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:18
                                  Start time:08:21:24
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:19
                                  Start time:08:21:24
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 668
                                  Imagebase:0xc30000
                                  File size:483'680 bytes
                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:20
                                  Start time:08:21:24
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x670000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:24
                                  Start time:08:21:46
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:25
                                  Start time:08:21:46
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:26
                                  Start time:08:21:47
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:27
                                  Start time:08:21:47
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x670000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:28
                                  Start time:08:21:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\b3sV534MMf.dll",GetColor
                                  Imagebase:0xac0000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:29
                                  Start time:08:21:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                  Imagebase:0x240000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:30
                                  Start time:08:21:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:31
                                  Start time:08:21:55
                                  Start date:19/11/2024
                                  Path:C:\Windows\SysWOW64\PING.EXE
                                  Wow64 process (32bit):true
                                  Commandline:ping 127.0.0.1 -n 3
                                  Imagebase:0x670000
                                  File size:18'944 bytes
                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true
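The cmd.exe child above (Target 29) is the report's "Uses ping.exe to sleep" signature in practice: ping against loopback with -n 3 blocks for roughly two seconds, then rd /s /q removes the directory the sample was loaded from. The following is an added detection example for this report, not code from the sample or from Joe Sandbox. It splits a cmd.exe chain on the operators outside quotes, recognises a loopback ping as a delay, and flags any destructive command that follows it in the same chain. The SAMPLE_EVENTS records are constructed for the example (only the first mirrors the report's command line), and all function names are my own.

```python
"""Flag cmd.exe command lines that use ping against loopback as a sleep and then
run a destructive command, the pattern in Target 29 of this report:
    cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\\Users\\user\\Desktop"
Added example for this report; not code from the sample or from Joe Sandbox.
SAMPLE_EVENTS are constructed process-creation records, not the report's log."""
import re

# Strip a leading `cmd.exe /c` (quoted or not, /c or /k) so only the chain remains.
CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def split_cmd_chain(cmdline):
    """Split on the cmd.exe operators & && | || that are outside double quotes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch in "&|" and not in_quote:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:  # && or ||
                i += 1
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def ping_sleep_seconds(step):
    """Return the approximate delay a loopback ping produces, or None if `step`
    is not one. ping.exe sends -n requests (default 4) one second apart, so
    `ping 127.0.0.1 -n 3` blocks for about two seconds."""
    toks = step.split()
    if not toks or toks[0].lower() not in ("ping", "ping.exe"):
        return None
    if not any(t.lower() in LOOPBACK for t in toks[1:]):
        return None
    count = 4
    for i, t in enumerate(toks):
        if t.lower() == "-n" and i + 1 < len(toks) and toks[i + 1].isdigit():
            count = int(toks[i + 1])
    return max(count - 1, 0)


def is_destructive(step):
    """rd/rmdir with /s /q, or del/erase."""
    toks = [t.lower() for t in step.split()]
    if not toks:
        return False
    if toks[0] in ("rd", "rmdir"):
        return "/s" in toks and "/q" in toks
    return toks[0] in ("del", "erase")


def find_ping_sleep_delete(cmdline):
    """Return (delay_seconds, destructive_step) for every loopback ping that is
    followed later in the same chain by a destructive command."""
    steps = split_cmd_chain(CMD_PREFIX.sub("", cmdline))
    hits = []
    for i, step in enumerate(steps):
        delay = ping_sleep_seconds(step)
        if delay is None:
            continue
        hits.extend((delay, later) for later in steps[i + 1:] if is_destructive(later))
    return hits


# Constructed records; the first mirrors the report's Target 29 command line.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"'},
    {"id": 2, "cmdline": r'cmd.exe /c ping -n 2 127.0.0.1 > nul & del /f /q "C:\Temp\dropper.exe"'},
    {"id": 3, "cmdline": r"cmd.exe /c ping 8.8.8.8 -n 3"},
    {"id": 4, "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir "C:\Users\a & b"'},
]


def triage(events):
    """Run the check over process-creation records; returns one alert per hit."""
    alerts = []
    for ev in events:
        for delay, step in find_ping_sleep_delete(ev["cmdline"]):
            alerts.append({"id": ev["id"], "delay_s": delay, "then": step})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The quote-aware split matters: record 4 carries an ampersand inside a quoted path and must not be split, while record 2 uses `-n` before the address, so the parser reads tokens rather than a fixed word order. Ping redirected to nul, or `timeout` in place of ping, are the obvious variants to cover next.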


                                    Execution Graph

                                    Execution Coverage:4.5%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:1.1%
                                    Total number of Nodes:268
                                    Total number of Limit Nodes:11
execution_graph (the interactive node/edge dump, rendered here as the call chains it encodes; graph node ids dropped, function addresses and API names kept as shown):
• 10007101 → 10007118 loop: Sleep (100071a6); wsprintfA (100071f7) → 1000570f; 10005c4c; 10003ef4 (wvsprintfA); 100061bd
• 10005c4c: 10003ef4 wvsprintfA → 10003f72 PathFileExistsA → 10004015 CreateFileA → 10004035 ReadFile → 10003f92 CloseHandle → 10003f7d StrStrIA → return to 10007118
• 100061bd: 10003f0a InternetOpenA → 10003f24 InternetOpenUrlA → 1000621f loop: 10003f41 InternetReadFile → 1000626c: 10003f92 CloseHandle → 10006276: 10003f58 InternetCloseHandle → 10006216: 10003f58 InternetCloseHandle → return to 10007118 (10006210 takes a third 10003f58 InternetCloseHandle path)
• 1000570f: 10005724 wsprintfA → 10005318 → 10005776 wsprintfA wsprintfA → 1002ac12 → 100057da PrintFile → 10005802 → 1000581f CreateThread → 10005620: 1000564e ctype → 100053b7 / 100053c4 loop over 10005416 wsprintfA, 1000545e wsprintfA, 100054b3 wsprintfA, 100054d0 PrintFile, 10005520 rand rand rand rand rand, 10005579 wsprintfA, 100055a9 Sleep → 100055e0 → 100056f3 ctype
• 10006dc4: 10003ef4 wvsprintfA (10006e8f, twice) → 10006290: 10003f0a InternetOpenA → 10003f24 InternetOpenUrlA → 100062c4 / 100062d4: 10003f58 InternetCloseHandle (twice) → 100062da → 10006ec4
• 10008567 Sleep → 1000858a → 100061bd (5 API calls) → 100085b1 → 100085ba Sleep (self-loop) / 100085c3 → 100085df wsprintfA → 10006840 → 1000685e → 10028534 (→ 1002b64e) → 1002853a → 1003748f → 100381ac → 10037498 CreateThread → 1003749d
• 10005de7: 1000409d RegQueryValueExA → 10005e16 → 10004092 RegCloseKey → 10005e1e → 10003ef4 wvsprintfA → 10005e89
• 10005eaa → 10005edb → 10003ef4 wvsprintfA → 10005ee1
• 100044ad → 100044ca → 100044d9 GetExtendedUdpTable → 100044ef → 10004509 GetExtendedUdpTable / 10004504
• 100064d5 (entry via 100064d8 or 10006461): 100064e9 wsprintfA → 10006508 → 10003f0a InternetOpenA → 1000652b → 10003f24 InternetOpenUrlA → 1000654b → 10006559 ctype loop: 100065bf MultiByteToWideChar, 100065d7 MultiByteToWideChar, 10003f41 InternetReadFile → 10006647 → 100066df wsprintfA / 100066b0 ctype → 100066d0
• 10006ed6 → 10006cf7: 10003ff7 GetShortPathNameA → 10006d32 → 1000406c RegCreateKeyExA → 10006d60 wsprintfA → 10006d9a → 100040d4 RegSetValueExA → 10006db3 → 10004092 RegCloseKey → 10006dbe
• 10008417 → 1000838e Sleep → 10008303 loop: 10005c4c (6 API calls), 10003ef4 wvsprintfA, 100061bd (5 API calls) → 1000839f → 100083df wsprintfA / 100083ef → 1000720e → 10007218 → 1000726f / 1000756c / 10007a62 (→ 1000504d MultiByteToWideChar) → 1000504d (→ 100050f5 → 1000d0ae → 1000d0d6 MultiByteToWideChar) → 100072b4 → 10007ccb (→ 1000504d MultiByteToWideChar) → 100072fb → 1000731d SafeArrayCreate VariantInit SafeArrayCreate VariantInit → 10007392 → 100073cb → 10007404 → 100074a5 → 100074ca → 100074d9 SafeArrayCreate → 10007519 → 1000752f → 1000756c (each step passing through 1000504d MultiByteToWideChar)
• 100087b7 → 10004482 → 1000448d → 100040ba RegOpenKeyExA → 100044a4 → 100087c0 Sleep CreateThread Sleep CreateThread → 100087e6 Sleep / 10006a6e: 10006a82 → 10003ece CreateMutexA → 10006aa3 GetLastError → 10006b0b / 10006ab4 → 10006ae1 CreateThread, 10006ad8 Sleep (loop), 10006499 → 100064e9 wsprintfA → the same InternetOpenA / InternetOpenUrlA / InternetReadFile / MultiByteToWideChar chain as 100064d5 → 100066d0 → return to 10006ab4
• 100019b7 → 100019bc → 1002bab6 → 1002babb → 1002bac0 Sleep → 10033b63
• 100081f7 → 10008200 loop: 10007f3e (9 API calls), 1000825f Sleep, 1000400a GetDriveTypeA
• 100084bb → 10008465 → 10008557 Sleep (loop) / 1000858c → 100061bd (5 API calls) → 100085b1 → 100085c3 / 100085ba Sleep (self-loop) → 100085df wsprintfA → 10006840 CreateThread → 10008602
• 10006ede → 10006eeb loop: 1000591c lstrcmpiA CloseHandle CreateToolhelp32Snapshot Process32First Process32Next; 10006f1f Sleep → 10006f2c loop: 10005c4c (6 API calls), 10003ef4 wvsprintfA, 100061bd (5 API calls), 10007053 Sleep, 10007092 wsprintfA, 100070c8 PrintFile PrintFile
• 10006b1f → 10006b3c → 10003ece CreateMutexA → 10006b50 GetLastError → 10006b90 / 10006b61 CreateThread → 10006b7c → 10006b83 Sleep → back to 10006b61

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %s\%s$*.*$.$12021651$174.139.6.43:805/index.php$L2ltYWdlLnBocA==$NPKI$P
                                    • API String ID: 0-3152428263
                                    • Opcode ID: e83cbb7ce683d5171164fb005deed9e300ede837ebf357770279583dc42bb93f
                                    • Instruction ID: afc7814580d48a7676e1bb84efd507c43e14b796dcde495971179b2b3bbe2c4c
                                    • Opcode Fuzzy Hash: e83cbb7ce683d5171164fb005deed9e300ede837ebf357770279583dc42bb93f
                                    • Instruction Fuzzy Hash: 87718F7690425DBEEB51D7A4DC45FEEB7BCEF48290F1004E6E608E6041EB749B898F21

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 12021651$C:\Users\user\Desktop$C:\Users\user\Desktop\b3sV534MMf.dll$\\.\PHYSICALDRIVE%d
                                    • API String ID: 0-1713663353
                                    • Opcode ID: e0116ed2b988a9dc7d34c9a1f1eefb8bfd1d5af49d1360a5db21c19b3a86c223
                                    • Instruction ID: 0f2a881c0ba3978bc0576c9cf3dbb33b30f55d0b098a5ea06b62feb8b8cf0b11
                                    • Opcode Fuzzy Hash: e0116ed2b988a9dc7d34c9a1f1eefb8bfd1d5af49d1360a5db21c19b3a86c223
                                    • Instruction Fuzzy Hash: D931D0B65401187EF715D6A0DD82FFF336CEB01294F104265FA54AA0C1EA78AF0A87B5
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 3332741929-0
                                    • Opcode ID: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                    • Instruction ID: ca46abfd3f4ae67059df7024880e3d5c8c44562ed1dec37196b9e10746ab925e
                                    • Opcode Fuzzy Hash: 1e956e5b503a472c93e19a4642fd5130f6607d7bc175f230498bf039bbf47dc4
                                    • Instruction Fuzzy Hash: D5A00136408212ABDA42AB50CD48D4AFFA2BBA8781F02C819F19980034CB32C5A5EB12
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cff75e7fe589ecd24971b98b24c5b9315f543cd1c40e81c60cd2a41a51bcc4e6
                                    • Instruction ID: 493b1b29979d5d8ed0c3f261c20b4ca22d9c43e3e0870ceab011e7372302cd5e
                                    • Opcode Fuzzy Hash: cff75e7fe589ecd24971b98b24c5b9315f543cd1c40e81c60cd2a41a51bcc4e6
                                    • Instruction Fuzzy Hash: 2EF0366229E3C26DE31287285841BD6FF956B76314F0CDBCDB1D81B283C1A584D8C7B6

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(0000EA60), ref: 10006F24
                                    • Sleep.KERNEL32 ref: 10007059
                                    • wsprintfA.USER32 ref: 1000709D
                                    • PrintFile.B3SV534MMF(00000000,?,00000000), ref: 100070D6
                                    • PrintFile.B3SV534MMF(00000000,?,00000000,?,00000000), ref: 100070E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: FilePrintSleep$wsprintf
                                    • String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://174.139.6.43:805/index.php$iOffset
                                    • API String ID: 1547040302-151153007
                                    • Opcode ID: 6b3fb956b1b31f50ccfb7c7703921a19242a907f830c663297b5379c06271bd6
                                    • Instruction ID: 8dfa040b4042d5a949b98b170938a078f1726f0d921d1e03628392f43cd5410d
                                    • Opcode Fuzzy Hash: 6b3fb956b1b31f50ccfb7c7703921a19242a907f830c663297b5379c06271bd6
                                    • Instruction Fuzzy Hash: EA51D9B6D04359BAF722D760CC56FCF77ACEB083C1F2045A5F208E6086DA75AB808E55

                                    Control-flow Graph

                                    control_flow_graph for 100064d5 (basic-block dump of the interactive graph, rendered as a block list; the page's Executed / Not Executed colouring does not survive in the text):
                                    • 100064d5-100064d6 → 10006461-1000646c (call 10021426 at 1000646d; 10006472-1000647c call 100217b0 → 10006481-10006484 → 10006486-10006490 call 1002b8db / 10006492 → 10006494-10006498) or 100064d8-100064d9 (call 1000ccec at 100064da)
                                    • 100064df-10006530: call 10001000, wsprintfA, call 1000cc9e, call 1000ccec, call 10003f0a → 10006536-10006546 call 10003f24, or 1000677e-10006780 → 100066d0-100066de (exit)
                                    • 1000654b-10006553 → exit, or 10006559-1000658a: call 1003440f, call 1000ccf2, call 10033159 → 1000658f-100065b0: call 1000ccec, call 10003f41 → 100065b6-100065b9 → 100065bf-10006642: MultiByteToWideChar, call 1000cc9e, MultiByteToWideChar, call 1002340c, call 1000cc9e, call 1002fbca, call 1000cc98, call 1000ccf2, call 10020080, call 1000cc98 → back to 1000658f (read loop)
                                    • 10006647-1000669c: call 1000ccf2, call 1002f3bd, call 1000ccf2, call 10027437, call 1003585c → 1000669e or 100066a4-100066ae call 1000ccf2 → 100066b0-100066cd: call 10033c47, call 1001dc34 → 100066d0-100066de; or 100066df-100066fa: wsprintfA, call 1000ccf2 → 100066fc-100066fe loop (10006700-10006706 → 10006708-10006716 / 10006718 → 1000671b-1000671f → 100066fc) → 10006721-10006737: call 1000cc98, call 10023250 → 10006739-1000675d: call 1002a534, call 1002f6c2 → 10006761-10006779: call 1002b4c2, call 1002dbd9 → 1000677e-10006780 → exit
                                    APIs
                                    • wsprintfA.USER32 ref: 100064F7
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                      • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                      • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,?,00000000,10017B8C,00000000), ref: 100065C8
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,00000000,?,?,?,000000FF,?,?,?,?,?,00000000,10017B8C), ref: 100065E6
                                    • wsprintfA.USER32 ref: 100066E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                    • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                    • API String ID: 4077377486-2496724313
                                    • Opcode ID: 3cf509de175d1bafa7ecc4d4b79c9f88d87fe85883615ef4302368c40025d449
                                    • Instruction ID: a3645680fa3df20bd134621aa3cc8f71b16a9f1173e4a3834ed7d3f1afc37bd0
                                    • Opcode Fuzzy Hash: 3cf509de175d1bafa7ecc4d4b79c9f88d87fe85883615ef4302368c40025d449
                                    • Instruction Fuzzy Hash: 0981E1B6801218BEFB01DBA4DC82EFF7B6DDF05394F244159F904BB186DA356E4187A1

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                      • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                    • wsprintfA.USER32 ref: 10006D88
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006DAE
                                      • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,10015738,?,?,10006DB3,?,10015738,00000000,00000001,?,00000001,?), ref: 100040E9
                                      • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
                                    • String ID: %s "%s",GetColor$C:\Users\user\Desktop\b3sV534MMf.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
                                    • API String ID: 1762869224-566355842
                                    • Opcode ID: c596956d60ca18c86f8c347a2a9999c70d74b52254da84de320ef44d1e342eb9
                                    • Instruction ID: fc49ecc0cde6da7ef2fb6a4f98208201b60ef311f6de46faaa851482017432d5
                                    • Opcode Fuzzy Hash: c596956d60ca18c86f8c347a2a9999c70d74b52254da84de320ef44d1e342eb9
                                    • Instruction Fuzzy Hash: 021182B694421CBEFB11D7A4DC86FEA776CEB14354F1004A1F704B9085DAB16FD88AA4

                                    Control-flow Graph

                                    APIs
                                    • wsprintfA.USER32 ref: 100064F7
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                      • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                      • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,?,?,?,?,?,00000000,10017B8C,00000000), ref: 100065C8
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,?,?,000000FF,00000000,?,?,?,000000FF,?,?,?,?,?,00000000,10017B8C), ref: 100065E6
                                    • wsprintfA.USER32 ref: 100066E9
                                    Strings
                                    • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000651A
                                    • aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, xrefs: 100064DF
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
                                    • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==
                                    • API String ID: 4077377486-782189213

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep$wsprintf
                                    • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log$wINsTA0\dEFauLT
                                    • API String ID: 3195947292-2583752392

                                    Control-flow Graph

                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: 127.0.0.1$8.8.8.8$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://174.139.6.43:805/index.php
                                    • API String ID: 1749205058-3980729192

                                    Control-flow Graph

                                    APIs
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                      • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(?,?,?,?,?,?), ref: 100040B2
                                      • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CloseFormatQueryTimeValue___crt
                                    • String ID: %u MB$12021651$@$ProcessorNameString
                                    • API String ID: 271660946-1881400266

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(000927C0), ref: 100087C5
                                    • CreateThread.KERNEL32(?,?,Function_00006A6E), ref: 100087D1
                                    • Sleep.KERNEL32(00001388,?,?,Function_00006A6E), ref: 100087D8
                                    • CreateThread.KERNEL32(?,?,1000841C,?,?,?,?,?,Function_00006A6E), ref: 100087E4
                                    • Sleep.KERNEL32(000000FF), ref: 100087E8
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep$CreateThread
                                    • String ID:
                                    • API String ID: 3220764680-0

                                    Control-flow Graph

                                    APIs
                                    • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,GetExtendedUdpTable,00000000,iphlpapi.dll), ref: 100044E9
                                    • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,?,00000000,GetExtendedUdpTable,00000000,iphlpapi.dll), ref: 10004513
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: ExtendedTable
                                    • String ID: GetExtendedUdpTable$iphlpapi.dll
                                    • API String ID: 2407854163-1809394930

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    • GetLastError.KERNEL32 ref: 10006AA8
                                      • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                      • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                    • Sleep.KERNEL32(0002BF20,00000000,00000000,?,00000000,000000FF,?,?,1000687E,00000000), ref: 10006ADD
                                    • CreateThread.KERNEL32(?,?,1000687E,00000000), ref: 10006AF1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Create$ErrorFormatLastMutexSleepThreadTime___crtwsprintf
                                    • String ID: 5762479093
                                    • API String ID: 3244495550-3483958698

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(000493E0,00000000,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 1000855C
                                    • Sleep.KERNEL32(001B7740), ref: 100085BF
                                    Strings
                                    • svchsot.exe, xrefs: 10008524
                                    • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                    • API String ID: 3472027048-2214221337
                                    Strings
                                    • http://174.139.6.43:805/index.php, xrefs: 1000716B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: http://174.139.6.43:805/index.php
                                    • API String ID: 1749205058-3195113140
                                    APIs
                                    • Sleep.KERNEL32(000493E0,00000000,?,00000000,80000002,00000000,00000000,000F003F,?), ref: 1000855C
                                    • Sleep.KERNEL32(001B7740), ref: 100085BF
                                    Strings
                                    • svchsot.exe, xrefs: 10008524
                                    • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 1000846F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                    • API String ID: 3472027048-2214221337
                                    APIs
                                      • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    • GetLastError.KERNEL32 ref: 10006B55
                                    • CreateThread.KERNEL32(?,?,1000687E), ref: 10006B6B
                                    • Sleep.KERNEL32(00002710,00000000,00000000,?,00000000,000000FF,?,?,1000687E), ref: 10006B88
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Create$ErrorLastMutexSleepThread
                                    • String ID:
                                    • API String ID: 145085098-0
                                    APIs
                                    • GetLastError.KERNEL32 ref: 10006AA8
                                    • Sleep.KERNEL32(0002BF20,00000000,00000000,?,00000000,000000FF,?,?,1000687E,00000000), ref: 10006ADD
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: ErrorLastSleep
                                    • String ID: 5762479093
                                    • API String ID: 1458359878-3483958698
                                    APIs
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                    Strings
                                    • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: FormatInternetOpenTime___crt
                                    • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                    • API String ID: 483802873-1756078650
                                    • Opcode ID: c2cbce892976d4b1007170d2a4a46ac64bb505d69b85d8154e6bdc3861738b06
                                    • Instruction ID: f0c3526304c825564c5c4eb44b26f53dc373e74deb03e814873fed5b313e77ee
                                    • Opcode Fuzzy Hash: c2cbce892976d4b1007170d2a4a46ac64bb505d69b85d8154e6bdc3861738b06
                                    • Instruction Fuzzy Hash: 1C21C575D0014DBAEF21DB55DC45D9F7B7DDB852D0F20807AF608E6045DA319A818660
                                    APIs
                                      • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    • ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
                                      • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                    Strings
                                    • TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InternetOpen$FormatTime___crt
                                    • String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
                                    • API String ID: 1165476586-1918919809
                                    • Opcode ID: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
                                    • Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
                                    • Opcode Fuzzy Hash: 5c4a45e9f88b1cdcaa63395fc832ffbcbaa15b587116e0ae30a38edddbb0ae5c
                                    • Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: C:\Program Files
                                    • API String ID: 3472027048-1387799010
                                    • Opcode ID: 9c12519ba8f92ada5ea338270599224c826a3e176a5bdac3043c0311ba39c226
                                    • Instruction ID: ff1306f0a4f1ac59270128d03767b5ad6af54f96c84c5a7b76bd668247e82245
                                    • Opcode Fuzzy Hash: 9c12519ba8f92ada5ea338270599224c826a3e176a5bdac3043c0311ba39c226
                                    • Instruction Fuzzy Hash: 60F02276906AA1E6F701DFA458C068F776DFF122A1B210026F940BF046D7B59A4147E2
                                    APIs
                                    • Sleep.KERNEL32(0002BF20,00000000,00000000,?,00000000,000000FF,?,?,1000687E,00000000), ref: 10006ADD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: 5762479093
                                    • API String ID: 3472027048-3483958698
                                    • Opcode ID: a26036ad016d7c9e7ae796b905a858889943a9e54840ed55f1f4de09bb6151af
                                    • Instruction ID: c70fe16bf65d4ebafc1be4ec70161536b021d68c1a422e5c9178506ebaefb377
                                    • Opcode Fuzzy Hash: a26036ad016d7c9e7ae796b905a858889943a9e54840ed55f1f4de09bb6151af
                                    • Instruction Fuzzy Hash: 5AE026B67847287AF212E2315C4395B3A8ADF223E67148020F501E804BE761E94045F2
                                    APIs
                                    • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D60,?,10006D60,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                    • Instruction ID: 2e24eff2bcdac0d7bb79d22e3b0edd8e416dbe054c2d5b18b585679418e55d12
                                    • Opcode Fuzzy Hash: 8241c048834319a8777681939fd791c1f2bb79611796acde0cc24ef85fc7be79
                                    • Instruction Fuzzy Hash: 8DD0AE3200014EFBCF025F81ED05CDA3F6AFB0C2A9B068254FA1825030C777D9B1AB91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateThread
                                    • String ID:
                                    • API String ID: 2422867632-0
                                    • Opcode ID: ad270d2bd068476132eed9c0890dd0f41c6575f8d5f58fc5ce26e06ee558db0d
                                    • Instruction ID: 71c3a9970c7d6d96de73f33e6f2bdf1ab161db2225937d05d9eb6bc3fd0978d2
                                    • Opcode Fuzzy Hash: ad270d2bd068476132eed9c0890dd0f41c6575f8d5f58fc5ce26e06ee558db0d
                                    • Instruction Fuzzy Hash: 59C08C7900A600FFA20AD7A7FC434AE6AA1DCC4260FA08548B09827D118E38B9514E52
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Open
                                    • String ID:
                                    • API String ID: 71445658-0
                                    • Opcode ID: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                    • Instruction ID: 17287b262fc42a8ef4c3757039caf17c8ec33028492a73a8645d3109de99ba33
                                    • Opcode Fuzzy Hash: a195baf415497c3f6e756206114371a6254dc762b0ba02df47c96a08b610d07e
                                    • Instruction Fuzzy Hash: 40C0013200420EFBCF025F81EC058DA3F2AFB082A1B008010FE1804030C773D9B1EBA1
                                    APIs
                                    • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InternetOpen
                                    • String ID:
                                    • API String ID: 2038078732-0
                                    • Opcode ID: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                    • Instruction ID: b95a3e5d4d1581b579a43ffb785aa3053a804adf9b6b5080047aec5b24f95343
                                    • Opcode Fuzzy Hash: 8fdbf6ddd27a1d6b462f044f687e1b09091a90aa3cf3341bbc8376c5064c6b07
                                    • Instruction Fuzzy Hash: 32C0013200020EFBCF025F81EC058DA7F2AFB092A0B008010FA1804031C733D971AB95
                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,10006B50,?,?,?,00000202,?), ref: 10003EDA
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                    • Instruction ID: 0bba5641deb9fc7c6708226b57f3740a3060a6e77b98bc1f4937df3feb83fb0f
                                    • Opcode Fuzzy Hash: f03030767440787e5e8ee563cbeb237b89049fd46284869140ae0419c91515a8
                                    • Instruction Fuzzy Hash: 51B0093A408220BFDF025F90DD4880ABBA2BB88362F24C958F6A941031C7328420EB02
                                    APIs
                                    • GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: NamePathShort
                                    • String ID:
                                    • API String ID: 1295925010-0
                                    • Opcode ID: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                    • Instruction ID: 299f2b121c0b8d63d2f16659a91a8a26a6eb1e7383ee0b7c2fbbf344de06ce20
                                    • Opcode Fuzzy Hash: b2e0d57d01f7aa481c28775ec103b2c79e6903a2f37fda92ba0980fa6487b9be
                                    • Instruction Fuzzy Hash: BCB0097A509210BFDF025B91DE4880ABBA2AB89321F10C958F2A940031C7328520EB12
                                    APIs
                                    • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: FirstProcess32
                                    • String ID:
                                    • API String ID: 2623510744-0
                                    • Opcode ID: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                    • Instruction ID: d0469a6573cf8832cc4e791a541241725128130187f64684ac8c75673cb250d8
                                    • Opcode Fuzzy Hash: 4be810b948c5642b78a3303991c31d5753e2f497cabb41971bfbf009a223d646
                                    • Instruction Fuzzy Hash: B8A00176509612ABDA42AB51CE4884ABEA2FBA8381F01C819F18940434CB3284A5EB12
                                    APIs
                                    • Process32Next.KERNEL32(0000005C,0000005C), ref: 1000411D
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: NextProcess32
                                    • String ID:
                                    • API String ID: 1850201408-0
                                    • Opcode ID: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                    • Instruction ID: 2ceb7d0ae5350f2ffb1294a1e21229299d690b4e3dcfc0507f8b466183483048
                                    • Opcode Fuzzy Hash: 96d6b844675e51e99f82aec0d05e68cf0a3385db677bffcb7afb410fd8c547f0
                                    • Instruction Fuzzy Hash: B1A00136408612ABDA42AB50CD4884ABEA2FBA8381F11C819F18941034CB3684A5EB12
                                    APIs
                                    • GetDriveTypeA.KERNEL32(?,1000824C,10015938), ref: 1000400E
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: DriveType
                                    • String ID:
                                    • API String ID: 338552980-0
                                    • Opcode ID: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                    • Instruction ID: e310fc801df329cbdffcf5e880badee8d9e0b58f708c6ac467addbfbb1e58057
                                    • Opcode Fuzzy Hash: 2ee3dedfe077572030ca3591167bf26a544b4eb7bba9e94adf73c1260513ac4d
                                    • Instruction Fuzzy Hash: 029002305055119BDE015B10CE4940A7E71AB84701B00C4A4E04541130C7328810EE01
                                    APIs
                                    • RegCloseKey.KERNEL32(?,10006DBE,?), ref: 10004096
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                    • Instruction ID: c461232d01f39555025ee1551a6f08c036cd225bd5518e59674b318f5e785400
                                    • Opcode Fuzzy Hash: 2d988dbd5b15decafcf846d532543195a702f6c68f6a27351b5815321025a744
                                    • Instruction Fuzzy Hash: 799002705055119BDE415B11CF494097AA5AB84701B008458E04A41030C7318810EA01
                                    APIs
                                    • PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID:
                                    • API String ID: 1174141254-0
                                    • Opcode ID: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                    • Instruction ID: df56204a28902bd86cd8e7b59e1535f4ff11cbe2af3c274bf077f84441daad3a
                                    • Opcode Fuzzy Hash: 6dc1e466dda3ac71b59e7395498c1fa1529f77b3beb14a38e7d5df6994b7eb4f
                                    • Instruction Fuzzy Hash: 869002705051109BDF015B11CF494497A65AB84701B00855CF05A41431C7318910EA01
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID:
                                    • API String ID: 1749205058-0
                                    • Opcode ID: 556947e3ce337b3b0b687775f34b152472cb1fc700a18dab62916dd140d410ee
                                    • Instruction ID: e0f405a6295bc0021ca29f9cf2c982baf8811236296f7b974faba122b9606113
                                    • Opcode Fuzzy Hash: 556947e3ce337b3b0b687775f34b152472cb1fc700a18dab62916dd140d410ee
                                    • Instruction Fuzzy Hash: CD01B176C05658BAFB22C760CC11BCB7BACFB08280F1049A1E248A5096DB74AB448F00
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    • Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                    • Instruction ID: 6c5504f13a17a8b4553fb93f6e314e3eb43bbcef24ba1366296fc093faca9512
                                    • Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                    • Instruction Fuzzy Hash: 13D1F2311046896EDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061
                                    • Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                    • Instruction ID: a9c7f45465d92fcd6248bf8d3b75336943ce7982e690b294f387925eaf45448f
                                    • Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                    • Instruction Fuzzy Hash: 6F9143311046896EDB21CFAD8C80EFFBBBCAF06A40F840549FE85C7642D255E92DA771
                                    APIs
                                    • InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: FileInternetRead
                                    • String ID:
                                    • API String ID: 778332206-0
                                    • Opcode ID: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                    • Instruction ID: 66c4406e5843dae4aa23aa47ff20fa86481cf42106c3819bfbf8a2f6b8e79ef1
                                    • Opcode Fuzzy Hash: 17794e789735475d89bbd1f9c593eb9d99e0ec2b66a06d8a24d179cffc3f724c
                                    • Instruction Fuzzy Hash: 20B00872519392ABDF02DF91CD4482ABAA6BB89301F084C5CF2A540071C7328428EB02
                                    APIs
                                    • ExitWindowsEx.USER32(000000BC,000000BC), ref: 10003F6B
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: ExitWindows
                                    • String ID:
                                    • API String ID: 1089080001-0
                                    • Opcode ID: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                    • Instruction ID: a0a7e03ceb7acd9bb0d3454ea8bb5ca0f40435505fc546ba40186378cb909d0a
                                    • Opcode Fuzzy Hash: ddd05c4d22fa51185853cbc8baa1bf28f6a18d545d76c7cc1a4f4cf3c1112b8e
                                    • Instruction Fuzzy Hash: 81A00175509222EBDE025B51CE4888ABEA6AB88381F008858F28940031C77284A2EB02
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: '
                                    • API String ID: 0-1997036262
                                    • Opcode ID: 6f443eddfc8222ff2f5f800cc829f9353839bebc9c3e7457bd0cbed3613cd613
                                    • Instruction ID: f389f15fd0a8877f73eb6a91fb6ffbaafb7a2d8a217a3cbe01a0a4cb358a3832
                                    • Opcode Fuzzy Hash: 6f443eddfc8222ff2f5f800cc829f9353839bebc9c3e7457bd0cbed3613cd613
                                    • Instruction Fuzzy Hash: 5581276940E3D19FC7438B785CF91823FA2AE1B24434F09DAC4C09F4B7E1995D49C7A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                    • Instruction ID: 9e0b5d620d62c11970e9cc848d1ca02f4ed839136e4bfa4bb83daef4b24ba54e
                                    • Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                    • Instruction Fuzzy Hash: AA313A33E2C6B607E324DF7E4C84025F7D6EB8A06275A8779DE88E7255D128EC518BD0
                                    APIs
                                    • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007338
                                    • VariantInit.OLEAUT32(?), ref: 1000734D
                                    • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007368
                                    • VariantInit.OLEAUT32(?), ref: 10007377
                                      • Part of subcall function 10007A62: VariantInit.OLEAUT32(?), ref: 10007AA1
                                    • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007505
                                    • VariantInit.OLEAUT32(?), ref: 10007513
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: InitVariant$ArrayCreateSafe
                                    • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=$p=<u
                                    • API String ID: 2640012081-3655912496
                                    • Opcode ID: 166749451ec1508bf59700e092c3af7201e4401a2a9ec7d4452531bb1519d429
                                    • Instruction ID: 9d002e7adf09fdf71323f72db342d1bc3075542c080a75d13bd0d318768fde2d
                                    • Opcode Fuzzy Hash: 166749451ec1508bf59700e092c3af7201e4401a2a9ec7d4452531bb1519d429
                                    • Instruction Fuzzy Hash: 2ED17F74D00219EFEB15CFA4C8809EEBBB8FF49781F104019F419AB259DB75AA45CFA1
                                    APIs
                                    • wsprintfA.USER32 ref: 10005437
                                    • wsprintfA.USER32 ref: 1000549E
                                    • wsprintfA.USER32 ref: 100054BC
                                    • PrintFile.B3SV534MMF(?,?,?,?,00000000), ref: 100054DE
                                    • rand.MSVCRT ref: 10005538
                                    • rand.MSVCRT ref: 10005543
                                    • rand.MSVCRT ref: 1000554E
                                    • rand.MSVCRT ref: 10005559
                                    • rand.MSVCRT ref: 10005564
                                    • wsprintfA.USER32 ref: 10005582
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000061,?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,00000009,00000000), ref: 100055AE
                                    Strings
                                    • %s\%s, xrefs: 10005431
                                    • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                    • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                    • c:\windows\system32\drivers\%s, xrefs: 10005498
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: rand$wsprintf$FilePrintSleep
                                    • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                    • API String ID: 2577056782-455112146
                                    • Opcode ID: 8d814943ede8a0ded33f20e92e1f5805c3cf556b27fcf436b6769411b698c126
                                    • Instruction ID: 82889d552a462bf185d714c7d3d8cd771ce47005269810554c025dd8bf44c487
                                    • Opcode Fuzzy Hash: 8d814943ede8a0ded33f20e92e1f5805c3cf556b27fcf436b6769411b698c126
                                    • Instruction Fuzzy Hash: E7613973940258BFEB10DB64CC46FEE776EEB84351F184466F608AB181CAB1EA858B50
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID: %s\%s$%s\version.txt$12021651$12021651$174.139.6.42:3204$C:\Users\user\Desktop$C:\Users\user\Desktop\12021651$C:\Users\user\Desktop\b3sV534MMf.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BBEA1588$M%s$M174.139.6.42:3204
                                    • API String ID: 2111968516-1065473168
                                    • Opcode ID: b670a70032b59a39dd4e75addf7983aeef193788df8b5767d71336893f906c59
                                    • Instruction ID: 2622bda390c1fc69688ed133630b74a7e87bc192078dfd3625eba7e1b50de2c8
                                    • Opcode Fuzzy Hash: b670a70032b59a39dd4e75addf7983aeef193788df8b5767d71336893f906c59
                                    • Instruction Fuzzy Hash: 79214876600319BBF210E7959C41F9F3B9CCF852E6F01412AFB04AE185DB72E9858A72
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 10004EC5
                                    • VariantInit.OLEAUT32(?), ref: 10004ECB
                                    • VariantInit.OLEAUT32(?), ref: 10004ED1
                                    • VariantInit.OLEAUT32(?,?,?,WQL,?,?), ref: 10005009
                                    • VariantInit.OLEAUT32(?,?,?,WQL,?,?), ref: 1000500F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: InitVariant
                                    • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$p=<u$svchost.exe$svchost.exe -k NetworkService
                                    • API String ID: 1927566239-3501905436
                                    • Opcode ID: 0da7957a48b5a39ea88ddb39b7bee5f93250a08a3b71e554fd3c967710fc5538
                                    • Instruction ID: f90636b10a7337c2a5a872a63f2ead223ed2d5a9c72937338c4d651b313ba435
                                    • Opcode Fuzzy Hash: 0da7957a48b5a39ea88ddb39b7bee5f93250a08a3b71e554fd3c967710fc5538
                                    • Instruction Fuzzy Hash: 2F8129B2900249AFEF04CFE4C8849EEBBB9FF49350F114569F516AB294DB31AE45CB50
                                    APIs
                                    • wsprintfA.USER32 ref: 1000574F
                                    • wsprintfA.USER32 ref: 100057B1
                                    • wsprintfA.USER32 ref: 100057C5
                                    • PrintFile.B3SV534MMF(?,?,?,?,00000000,?,?,?,?,?,?,?,10016AD0,00000000,00080000), ref: 100057E8
                                    • CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000), ref: 10005835
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: wsprintf$CreateFilePrintThread
                                    • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                    • API String ID: 1788855648-1421401311
                                    • Opcode ID: a213fb8c8922784ab3c06b997f3ea2f857694b863c8a4d83c7139e0280cac0f2
                                    • Instruction ID: 28a3424c43d880dab5bccd7007b6d6d5217b25d19112805f30e3ba200c1ee7d2
                                    • Opcode Fuzzy Hash: a213fb8c8922784ab3c06b997f3ea2f857694b863c8a4d83c7139e0280cac0f2
                                    • Instruction Fuzzy Hash: 9D31BB72910238BBEB21D7A4CC45FCF7B6CEB08356F0404A6F708FA051DB75AAC58A91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                    • API String ID: 0-3916765701
                                    • Opcode ID: a4d6dded159f046c25e693c99690a910910f1a199705c8da070720c34925021f
                                    • Instruction ID: fe88ff4f4a2ba1e8cf0b189abc1debd098fa27393324e90b19e2d405f5e50096
                                    • Opcode Fuzzy Hash: a4d6dded159f046c25e693c99690a910910f1a199705c8da070720c34925021f
                                    • Instruction Fuzzy Hash: DE11E2BA0002187AFB21EB74AC46FDF3A5CDF507A1F210161FA4468086CEB6EAC04568
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                    Similarity
                                    • API ID: Sleep$wsprintf
                                    • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==
                                    • API String ID: 3195947292-2191795975
                                    • Opcode ID: 6e03216eeb2a8fb36a3462989fe8955f81af108459bf6b6e60ff2a3b6874ac74
                                    • Instruction ID: a8aa3844fab9e21a99a7d3e1679ae8e0c29cd9a59e52682f97805e2f5805e0d3
                                    • Opcode Fuzzy Hash: 6e03216eeb2a8fb36a3462989fe8955f81af108459bf6b6e60ff2a3b6874ac74
                                    • Instruction Fuzzy Hash: 9001C4B65002587BEF12AB70DC86FDE3B5DEF44394F104451F644A9092CEB5EDC04A64
                                    APIs
                                      • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                    • API String ID: 1721638100-2510504628
                                    • Opcode ID: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                    • Instruction ID: 275623b6bb4d38d455d16e038d1f67d5d5eba5b08857937f3fa6caa2442e2442
                                    • Opcode Fuzzy Hash: 628b499e9a68a97e2ed47c29d2a86c48c529a9e8e13b1be541f5ff1dba026eb1
                                    • Instruction Fuzzy Hash: 131104769041197EFB21DAA4CC42FDB776CDB14384F0085B1FA48B6080EA71AF884660
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: wsprintf
                                    • String ID: %s\%s$.$\*.*
                                    • API String ID: 2111968516-2210278135
                                    • Opcode ID: b25ff04f038f720622f88d5534156cbd27d2e1f8617f74dc2531a989b65ec00c
                                    • Instruction ID: 683538f7eec48923da7b8d13486b14582c2964fd5ec070a7e611c26c670eb571
                                    • Opcode Fuzzy Hash: b25ff04f038f720622f88d5534156cbd27d2e1f8617f74dc2531a989b65ec00c
                                    • Instruction Fuzzy Hash: 655191B680425CBBEF11DFA4CC46EDE7B7DEF05380F0144A5FA08A6055DB70AB849B65
                                    APIs
                                    Strings
                                    • C:\Users\user\Desktop, xrefs: 1000880B
                                    • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008810
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: Sleepwsprintf
                                    • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                    • API String ID: 1749205058-3359968284
                                    • Opcode ID: 66a9ce85892f9329b91f459de07680a1dd55e73f2aaeff98105d7350e625594f
                                    • Instruction ID: 965344b6c88be0343068e8971810c2bf4f2ae0e85ab05c2aaa4b824111ab2e12
                                    • Opcode Fuzzy Hash: 66a9ce85892f9329b91f459de07680a1dd55e73f2aaeff98105d7350e625594f
                                    • Instruction Fuzzy Hash: 4BF0AEB2500199ABEB11CB64DC85BEB376CFF08284F040875F715F5051DBB09EC48A55
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: InitVariant
                                    • String ID: $p=<u
                                    • API String ID: 1927566239-2520713026
                                    • Opcode ID: 390db24222ace8c8f4c7a0dd0452aa1db35f677c827bbe28e411cf0bddaf2bf3
                                    • Instruction ID: 0318de303bb8448969fbaf99b11e2c77d0245d43348cbae189f38b54ec35a164
                                    • Opcode Fuzzy Hash: 390db24222ace8c8f4c7a0dd0452aa1db35f677c827bbe28e411cf0bddaf2bf3
                                    • Instruction Fuzzy Hash: 19419375D002599FEF04DFA4C985AEEB7F8FF09284F10446DE91AA3245DB38AE04CB61
                                    APIs
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                      • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                      • Part of subcall function 10004035: ReadFile.KERNEL32(?,?,?,00000000,10005CD6,?,10005CD6,00000000,?,?,?,00000000), ref: 10004047
                                      • Part of subcall function 10003F92: CloseHandle.KERNEL32(?,1000597F,75BF8400,75BF8400,00000000,C:\Users\user\Desktop,0000005C,C:\Users\user\Desktop,C:\Users\user\Desktop\b3sV534MMf.dll), ref: 10003F96
                                      • Part of subcall function 10003F7D: StrStrIA.SHLWAPI(?,?,10005CE9,?,http://,00000000,00000000,?,?,?,00000000), ref: 10003F85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateFileTimer$CloseConcurrency::details::platform::__HandleQueueRead
                                    • String ID: http://$search
                                    • API String ID: 2951256540-4044578368
                                    • Opcode ID: 9e6e4ca6741ed5e007112af3b910463a043c3e26c2793888b7e088ada7bab67f
                                    • Instruction ID: 9f63b41622fab1ff82f924877dfa164aae2497f5c9a9996aa7f2a54ef5475ee4
                                    • Opcode Fuzzy Hash: 9e6e4ca6741ed5e007112af3b910463a043c3e26c2793888b7e088ada7bab67f
                                    • Instruction Fuzzy Hash: 75F0C276904019BAFB21DAA4CC41FEF376CDB002D5F108162FA18A90D5EA329E9146A0
                                    APIs
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                      • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3485228797.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                     • Associated: 00000003.00000002.3485198869.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485265903.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485302140.0000000010012000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485346150.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485394896.000000001003A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000003.00000002.3485433446.000000001004B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                    Similarity
                                    • API ID: CreateTimer$Concurrency::details::platform::__FileQueue
                                    • String ID: %s\lang.ini$C:\Users\user\Desktop
                                    • API String ID: 3486561800-1738621931
                                    • Opcode ID: 91917efd60eee5a4c7f72a7cce19e0cd623d68f546c36473dca52c4ca7f31dab
                                    • Instruction ID: dfcc7b63688ca43a2c74d680eb54bb4daf041f1c606f04c7c9245eb5a67af0f6
                                    • Opcode Fuzzy Hash: 91917efd60eee5a4c7f72a7cce19e0cd623d68f546c36473dca52c4ca7f31dab
                                    • Instruction Fuzzy Hash: A3F046768001187AF620D665CC07FEF3E6CDB857E0F104121FA08E90C4EB75AAC196E0