
Windows Analysis Report
PqZ6GU98Eh.dll

Overview

General Information

Sample name: PqZ6GU98Eh.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 1769d1508eb64a59d5a06a4c590aeed13052e173.dll.exe
Analysis ID: 1558493
MD5: 5e7eabdb5af832e2b542ae28665276e9
SHA1: 1769d1508eb64a59d5a06a4c590aeed13052e173
SHA256: 2b19db48c09781c68cc147cdd979e440bb4a66d506f27c5040ef2d2018a9b941
Tags: dll, exe, user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for sample
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3416 cmdline: loaddll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2024 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 1408 cmdline: rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5260 cmdline: rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5856 cmdline: rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InvCMAP MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1528 cmdline: rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 7328 cmdline: rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InputFile MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 7388 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 7452 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",PrintFile MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 7436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rundll32.exe (PID: 8100 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 8124 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6920 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 4268 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 400 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7376 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source: PqZ6GU98Eh.dll, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x1fb8c:$x1: cracked by ximo
  • 0x21cad:$x1: cracked by ximo
Source: 16.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x2c905:$x1: cracked by ximo
  • 0x2c9c1:$x1: cracked by ximo
  • 0x2ca7d:$x1: cracked by ximo
  • 0x2cb39:$x1: cracked by ximo
  • 0x2cbf5:$x1: cracked by ximo
  • 0x2ccb1:$x1: cracked by ximo
  • 0x2cd6d:$x1: cracked by ximo
  • 0x2ce29:$x1: cracked by ximo
  • 0x4d881:$x1: cracked by ximo
  • 0x4f9a2:$x1: cracked by ximo
Source: 9.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x2c905:$x1: cracked by ximo
  • 0x2c9c1:$x1: cracked by ximo
  • 0x2ca7d:$x1: cracked by ximo
  • 0x2cb39:$x1: cracked by ximo
  • 0x2cbf5:$x1: cracked by ximo
  • 0x2ccb1:$x1: cracked by ximo
  • 0x2cd6d:$x1: cracked by ximo
  • 0x2ce29:$x1: cracked by ximo
  • 0x4d881:$x1: cracked by ximo
  • 0x4f9a2:$x1: cracked by ximo
Source: 7.2.rundll32.exe.10000000.0.unpack, Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Author: Florian Roth, Strings:
  • 0x2c905:$x1: cracked by ximo
  • 0x2c9c1:$x1: cracked by ximo
  • 0x2ca7d:$x1: cracked by ximo
  • 0x2cb39:$x1: cracked by ximo
  • 0x2cbf5:$x1: cracked by ximo
  • 0x2ccb1:$x1: cracked by ximo
  • 0x2cd6d:$x1: cracked by ximo
  • 0x2ce29:$x1: cracked by ximo
  • 0x4d881:$x1: cracked by ximo
  • 0x4f9a2:$x1: cracked by ximo

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5856, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmap
No Suricata rule has matched


AV Detection

Source: PqZ6GU98Eh.dll, Avira: detected
Source: PqZ6GU98Eh.dll, ReversingLabs: Detection: 89%
Source: PqZ6GU98Eh.dll, Joe Sandbox ML: detected
Source: PqZ6GU98Eh.dll, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*d~ source: rundll32.exe, 00000007.00000003.2016664061.0000000003508000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000007.00000003.2016732941.0000000003521000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: rundll32.exe, 00000007.00000003.3662487482.00000000064AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2657631283.00000000064AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**@ source: rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000007.00000003.2016622709.00000000064A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*y\*.*== source: rundll32.exe, 00000007.00000003.3301274775.00000000064FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3300587756.00000000064FE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,7_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,7_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,9_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,9_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 16_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose,16_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 16_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose,16_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 107.160.131.251 18659
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 107.160.131.252 23588
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 107.163.56.110 18530
Source: global traffic, TCP traffic: 107.160.131.251 ports 1,5,6,8,9,18659
Source: global traffic, TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic, TCP traffic: 192.168.2.7:49706 -> 107.160.131.251:18659
Source: global traffic, TCP traffic: 192.168.2.7:49707 -> 107.163.56.110:18530
Source: global traffic, TCP traffic: 192.168.2.7:49733 -> 107.160.131.252:23588
Source: Joe Sandbox View, IP Address: 202.108.0.52
Source: Joe Sandbox View, IP Address: 107.163.56.110
Source: Joe Sandbox View, ASN Name: AS40676US
Source: Joe Sandbox View, ASN Name: AS40676US
Source: Joe Sandbox View, ASN Name: TAKE2US
Source: global traffic, TCP traffic: 192.168.2.7:49759 -> 202.108.0.52:80
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: unknown, TCP traffic detected without corresponding DNS query: 107.160.131.252
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_1000490F WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,closesocket,WSACleanup,7_2_1000490F
Source: global traffic, DNS traffic detected: DNS query: host123.zz.am
Source: global traffic, DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, rundll32.exe, 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: http://107.160.131.251:18659/
Source: rundll32.exe, 00000007.00000003.1582709299.0000000003495000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.251:18659//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWnte4mdu
Source: rundll32.exe, rundll32.exe, 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.php
Source: rundll32.exe, 00000007.00000002.3760112251.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.php.
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.php?
Source: rundll32.exe, 00000007.00000002.3771573379.0000000005FBD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3771794103.00000000061DA000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpC:
Source: rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2494306123.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpF
Source: rundll32.exe, 00000007.00000002.3760112251.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpH
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpM
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpS
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpT
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpZ
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpa
Source: rundll32.exe, 00000007.00000002.3771794103.00000000061DA000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpd
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phpk
Source: rundll32.exe, 00000007.00000002.3760112251.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.phprams
Source: rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.160.131.252:23588/article.php~
Source: rundll32.exe, 00000007.00000002.3771573379.0000000005FBD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3771502515.0000000005F3D000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: http://107.160.13I
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://107.163.56.110:18530/u1129.htmlr
Source: rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/%s%
Source: rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/%sProgramDataProg
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2494306123.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.0000000003525000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.00000000034EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3260593837.0000000006499000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000007.00000002.3771982277.00000000063FD000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093$
Source: rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/57624790930
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093;
Source: rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093D
Source: rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093H
Source: rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093Z
Source: rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093n
Source: rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3772061280.0000000006480000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3381146165.0000000006483000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://blog.sina.com.cn/u/5762479093ni
Source: rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093niT
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093niV
Source: rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939251188.0000000006487000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939855292.0000000006487000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093ni_
Source: rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093r
Source: rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093t
Source: rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.0000000003525000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093x
Source: rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.0000000003521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093z
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093z-
Source: rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093zA
Source: rundll32.exe, 00000007.00000003.2939251188.0000000006487000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939855292.0000000006487000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093zT
Source: rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093zV
Source: rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://blog.sina.com.cn/u/5762479093zr
Source: Amcache.hve.12.drString found in binary or memory: http://upx.sf.net

System Summary

Source: PqZ6GU98Eh.dll, type: SAMPLE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 16.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: 7.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008ABE: DeviceIoControl
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_10003F63 ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B002
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B0AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B2B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1001B002
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1001B0AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1001B2B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1001B002
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1001B0AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1001B2B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10009136 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 900 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000CDA0 appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 676
Source: PqZ6GU98Eh.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: PqZ6GU98Eh.dll, type: SAMPLE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@37/10@49/5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008B8B sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100042A2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100051D3 #823,#823,#823,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100051D3 #823,#823,#823,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100042A2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1000404F AdjustTokenPrivileges
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_100051D3 #823,#823,#823,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_100042A2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10003FB7 CreateToolhelp32Snapshot
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004D36 _EH_prolog,memset,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,wcscat,VariantInit,VariantInit,VariantInit,VariantInit,strcpy,_strcmpi,strcpy,StrStrIA,VariantClear,VariantClear,VariantClear,CoUninitialize
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\Desktop\12051805
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7344
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\host123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mhost123.zz.am:6658
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1528
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b88b2bff-78ee-498a-ac6e-fe08548ccedf
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InputFile
Source: PqZ6GU98Eh.dll | ReversingLabs: Detection: 89%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InputFile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InvCMAP
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 676
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 676
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InvCMAP
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,PrintFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",PrintFile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Binary string: c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*d~ source: rundll32.exe, 00000007.00000003.2016664061.0000000003508000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000007.00000003.2016732941.0000000003521000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: rundll32.exe, 00000007.00000003.3662487482.00000000064AA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2657631283.00000000064AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**@ source: rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.* source: rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\*.* source: rundll32.exe, 00000007.00000003.2016622709.00000000064A6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*y\*.*== source: rundll32.exe, 00000007.00000003.3301274775.00000000064FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3300587756.00000000064FE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100044AD LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary
Source: initial sample | Static PE information: section where entry point is pointing to: .desa1
Source: PqZ6GU98Eh.dll | Static PE information: section name: .desa0
Source: PqZ6GU98Eh.dll | Static PE information: section name: .desa1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004F80A pushfd ; mov dword ptr [esp], edi | 7_2_10055F3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100531E3 push dword ptr [esp+30h]; retn 0034h | 7_2_10053229
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C1F4 push dword ptr [esp+34h]; retn 0038h | 7_2_1001C203
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100379F6 push dword ptr [esp+48h]; retn 004Ch | 7_2_10052BD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004E1F2 push dword ptr [esp+34h]; retn 0038h | 7_2_1004E20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004E1FC push dword ptr [esp+34h]; retn 0038h | 7_2_1004E20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10056A51 pushfd ; mov dword ptr [esp], 00000000h | 7_2_10056AB6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10055A61 push dword ptr [esp+2Ch]; retn 0030h | 7_2_10057305
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10055AB1 push dword ptr [esp+2Ch]; retn 0030h | 7_2_10057305
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10055373 push D507178Ch; mov dword ptr [esp], ecx | 7_2_10055C88
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C40B push dword ptr [esp+44h]; retn 0048h | 7_2_1001C475
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1003740F push dword ptr [esp+30h]; retn 0044h | 7_2_10037420
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C40F push dword ptr [esp+44h]; retn 0048h | 7_2_1001C475
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CC53 pushfd ; mov dword ptr [esp], ebx | 7_2_1001CC77
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C453 push dword ptr [esp+44h]; retn 0048h | 7_2_1001C475
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000CD20 push eax; ret | 7_2_1000CD4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10037D5E push dword ptr [esp+3Ch]; retn 0040h | 7_2_10037D6F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004EDA5 pushfd ; mov dword ptr [esp], edi | 7_2_10055F3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BDBF pushfd ; mov dword ptr [esp], ebx | 7_2_1001CC77
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10055E26 push dword ptr [esp+20h]; retn 0024h | 7_2_10055FF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004F6CC push dword ptr [esp+08h]; retn 000Ch | 7_2_1004F6D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10037711 push dword ptr [esp+3Ch]; retn 0040h | 7_2_10037D6F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1004DF9C push ecx; retf | 7_2_1004DF9D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B7AF push dword ptr [esp+2Ch]; retn 0030h | 7_2_1001CB21
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B7DB push dword ptr [esp+2Ch]; retn 0030h | 7_2_1001CB21
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1004F80A pushfd ; mov dword ptr [esp], edi | 9_2_10055F3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100531E3 push dword ptr [esp+30h]; retn 0034h | 9_2_10053229
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1001C1F4 push dword ptr [esp+34h]; retn 0038h | 9_2_1001C203
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100379F6 push dword ptr [esp+48h]; retn 004Ch | 9_2_10052BD8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1004E1F2 push dword ptr [esp+34h]; retn 0038h | 9_2_1004E20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1004E1FC push dword ptr [esp+34h]; retn 0038h | 9_2_1004E20D
Source: PqZ6GU98Eh.dll | Static PE information: section name: .desa1 entropy: 7.8977885745474365

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d | 7_2_10008B8B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d | 9_2_10008B8B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d | 16_2_10008B8B

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exeCode function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d7_2_10008B8B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d9_2_10008B8B
Source: C:\Windows\SysWOW64\rundll32.exeCode function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,memset,strcpy,memset,strcpy, \\.\PHYSICALDRIVE%d16_2_10008B8B
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmapJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmapJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmapJump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BB82 rdtsc 7_2_1001BB82
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 6107
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.3 %
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3892 Thread sleep count: 6107 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3892 Thread sleep time: -10992600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7724 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1476 Thread sleep count: 37 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4256 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7988 Thread sleep time: -1620000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7876 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7872 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1912 Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1912 Thread sleep time: -9300000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7980 Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7728 Thread sleep time: -7200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose, 7_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose, 7_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose, 9_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose, 9_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_10004630 strcpy,strcat,FindFirstFileA,wsprintfA,strlen,#825,FindNextFileA,FindClose, 16_2_10004630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_10007F4F lstrcpyA,lstrcatA,lstrcatA,lstrcatA,FindFirstFileA,FindNextFileA,lstrcpyA,lstrcatA,lstrcatA,_strcmpi,PathIsDirectoryA,#823,strcpy,strchr,strchr,strchr,strchr,strcpy,atoi,CreateDirectoryA,Sleep,FindClose, 16_2_10007F4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100051D3 #823,#823,#823,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,strlen,sscanf, 7_2_100051D3
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 1800000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: rundll32.exe, 00000007.00000002.3755610770.0000000002F3B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000007.00000002.3760112251.00000000034AC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1582709299.00000000034A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000007.00000003.1637693970.0000000003267000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: rundll32.exe, 00000007.00000003.3564519215.00000000034D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdatper.cdxmlps
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ons\\VMwareHostO
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: rundll32.exe, 00000007.00000003.3564519215.00000000034D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmls_
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000007.00000002.3760112251.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1582709299.00000000034A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.12.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BB82 rdtsc 7_2_1001BB82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1000443D PrintFile,CreateFileA,strlen,LdrInitializeThunk,WriteFile,CloseHandle, 9_2_1000443D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100044AD LoadLibraryA,GetProcAddress,GetExtendedUdpTable,malloc,GetExtendedUdpTable,htons,free,FreeLibrary, 7_2_100044AD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.160.131.251 18659
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.160.131.252 23588
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 107.163.56.110 18530
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C049 GetLocalTime,SystemTimeToFileTime
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005ACA memset,GetVersionExA,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,strcpy,sprintf
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000490F WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,closesocket,WSACleanup
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000490F WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,closesocket,WSACleanup
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_1000490F WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,memset,recvfrom,memset,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,memcpy,memcpy,htons,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htons,memcpy,htonl,memcpy,htons,memcpy,inet_addr,memcpy,memcpy,sendto,closesocket,closesocket,closesocket,WSACleanup
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 3 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Bootkit | 111 Process Injection | 1 Software Packing | Security Account Manager | 114 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 31 Security Software Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1558493 | Sample: PqZ6GU98Eh.exe | Startdate: 19/11/2024 | Architecture: WINDOWS | Score: 100

Sample start
  Domains: host123.zz.am; blogx.sina.com.cn; blog.sina.com.cn
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
  loaddll32.exe (started)
    rundll32.exe (started)
      IPs: 107.163.56.110, 18530 TAKE2US United States; 107.160.131.251, 18659 AS40676US United States; 2 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Creates an autostart registry key pointing to binary in C:\Windows; Queries disk data (e.g. SMART data)
    rundll32.exe (started)
      cmd.exe (started)
        Signatures: Uses ping.exe to sleep
        PING.EXE (started)
          IP: 127.0.0.1 unknown unknown
        conhost.exe (started)
    cmd.exe (started)
      Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      rundll32.exe (started)
    5 other processes
      Signatures: Contains functionality to infect the boot sector
      WerFault.exe (started)
      WerFault.exe (started)
  rundll32.exe (started)
    cmd.exe (started)
      conhost.exe (started)
      PING.EXE (started)
  rundll32.exe (started)
    cmd.exe (started)
      conhost.exe (started)
      PING.EXE (started)

Source | Detection | Scanner | Label
PqZ6GU98Eh.dll | 89% | ReversingLabs | Win32.Backdoor.Zegost
PqZ6GU98Eh.dll | 100% | Avira | TR/ATRAPS.Gen
PqZ6GU98Eh.dll | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://107.160.131.252:23588/article.phpF | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpC: | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.php~ | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpM | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.htmlr | 0% | Avira URL Cloud | safe
http://107.163.56.110:18530/u1129.html | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpH | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpk | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.php? | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.php. | 0% | Avira URL Cloud | safe
http://107.160.131.251:18659/ | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpd | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpa | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.php | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpZ | 0% | Avira URL Cloud | safe
http://107.160.131.251:18659//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWnte4mdu | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phprams | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpS | 0% | Avira URL Cloud | safe
http://107.160.131.252:23588/article.phpT | 0% | Avira URL Cloud | safe
http://107.160.13I | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blogx.sina.com.cn | 202.108.0.52 | true | false | | high
host123.zz.am | unknown | unknown | false | | unknown
blog.sina.com.cn | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://blog.sina.com.cn/u/5762479093n | rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093zV | rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpH | rundll32.exe, 00000007.00000002.3760112251.00000000034CA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.htmlr | rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.phpM | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093zT | rundll32.exe, 00000007.00000003.2939251188.0000000006487000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939855292.0000000006487000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093t | rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093r | rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/57624790930 | rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpF | rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2494306123.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.163.56.110:18530/u1129.html | rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.phpC: | rundll32.exe, 00000007.00000002.3771573379.0000000005FBD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3771794103.00000000061DA000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.12.dr | false | | high
http://blog.sina.com.cn/u/5762479093Z | rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/%s | rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093 | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2494306123.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.0000000003525000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.00000000034EB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3260593837.0000000006499000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.php? | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.php~ | rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093$ | rundll32.exe, 00000007.00000002.3771982277.00000000063FD000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/%sProgramDataProg | rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpk | rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093zr | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093H | rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.php. | rundll32.exe, 00000007.00000002.3760112251.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093ni | rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3772061280.0000000006480000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3381146165.0000000006483000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpa | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3623242753.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3622431383.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.251:18659/ | rundll32.exe, rundll32.exe, 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093zA | rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.php | rundll32.exe, rundll32.exe, 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.phpd | rundll32.exe, 00000007.00000002.3771794103.00000000061DA000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093niT | rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/%s% | rundll32.exe, 00000007.00000002.3758630598.0000000003390000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093niV | rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpZ | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2697799741.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093z | rundll32.exe, 00000007.00000003.3421178447.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.0000000003521000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.251:18659//joy.asp?sid=rungnejcodjgn0uWFe5vteX8v2LUicbtudb8mtiWnte4mdu | rundll32.exe, 00000007.00000003.1582709299.0000000003495000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093; | rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://blog.sina.com.cn/u/5762479093x | rundll32.exe, 00000007.00000003.1729398285.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808352739.0000000003524000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100074466.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3564519215.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3100153419.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1849335084.0000000003525000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2537192119.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.13I | rundll32.exe, 00000007.00000002.3771573379.0000000005FBD000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3771502515.0000000005F3D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.phpS | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1808406627.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093D | rundll32.exe, 00000007.00000003.3582242143.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://107.160.131.252:23588/article.phpT | rundll32.exe, 00000007.00000003.3140565267.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858296222.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818743078.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2016732941.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2858806576.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729230318.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3024327408.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3140034350.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2938863340.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2779233177.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3762151334.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2818402463.000000000351C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1729431286.000000000351C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://107.160.131.252:23588/article.phprams | rundll32.exe, 00000007.00000002.3760112251.00000000034A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.sina.com.cn/u/5762479093ni_ | rundll32.exe, 00000007.00000003.3300874384.0000000006483000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939251188.0000000006487000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2939855292.0000000006487000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                        high
                                                        http://blog.sina.com.cn/u/5762479093z-rundll32.exe, 00000007.00000002.3760112251.000000000343A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
IP               Domain             Country        ASN    ASN Name                                         Malicious
107.160.131.251  unknown            United States  40676  AS40676US                                        true
202.108.0.52     blogx.sina.com.cn  China          4808   CHINA169-BJChinaUnicomBeijingProvinceNetworkCN   false
107.160.131.252  unknown            United States  40676  AS40676US                                        true
107.163.56.110   unknown            United States  20248  TAKE2US                                          true
                                                          IP
                                                          127.0.0.1
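The IP table and the URL strings recovered from rundll32.exe memory (listed above) are what a responder turns into detections. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the fused cells the way they appear on this page, collapses the memory URL variants to their common prefix, and emits Suricata rules. Assumptions the report does not make: that the characters on which the URL variants differ (S, T, rams, x, D, ni_, z-) are adjacent memory bytes rather than part of the URL, that the cut-off string http://107.160.13I is a fragment to discard, and the SID range and LOCAL_MALWARE message prefix, which are placeholders for a local rule set.

```python
# Added example (not part of the Joe Sandbox report): fused IOC rows -> Suricata rules.
import ipaddress
import re
from dataclasses import dataclass
from os.path import commonprefix
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# IP table rows as the extraction left them: (IP, "domain+country", "asn+name+cc+malicious").
IP_ROWS = [
    ("107.160.131.251", "unknownUnited States", "40676AS40676UStrue"),
    ("202.108.0.52", "blogx.sina.com.cnChina",
     "4808CHINA169-BJChinaUnicomBeijingProvinceNetworkCNfalse"),
    ("107.160.131.252", "unknownUnited States", "40676AS40676UStrue"),
    ("107.163.56.110", "unknownUnited States", "20248TAKE2UStrue"),
]

# URL strings from rundll32.exe memory as listed in the report, trailing bytes included.
MEMORY_URLS = [
    "http://107.160.131.252:23588/article.phpS",
    "http://107.160.131.252:23588/article.phpT",
    "http://107.160.131.252:23588/article.phprams",
    "http://blog.sina.com.cn/u/5762479093x",
    "http://blog.sina.com.cn/u/5762479093D",
    "http://blog.sina.com.cn/u/5762479093ni_",
    "http://blog.sina.com.cn/u/5762479093z-",
    "http://107.160.13I",  # cut-off fragment; normalise_urls drops it
]

SID_BASE = 9000000  # assumption: a local-rules SID range


@dataclass(frozen=True)
class HostIoc:
    ip: str
    domain: Optional[str]
    country: str
    asn: int
    asn_name: str
    asn_country: str
    malicious: bool


_ASN_CELL = re.compile(r"^(\d+)(.*?)([A-Z]{2})(true|false)$")
_DOMAIN_CELL = re.compile(r"^([a-z0-9.\-]+)(.*)$")


def parse_asn_cell(cell: str) -> Tuple[int, str, str, bool]:
    """'40676AS40676UStrue' -> (40676, 'AS40676', 'US', True)."""
    m = _ASN_CELL.match(cell)
    if m is None:
        raise ValueError(f"unrecognised ASN cell: {cell!r}")
    return int(m[1]), m[2], m[3], m[4] == "true"


def parse_domain_cell(cell: str) -> Tuple[Optional[str], str]:
    """'blogx.sina.com.cnChina' -> ('blogx.sina.com.cn', 'China'); the country
    name starts at the first capital. 'unknown' means no reverse name."""
    m = _DOMAIN_CELL.match(cell)
    if m is None:
        raise ValueError(f"unrecognised domain cell: {cell!r}")
    return (None if m[1] == "unknown" else m[1]), m[2]


def parse_ip_rows(rows) -> List[HostIoc]:
    out = []
    for ip, domain_cell, asn_cell in rows:
        domain, country = parse_domain_cell(domain_cell)
        asn, name, cc, malicious = parse_asn_cell(asn_cell)
        out.append(HostIoc(ip, domain, country, asn, name, cc, malicious))
    return out


def _plausible_host(host: str) -> bool:
    """A valid IP literal, or a name whose last label is alphabetic; this
    rejects cut-off fragments such as '107.160.13i'."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"[a-z]{2,}", host.rsplit(".", 1)[-1]) is not None


def normalise_urls(raw: List[str]) -> List[str]:
    """Group strings by scheme+netloc and keep the longest common path prefix per
    group. Assumption: the bytes the variants differ on are memory noise after the
    real string. A group with one observation keeps its path as seen."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for u in raw:
        p = urlsplit(u)
        if not p.hostname or not _plausible_host(p.hostname):
            continue
        groups.setdefault((p.scheme, p.netloc), []).append(p.path)
    return sorted(f"{s}://{n}{commonprefix(paths)}" for (s, n), paths in groups.items())


def _content(s: str) -> str:
    """Escape what Suricata treats specially inside content:"..." and msg:"..."."""
    s = s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return s.replace("|", "|7C|")


def suricata_rules(hosts: List[HostIoc], urls: List[str]) -> List[str]:
    """One 'alert ip' rule per malicious host, one narrow HTTP rule per URL
    (host + URI prefix, so unrelated traffic to a shared host such as
    blog.sina.com.cn is not flagged). SIDs are allocated sequentially."""
    rules, sid = [], SID_BASE
    for h in hosts:
        if not h.malicious:
            continue
        sid += 1
        rules.append(f'alert ip $HOME_NET any -> {h.ip} any (msg:"LOCAL_MALWARE traffic to '
                     f'{h.ip} (AS{h.asn} {_content(h.asn_name)})"; classtype:trojan-activity; '
                     f"sid:{sid}; rev:1;)")
    for u in urls:
        p = urlsplit(u)
        if p.scheme != "http" or not p.path or not p.hostname:
            continue
        sid += 1
        rules.append(f'alert http $HOME_NET any -> $EXTERNAL_NET {p.port or 80} '
                     f'(msg:"LOCAL_MALWARE HTTP request to {_content(p.netloc + p.path)}"; '
                     f'flow:established,to_server; http.host; content:"{_content(p.hostname)}"; '
                     f'http.uri; content:"{_content(p.path)}"; startswith; '
                     f"classtype:trojan-activity; sid:{sid}; rev:1;)")
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(parse_ip_rows(IP_ROWS), normalise_urls(MEMORY_URLS)):
        print(rule)
```

The HTTP rule is deliberately keyed on host plus URI prefix rather than on the host alone: blog.sina.com.cn carries a high reputation in the table above and only the specific profile path is of interest, whereas the three AS40676/TAKE2 addresses are flagged as malicious and get a protocol-agnostic `alert ip` rule, which also covers the non-standard-port traffic the report notes.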
                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1558493
                                                          Start date and time:2024-11-19 14:21:19 +01:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 9m 11s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:36
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:PqZ6GU98Eh.dll
                                                          (renamed file extension from exe to dll, renamed because original name is a hash value)
                                                          Original Sample Name:1769d1508eb64a59d5a06a4c590aeed13052e173.dll.exe
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winDLL@37/10@49/5
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 80
                                                          • Number of non-executed functions: 159
                                                          Cookbook Comments:
                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.65.92
                                                          • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, onedsblobprdcus17.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • VT rate limit hit for: PqZ6GU98Eh.dll
Time      Type             Description
08:22:23  API Interceptor  721126x Sleep call for process: rundll32.exe modified
08:22:27  API Interceptor  1x Sleep call for process: loaddll32.exe modified
08:25:06  API Interceptor  2x Sleep call for process: WerFault.exe modified
Match            Associated Sample Name / URL  Detection  Threat Name  Context
202.108.0.52     VqCbf9fhnQ.exe                malicious  Unknown      blog.sina.com.cn/u/5655029807
202.108.0.52     k4F4uRTZZR.dll                malicious  Unknown      blog.sina.com.cn/u/5655029807
202.108.0.52     5jme4p7u76.exe                malicious  Unknown      blog.sina.com.cn/u/5655029807
107.163.56.110   b3sV534MMf.dll                malicious  Unknown
107.163.56.110   MYuRWuVXzX.dll                malicious  Unknown
107.163.56.110   81mieek02V.dll                malicious  Unknown
107.163.56.110   Vb1S2HJcnN.dll                malicious  Unknown
107.163.56.110   02hNixBIvP.exe                malicious  Unknown
107.163.56.110   abc.dll                       malicious  Unknown
Match              Associated Sample Name / URL  Detection  Threat Name  Context
blogx.sina.com.cn  b3sV534MMf.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  NaRZIOq3O8.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  33twe7X26S.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  MYuRWuVXzX.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  yKVQVNB2qI.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  gmqIbj35WF.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  81mieek02V.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  Vb1S2HJcnN.dll                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  VqCbf9fhnQ.exe                malicious  Unknown      202.108.0.52
blogx.sina.com.cn  k4F4uRTZZR.dll                malicious  Unknown      202.108.0.52
Match                                           Associated Sample Name / URL         Detection  Threat Name   Context
AS40676US                                       81mieek02V.dll                       malicious  Unknown       107.160.131.254
AS40676US                                       Vb1S2HJcnN.dll                       malicious  Unknown       107.160.131.254
AS40676US                                       Malwarebytes Premium v4.6.8.311.exe  malicious  Unknown       41.216.183.30
AS40676US                                       Fdoze89ykv.js                        malicious  Mint Stealer  45.61.137.33
AS40676US                                       QKS3UTHFX9.js                        malicious  Unknown       45.61.137.33
AS40676US                                       5z3Wzl6uag.js                        malicious  Unknown       45.61.137.33
AS40676US                                       e8HOp8k5Kj.js                        malicious  Unknown       45.61.137.33
AS40676US                                       Fdoze89ykv.js                        malicious  Mint Stealer  45.61.137.33
AS40676US                                       QKS3UTHFX9.js                        malicious  Unknown       45.61.137.33
AS40676US                                       5z3Wzl6uag.js                        malicious  Unknown       45.61.137.33
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  b3sV534MMf.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  NaRZIOq3O8.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  33twe7X26S.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  MYuRWuVXzX.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  yKVQVNB2qI.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  gmqIbj35WF.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  81mieek02V.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  Vb1S2HJcnN.dll                       malicious  Unknown       202.108.0.52
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  owari.mips.elf                       malicious  Unknown       111.193.177.206
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN  owari.x86.elf                        malicious  Unknown       60.194.199.155
TAKE2US                                         b3sV534MMf.dll                       malicious  Unknown       107.163.56.110
TAKE2US                                         NaRZIOq3O8.dll                       malicious  Unknown       107.163.241.193
TAKE2US                                         33twe7X26S.dll                       malicious  Unknown       107.163.241.193
TAKE2US                                         MYuRWuVXzX.dll                       malicious  Unknown       107.163.56.110
TAKE2US                                         JwLT3elUtn.dll                       malicious  Unknown       107.163.43.161
TAKE2US                                         yKVQVNB2qI.dll                       malicious  Unknown       107.163.56.240
TAKE2US                                         46PhJ3XpBT.dll                       malicious  Unknown       107.163.43.236
TAKE2US                                         01JkTmNJhe.dll                       malicious  Unknown       107.163.43.235
TAKE2US                                         oQy3XhO4cX.dll                       malicious  Unknown       107.163.56.251
TAKE2US                                         gmqIbj35WF.dll                       malicious  Unknown       107.163.56.240
                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                      File Type:ISO-8859 text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):608
                                                                      Entropy (8bit):4.259122531986323
                                                                      Encrypted:false
                                                                      SSDEEP:12:8cbwWX40ezgeQjn9sHnuY1ppppppppppppppppppppA:8awWorzPQjn9sHnXpppppppppppppppq
                                                                      MD5:4AB3DB35B3C1BFAE4747F3C35A6313C7
                                                                      SHA1:451FE65CB76BAB611D3B93C24160A383D0A3F308
                                                                      SHA-256:9E90B700B811744A61352722F94B89A2EC752604BAD44339F69F4B73C039DA92
                                                                      SHA-512:BD52755863A756A6A4E1591965C1B69D4D7C83407EBBC4E9D2D9EAB87DB699790986D6FC5F9B1AD72D0B19D071391BE23D942D4D721FF521C6E36B6B1FDAB8CF
                                                                      Malicious:false
                                                                      Preview:..2024-11-21 11:37..iOffset....2024-11-23 04:08..iOffset....2024-11-23 23:16..iOffset....2024-11-24 20:44..iOffset....2024-11-25 17:37..iOffset....2024-11-27 14:33..iOffset....2024-11-28 17:31..iOffset....2024-12-01 10:19..iOffset....2024-12-05 04:26..iOffset....2024-12-07 23:39..iOffset....2024-12-11 16:39..iOffset....2024-12-21 15:38..iOffset....2025-03-10 04:04..iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset....iOffset..
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):65536
                                                                      Entropy (8bit):0.9511927230693336
                                                                      Encrypted:false
                                                                      SSDEEP:192:3miuO130BU/wjeTDWaZYzuiFfZ24IO8dci:2iv1EBU/wje3bYzuiFfY4IO8dci
                                                                      MD5:912B59BC4C803F8DB3A1BDBA45B0897C
                                                                      SHA1:60B3E11806F616E32CBB6781FD41DE9197183874
                                                                      SHA-256:1530EC29567FF1AF42DEF91E30BDABD5F429B1B65AF2B6C17FF265424A90FEDF
                                                                      SHA-512:B38B26CF12A96C751DBE75013EB74E9D35B65FA74D5AFD8272110C96A10EE69A0450876B51D6DBF11B2179196FCAECE3C80B0D6848E8681325976F9329DBD13F
                                                                      Malicious:false
                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.1.4.7.9.1.1.1.1.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.1.4.8.6.2.9.8.5.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.e.f.c.6.1.0.-.0.b.7.8.-.4.f.c.4.-.b.2.0.0.-.7.2.8.2.9.5.4.e.4.8.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.d.7.9.4.8.b.-.3.c.e.e.-.4.e.3.3.-.b.e.1.5.-.f.b.c.6.a.0.9.4.2.9.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.0.-.0.0.0.1.-.0.0.1.4.-.0.3.1.e.-.f.e.1.3.8.6.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):65536
                                                                      Entropy (8bit):0.9517538086454127
                                                                      Encrypted:false
                                                                      SSDEEP:192:VxriqOTFv0BU/wjeTjW6ZYzuiFWZ24IO8dciq:7riLxcBU/wjeX7YzuiFWY4IO8dci
                                                                      MD5:827468760487CB99A9FE5A325C850989
                                                                      SHA1:254607826161487386D6EF7716146CE4D1E1B973
                                                                      SHA-256:65410D5B457CC4B9F99F113AD9FB928239B3BF90594719C122CB4EF49F8C7411
                                                                      SHA-512:681EF9C061ADEA921D9BBE87EE71A019B232953B7EDFDAAC4BCD32AE72200D8625A16B1F399AE8F62F460907EBB72684B71DF7D24F17774EBE986AA865C0270C
                                                                      Malicious:false
                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.4.9.6.1.4.4.5.8.6.9.9.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.4.9.6.1.4.5.7.4.3.2.5.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.d.5.2.f.2.6.-.c.b.b.6.-.4.a.2.1.-.8.c.1.4.-.7.a.c.7.d.8.6.0.6.8.9.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.e.6.8.f.f.0.-.6.0.0.c.-.4.0.6.5.-.b.d.8.e.-.9.3.d.9.8.8.7.7.2.8.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.f.8.-.0.0.0.1.-.0.0.1.4.-.8.3.b.3.-.1.a.1.2.8.6.3.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:22:25 2024, 0x1205a4 type
                                                                      Category:dropped
                                                                      Size (bytes):43440
                                                                      Entropy (8bit):2.0592940369021573
                                                                      Encrypted:false
                                                                      SSDEEP:192:1m1AYzZGDXtXwfO5H4OKnjRn1Zuw5WshHhzKkWlL:0ZzZG/5HnKnjVLuw0shHWlL
                                                                      MD5:0605F71948A69AE05108EA800F16BE9B
                                                                      SHA1:B327338C8F678D58B661F6CF39BED6C146F5E02F
                                                                      SHA-256:46F169AA397329174CADAF7CDF0067C1C6881CD477471440E8D22DE10FA72673
                                                                      SHA-512:FFEB4FA412EE02ED291BB3C4B3130E005CC4D0F42FCA940FF3273F48F8FECAD90AFB8F1EF60A6CF878676DAE1DCA0F3853650BCD4BD17EBF12D0FD8335AC4134
                                                                      Malicious:false
                                                                      Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T..........................L...........8...............................................................................eJ..............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8274
                                                                      Entropy (8bit):3.6936211693366414
                                                                      Encrypted:false
                                                                      SSDEEP:192:R6l7wVeJb56h9nf6Y6u6Z6gmfTxwprt89bbrsf7Jm:R6lXJV6z6YD6Z6gmfTxfbwf4
                                                                      MD5:4CE4472394129D4B7CD035B74D9AA9B1
                                                                      SHA1:59551DE41068425B6D9152CCECD079D736B1D3DB
                                                                      SHA-256:A237347365D705432DF17B8D5C98662055D696BB5735DC217621A1AE528AFC31
                                                                      SHA-512:2C8C88450610BA6C1E6B1F6B96EAD8F47DF67B3768355B407F9914B5879C23034602939E9619B5E591D4DFA968ECD94C3320B0ADB70125B20319CA38A0FB5BDD
                                                                      Malicious:false
                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.2.8.<./.P.i.
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4654
                                                                      Entropy (8bit):4.463492655663348
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwWl8zsYJg77aI9zAWpW8VY0Ym8M4JCdPOF34W+q8/AA3GScSad:uIjfeI7d57VUJD4W43J3ad
                                                                      MD5:26AF9BE3F696A14999811DBE01EEDDDB
                                                                      SHA1:C88105F35A07C3238127BAEC291AFDB457328E71
                                                                      SHA-256:50736FB3CAE0580BF813DB2EC7B4F23C3365845164ECDB50546BD88CF99A7B70
                                                                      SHA-512:ADA8ED19575B5B6FC287E94E8EB0F2048E37655829FFC9EDE5D50A171C713C576AEE27B844F5CABB46D547ACE75ECF17888A4302E9355CE2C28FCF8D58A15A05
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Tue Nov 19 13:22:28 2024, 0x1205a4 type
                                                                      Category:dropped
                                                                      Size (bytes):43846
                                                                      Entropy (8bit):2.058283206385215
                                                                      Encrypted:false
                                                                      SSDEEP:192:Q7xY9Zm3DXtXrM2O5H4+83/ya3Pv1gppyQjHsN:V9Zm31MB5H3M/v3Pv6ppu
                                                                      MD5:16E7B2052BC92CDDE2836832F5105CE3
                                                                      SHA1:B6CD8609F3DC3EB23F26EAA4F0C7423AE21ACB4E
                                                                      SHA-256:07E90E5E9FE6BCDAB61EF30324EE729F9365DD57A19BDD2447A82105F56A32B9
                                                                      SHA-512:925D31294EB4451A26A1096E51B18211B67D780F8DD437C13C566EB60E09F595552C3ECD1C00B9EBE4A4F4D7836B83587D846CFCC461820FEA553739EF3F5A99
                                                                      Malicious:false
                                                                      Preview:MDMP..a..... .........<g........................................V/..........T.......8...........T...........................L...........8...............................................................................eJ..............GenuineIntel............T.............<g.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8268
                                                                      Entropy (8bit):3.6918054171461514
                                                                      Encrypted:false
                                                                      SSDEEP:192:R6l7wVeJx56hCD6YKQH6zgmfTZwprO89buGsfH6m:R6lXJP6G6YvH6zgmfTZSulfr
                                                                      MD5:7136058C5F15943AE07F24D1D1578C2C
                                                                      SHA1:17C7EA066B131731BCF22FFCD94AAD273F03DBC1
                                                                      SHA-256:F6D7713B78D9044BFEC6259BA106FF626C04E70676247896A9C4D155BE95B666
                                                                      SHA-512:2DC19D9C1721BE9677A2B25209DF1DEC210CF60D80D38F49D43A87E8845442D222E35FD4C09B3CA52B289FB1B8F1E11F8FE18C1218F5678FD5FFA5ED19B94FB7
                                                                      Malicious:false
                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.4.<./.P.i.
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4654
                                                                      Entropy (8bit):4.461515937367322
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwWl8zsYJg77aI9zAWpW8VYDYm8M4JCdPSFRE+q8/A8GScSNd:uIjfeI7d57VPJZEUJ3Nd
                                                                      MD5:63D13A025C712434D235CEB686C4F417
                                                                      SHA1:50088EF8018AD393638322579A61B92FC61E9248
                                                                      SHA-256:1E637526F7F89F3F3301A1F72EEAD279318503A3B40AFFDF63277087A1B8F27E
                                                                      SHA-512:E1ACBC81B896238898143D9FE47913F25A4B9E4D428BE016F367B0943C2A92ECFBA2D13405666F7D8337999A1854DDDE068609F79D9FBE8A27EA7A85E45B9768
                                                                      Malicious:false
                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="594985" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                      Category:dropped
                                                                      Size (bytes):1835008
                                                                      Entropy (8bit):4.4174470536467085
                                                                      Encrypted:false
                                                                      SSDEEP:6144:Ccifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNo5+:vi58oSWIZBk2MM6AFBWo
                                                                      MD5:B41C4BB5E1C3C8C6FA1FD1EC42D68770
                                                                      SHA1:A1B3DB57D0D64A8B32E4339BA3BB124FDB6829DD
                                                                      SHA-256:91BB064995DAFDC78B538009E91057A7D09AD14FF940D42B85B0410364653D70
                                                                      SHA-512:458066144E6276B11A4FE7325950423D9115103890E8A71B4D29523F434C35D49E9DDA478A88C4C74A95C2125CE211DA884EE92D06E928D1A7BC54AD4D0C7D26
                                                                      Malicious:false
                                                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&.L..:...............................................................................................................................................................................................................................................................................................................................................c[&........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      File type:MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.624619412185055
                                                                      TrID:
                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.38%
                                                                      • DOS Executable Borland Pascal 7.0x (2037/25) 0.20%
                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                      • Lumena CEL bitmap (63/63) 0.01%
                                                                      File name:PqZ6GU98Eh.dll
                                                                      File size:172'147 bytes
                                                                      MD5:5e7eabdb5af832e2b542ae28665276e9
                                                                      SHA1:1769d1508eb64a59d5a06a4c590aeed13052e173
                                                                      SHA256:2b19db48c09781c68cc147cdd979e440bb4a66d506f27c5040ef2d2018a9b941
                                                                      SHA512:73406e7a2584b6a4a67e6c0659e3db91e7eefd35d0d4e49b79a14f89444bef1fb94ecb85464b91129cfb54264f4c972b0abd47c5310a5370678969866c9a8260
                                                                      SSDEEP:3072:S7V3SNXUq1/6D9sqWccAkxZbd3KScuk+pxEodfSBaMKslWR:S7eX/1wSSyxd5lJpVdfSBaMKCK
                                                                      TLSH:29F302A26F048CF4F41E47711923C95EFF2825EB876D4542FBDAE1C62D322646C582FA
                                                                      File Content Preview:MZ.............................................................................................................................................................................................................................................................
                                                                      Icon Hash:7ae282899bbab082
                                                                      Entrypoint:0x10051bad
                                                                      Entrypoint Section:.desa1
                                                                      Digitally signed:false
                                                                      Imagebase:0x10000000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:0
                                                                      OS Version Minor:0
                                                                      File Version Major:0
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:0
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:477b33aa85ee02251983b9517e70ab7c
                                                                      Instruction
                                                                      pushad
                                                                      jmp 00007F564C847DB6h
                                                                      dec di
                                                                      dec al
                                                                      rcr cl, cl
                                                                      sub edi, ebx
                                                                      xor al, 08h
                                                                      push 3B5755DAh
                                                                      shr di, cl
                                                                      movzx cx, bl
                                                                      call 00007F564C8319E4h
                                                                      pushad
                                                                      pushfd
                                                                      imul edx, edx, 0000000Ah
                                                                      clc
                                                                      call 00007F564C8476B7h
                                                                      fdivr st(0), st(0)
                                                                      and byte ptr [ebx-5Ch], bl
                                                                      sbb al, 25h
                                                                      cmp eax, 5E2977B3h
                                                                      cwde
                                                                      xchg eax, ebp
                                                                      adc eax, eax
                                                                      inc eax
                                                                      out dx, eax
                                                                      out 26h, al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x52ca8          0x63          .desa1
IMAGE_DIRECTORY_ENTRY_IMPORT          0x38048          0x118         .desa1
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x59000          0x1000
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x58000          0xac          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4e348          0x2e4         .desa1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0xc4fc        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0xe000           0x356d        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x12000          0x5fd8        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.desa0  0x18000          0x182b4       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.desa1  0x31000          0x2677e       0x27000   74c4708ee202861e285db4b938e87055  False     0.9465019030448718  data       7.8977885745474365  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x58000          0xac          0x1000    cbeafa48c876ac7fdebdfa366d0294bf  False     0.04296875          data       0.3266076913467547  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x59000          0x25e         0x1000    8438bcffbff592775ca4f0670168eb2d  False     0.02880859375       data       0.24813886108529037 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
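The section table above is the layout behind the "Entry point lies outside standard sections" signature: .text, .rdata, .data and .desa0 have a virtual size but a raw size of 0x0 (their MD5 is that of the empty string), while .desa1 is readable, writable and executable, has an entropy of about 7.9, and contains the entry point (0x10051bad minus the image base 0x10000000 gives RVA 0x51bad). The script below is an added example, not part of the Joe Sandbox report and not the sample's code: it reads PE32 headers with the standard library only and scores exactly these indicators. So that it runs offline it also builds a constructed image with the same section layout (filler bytes, not the real sample). The names in STANDARD_CODE_SECTIONS and the 7.0 entropy threshold are assumptions chosen for the example.

```python
"""Parse PE32 headers by hand and score the packer tells visible in a section table.
Constructed example: the image built in build_sample_image() only mirrors the
report's layout; the payload is filler, not the sample's code."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", "INIT"}  # assumption: names a linker normally emits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 reader: COFF header, a few optional-header fields, section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]    # ImageBase
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]     # DllCharacteristics
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, chars = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "image_base": image_base,
            "dll_chars": dll_chars, "sections": sections}


def packer_indicators(pe: dict) -> list:
    """Human-readable findings; each is a heuristic, not proof of packing."""
    hits = []
    ep = pe["entry_rva"]
    home = [s for s in pe["sections"] if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])]
    if not home:
        hits.append("entry point outside any section")
    elif home[0]["name"] not in STANDARD_CODE_SECTIONS:
        hits.append(f"entry point in non-standard section {home[0]['name']}")
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append(f"{s['name']}: no raw data but 0x{s['vsize']:x} bytes virtual (filled at runtime)")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{s['name']}: writable and executable")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
    if pe["timestamp"] == 0:
        hits.append("zeroed link timestamp")
    if pe["dll_chars"] == 0:
        hits.append("empty DllCharacteristics (no ASLR/NX opt-in)")
    return hits


def build_sample_image() -> bytes:
    """Constructed PE32 DLL with the report's section layout; filler bytes, not malware."""
    def section(name, va, vsize, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    rwx = rx | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE
    r = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    payload = bytes(range(256)) * 16   # uniform byte distribution: entropy 8.0, stands in for packed code
    reloc = bytes(0x200)               # all zeros: entropy 0.0
    secs = [section(b".text", 0x1000, 0xC4FC, 0, 0, rx),
            section(b".desa1", 0x31000, 0x2677E, len(payload), 0x200, rwx),
            section(b".reloc", 0x58000, 0xAC, len(reloc), 0x200 + len(payload), r)]
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x51BAD)          # entry RVA inside .desa1, as in the report
    struct.pack_into("<I", opt, 28, 0x10000000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x210E)  # timestamp 0, DLL
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(secs)).ljust(0x200, b"\0")
    return headers + payload + reloc


if __name__ == "__main__":
    for finding in packer_indicators(parse_pe(build_sample_image())):
        print(finding)
```

Point parse_pe at a real file's bytes to get the same findings for it; the zero-raw-size sections and the writable, executable, high-entropy section holding the entry point are the combination to look for, since any one of them alone also occurs in benign binaries.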
Name       RVA      Size  Type  Language  Country        ZLIB Complexity
RT_BITMAP  0x590d0  0x50  data  English   United States  0.15
RT_BITMAP  0x59120  0x50  data  English   United States  0.15
RT_DIALOG  0x59170  0xee  data  English   United States  0.05042016806722689
DLL           Imports
MFC42.DLL     (no named imports listed)
MSVCRT.dll    strchr, strncpy, sscanf, _EH_prolog, __CxxFrameHandler, wcscat, memcpy, malloc, free, strcpy, srand, memcmp, strrchr, strcat, time, localtime, strftime, vsprintf, sprintf, strlen, memset, rand, atoi, strcspn, strstr, _CxxThrowException, tolower, toupper, strcmp, _strcmpi, wcslen, _mbsicmp, __dllonexit, _onexit, ??1type_info@@UAE@XZ, _initterm, _adjust_fdiv
KERNEL32.dll  UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, GetFileInformationByHandle, FileTimeToSystemTime, SystemTimeToFileTime, FormatMessageA, CreateProcessA, GetLocalTime, lstrcatA, DeviceIoControl, LocalFree, InterlockedIncrement, InterlockedExchange, CreateMutexA, GetLastError, WinExec, lstrcpyA, LoadLibraryA, GetProcAddress, CloseHandle, WriteFile, SetFilePointer, CreateFileA, GetModuleFileNameA, GetCurrentProcess, WideCharToMultiByte, WaitForSingleObject, CreateThread, GetCurrentProcessId, TerminateProcess, OpenProcess, GetTickCount, MoveFileExA, DeleteFileA, Sleep, lstrlenA, FreeLibrary, FindClose, FindNextFileA, FindFirstFileA, ReadFile, GetFileSize, InterlockedDecrement, GetSystemInfo, WriteProcessMemory, CreateDirectoryA, ReadProcessMemory, VirtualQueryEx, GlobalFree, GlobalAlloc, GetVersionExA, GetSystemDefaultUILanguage, GlobalMemoryStatusEx, MultiByteToWideChar, GetSystemDirectoryA
USER32.dll    wsprintfA, GetDesktopWindow
ADVAPI32.dll  LookupPrivilegeValueA, RegQueryInfoKeyA, RegEnumValueA, AdjustTokenPrivileges, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, OpenProcessToken
WS2_32.dll    WSACleanup, htons, closesocket, htonl, sendto, send, __WSAFDIsSet, recv, connect, setsockopt, WSAIoctl, WSAStartup, socket, ntohs, inet_addr, bind, ioctlsocket, select, recvfrom, WSAGetLastError
SHLWAPI.dll   PathIsDirectoryA, PathFileExistsA, StrStrIA
ole32.dll     CoInitializeSecurity, CoUninitialize, CoInitializeEx, CoSetProxyBlanket, CoCreateInstance
OLEAUT32.dll  SafeArrayGetVartype, SafeArrayAccessData, SafeArrayUnaccessData, VariantChangeType, SysStringLen, SafeArrayCreate, SafeArrayDestroy, SysFreeString, SysAllocString, VariantClear, SysAllocStringByteLen, VariantInit
MSVCP60.dll   ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z, ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
NETAPI32.dll  Netbios
KERNEL32.dll  GetModuleFileNameW
KERNEL32.dll  GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
Name       Ordinal  Address
InputFile  1        0x1000678b
InvCMAP    2        0x10008656
PrintFile  3        0x1000443d
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 19, 2024 14:22:24.390034914 CET  49706        18659      192.168.2.7  107.160.131.251
Nov 19, 2024 14:22:24.390158892 CET  49707        18530      192.168.2.7  107.163.56.110
Nov 19, 2024 14:22:25.390558958 CET  49706        18659      192.168.2.7  107.160.131.251
Nov 19, 2024 14:22:25.390772104 CET  49707        18530      192.168.2.7  107.163.56.110
Nov 19, 2024 14:22:27.406183958 CET  49706        18659      192.168.2.7  107.160.131.251
Nov 19, 2024 14:22:27.406234026 CET  49707        18530      192.168.2.7  107.163.56.110
Nov 19, 2024 14:22:31.406426907 CET  49706        18659      192.168.2.7  107.160.131.251
Nov 19, 2024 14:22:31.406444073 CET  49707        18530      192.168.2.7  107.163.56.110
Nov 19, 2024 14:22:39.406358957 CET  49706        18659      192.168.2.7  107.160.131.251
Nov 19, 2024 14:22:39.406361103 CET  49707        18530      192.168.2.7  107.163.56.110
Nov 19, 2024 14:22:49.451244116 CET  49733        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:49.451674938 CET  49734        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:50.453308105 CET  49734        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:50.453306913 CET  49733        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:52.453219891 CET  49733        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:52.453221083 CET  49734        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:52.897905111 CET  49759        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:53.486669064 CET  49764        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:53.941673994 CET  49767        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:53.948360920 CET  49768        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:54.484544039 CET  49764        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:54.953449965 CET  49767        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:54.953453064 CET  49768        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:56.487931013 CET  49764        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:56.968856096 CET  49768        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:56.968880892 CET  49767        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:57.503386974 CET  49793        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:57.612824917 CET  49795        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:57.615288973 CET  49796        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:58.515810013 CET  49793        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:22:58.625188112 CET  49796        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:22:58.765790939 CET  49795        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:23:00.531469107 CET  49793        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:23:00.640760899 CET  49796        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:23:00.781383038 CET  49795        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:23:01.516755104 CET  49834        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:23:01.667476892 CET  49837        23588      192.168.2.7  107.160.131.252
Nov 19, 2024 14:23:01.668337107 CET  49838        80         192.168.2.7  202.108.0.52
Nov 19, 2024 14:23:02.531420946 CET  49834        23588      192.168.2.7  107.160.131.252
                                                                      Nov 19, 2024 14:23:02.672048092 CET4983723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:02.672635078 CET4983880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:04.531444073 CET4983423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:04.687700987 CET4983723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:04.687753916 CET4983880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:05.532713890 CET4986923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:05.648269892 CET4987123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:05.649766922 CET4987280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:06.578325033 CET4986923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:06.640820026 CET4987280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:06.640820980 CET4987123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:08.578334093 CET4986923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:08.640815020 CET4987123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:08.641299009 CET4987280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:09.534961939 CET4990023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:09.644539118 CET4990223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:09.674745083 CET4990380192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:10.578385115 CET4990023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:10.640832901 CET4990223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:10.765858889 CET4990380192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:12.578351021 CET4990023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:12.640908003 CET4990223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:12.781526089 CET4990380192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:13.532303095 CET4993323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:13.649610043 CET4993580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:13.649691105 CET4993623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:14.547204971 CET4993323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:14.640850067 CET4993580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:14.656483889 CET4993623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:16.547255039 CET4993323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:16.656657934 CET4993580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:16.656688929 CET4993623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:17.547719002 CET4996523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:17.660706043 CET4996723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:17.662358999 CET4996880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:18.547250986 CET4996523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:18.672112942 CET4996723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:18.673527956 CET4996880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:20.547168970 CET4996523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:20.687796116 CET4996723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:20.689095974 CET4996880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:21.549902916 CET5000423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:21.670404911 CET5000623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:21.674798965 CET5000780192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:22.562808990 CET5000423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:22.672173977 CET5000623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:22.687791109 CET5000780192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:24.578448057 CET5000423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:24.672168970 CET5000623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:24.703396082 CET5000780192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:25.564007044 CET5003823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:25.677107096 CET5004023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:25.678742886 CET5004180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:26.578408957 CET5003823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:26.687859058 CET5004023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:26.687865019 CET5004180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:28.594094992 CET5003823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:28.689198017 CET5004023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:28.703454971 CET5004180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:29.594501019 CET5007223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:29.712740898 CET5007423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:29.713332891 CET5007580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:30.609749079 CET5007223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:30.719034910 CET5007580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:30.719058037 CET5007423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:32.609946966 CET5007223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:32.734719038 CET5007580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:32.734721899 CET5007423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:33.666954994 CET5010723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:33.788163900 CET5011023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:33.788775921 CET5011180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:34.672254086 CET5010723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:34.781642914 CET5011180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:34.781646013 CET5011023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:36.672666073 CET5010723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:36.781723022 CET5011180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:36.781723022 CET5011023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:37.680826902 CET5015123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:37.785722971 CET5015323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:37.786479950 CET5015480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:38.687903881 CET5015123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:38.797297955 CET5015323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:38.798703909 CET5015480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:40.703582048 CET5015123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:40.812972069 CET5015480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:40.812974930 CET5015323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:41.688723087 CET5019523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:41.800899982 CET5019823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:41.803658962 CET5019980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:42.703494072 CET5019523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:42.812908888 CET5019823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:42.812923908 CET5019980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:44.703609943 CET5019523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:44.828603983 CET5019823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:44.828604937 CET5019980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:45.706985950 CET5025123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:45.823230982 CET5025423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:45.824203014 CET5025580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:46.719156027 CET5025123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:46.828567028 CET5025580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:46.828629017 CET5025423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:48.734941959 CET5025123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:48.828592062 CET5025423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:48.844201088 CET5025580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:49.720284939 CET5031523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:49.836213112 CET5031823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:49.837250948 CET5031980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:50.734833002 CET5031523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:50.844199896 CET5031823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:50.845204115 CET5031980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:52.734833956 CET5031523588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:52.859842062 CET5031980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:52.860054016 CET5031823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:53.766707897 CET5039423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:53.879321098 CET5039823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:54.376015902 CET5040980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:54.781816006 CET5039423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:54.891061068 CET5039823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:55.391103983 CET5040980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:56.781774998 CET5039423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:56.906727076 CET5039823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:57.406745911 CET5040980192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:58.023382902 CET5046823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:58.148946047 CET5047023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:58.153476000 CET5047180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:59.031793118 CET5046823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:23:59.156776905 CET5047180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:23:59.159914017 CET5047023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:01.031768084 CET5046823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:01.156810999 CET5047180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:01.172389984 CET5047023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:02.050575018 CET5057023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:02.161205053 CET5057323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:02.163553953 CET5057480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:03.058851957 CET5057023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:03.181220055 CET5057480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:03.181226015 CET5057323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:05.071039915 CET5057023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:05.188049078 CET5057323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:05.189476967 CET5057480192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:06.063673019 CET5067323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:06.182588100 CET5067423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:06.188919067 CET5067580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:07.078654051 CET5067323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:07.188061953 CET5067423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:07.204186916 CET5067580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:09.078681946 CET5067323588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:09.203685045 CET5067580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:09.203773975 CET5067423588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:10.070143938 CET5081823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:10.197689056 CET5082023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:10.201378107 CET5082280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:11.078689098 CET5081823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:11.203705072 CET5082023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:11.204935074 CET5082280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:13.203671932 CET5081823588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:13.203788042 CET5082023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:13.203805923 CET5082280192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:14.082012892 CET5102223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:14.196099043 CET5103023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:14.197880030 CET5103180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:15.219338894 CET5102223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:15.222814083 CET5103180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:15.281821012 CET5103023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:17.219307899 CET5103180192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:17.219307899 CET5102223588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:17.357147932 CET5103023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:18.214754105 CET5120923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:18.218458891 CET5121080192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:18.218499899 CET5121123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:19.313065052 CET5120923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:19.313097000 CET5121080192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:19.342535973 CET5121123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:21.313270092 CET5120923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:21.314604044 CET5121080192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:21.391204119 CET5121123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:22.284704924 CET5134723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:22.597502947 CET5135580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:22.600604057 CET5135723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:23.313134909 CET5134723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:23.688134909 CET5135723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:23.703731060 CET5135580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:25.406856060 CET5134723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:25.719389915 CET5135580192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:25.781939983 CET5135723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:26.300474882 CET5153023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:26.417512894 CET5153880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:26.418992996 CET5153923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:27.391292095 CET5153023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:27.410856962 CET5153923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:27.565210104 CET5153880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:29.391253948 CET5153023588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:29.407046080 CET5153923588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:29.614340067 CET5153880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:30.317029953 CET5209123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:30.452646971 CET5211723588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:30.456291914 CET5211880192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:24:31.391278028 CET5209123588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:24:31.586747885 CET5211723588192.168.2.7107.160.131.252
Nov 19, 2024 14:24:31.586782932 CET  52118  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:33.467866898 CET  52091  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:33.688168049 CET  52117  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:33.688180923 CET  52118  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:34.344046116 CET  52984  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:34.516436100 CET  53014  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:34.519545078 CET  53015  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:35.406919003 CET  52984  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:35.516309023 CET  53015  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:35.523039103 CET  53014  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:37.516309023 CET  52984  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:37.516347885 CET  53015  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:37.569315910 CET  53014  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:38.347656965 CET  53965  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:38.564141989 CET  54028  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:38.569128036 CET  54029  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:39.391324997 CET  53965  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:39.578893900 CET  54028  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:39.703814030 CET  54029  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:41.485121012 CET  53965  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:41.684140921 CET  54028  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:41.703830004 CET  54029  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:42.370891094 CET  54975  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:42.478902102 CET  55015  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:42.479895115 CET  55017  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:43.406954050 CET  54975  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:43.516346931 CET  55015  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:43.516382933 CET  55017  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:45.516325951 CET  54975  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:45.516360044 CET  55015  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:45.516469002 CET  55017  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:46.401015997 CET  55737  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:46.685470104 CET  55831  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:46.686301947 CET  55832  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:47.594520092 CET  55737  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:47.782006979 CET  55832  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:47.782036066 CET  55831  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:49.688404083 CET  55737  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:49.872827053 CET  55832  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:49.872904062 CET  55831  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:50.413131952 CET  56796  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:50.623331070 CET  56838  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:50.627847910 CET  56839  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:51.516376019 CET  56796  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:51.688262939 CET  56839  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:51.719559908 CET  56838  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:53.516393900 CET  56796  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:53.719521046 CET  56838  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:53.737042904 CET  56839  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:54.425839901 CET  57818  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:54.693774939 CET  57885  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:55.081010103 CET  57951  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:55.469768047 CET  57818  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:55.882528067 CET  57885  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:56.219531059 CET  57951  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:57.594541073 CET  57818  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:57.985162973 CET  57885  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:58.219542980 CET  57951  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:58.440980911 CET  58592  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:58.602943897 CET  58638  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:58.606724977 CET  58641  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:24:59.485168934 CET  58592  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:59.719542027 CET  58638  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:24:59.719552994 CET  58641  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:01.529582977 CET  58592  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:01.719563961 CET  58638  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:01.719578028 CET  58641  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:02.455749035 CET  59589  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:02.747129917 CET  59676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:02.750041008 CET  59677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:03.610311985 CET  59589  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:03.782138109 CET  59676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:03.907063961 CET  59677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:05.703954935 CET  59589  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:05.791433096 CET  59676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:06.019299984 CET  59677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:06.456751108 CET  60405  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:06.573587894 CET  60450  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:06.573757887 CET  60451  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:07.538101912 CET  60405  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:07.660727024 CET  60451  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:07.703994989 CET  60450  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:09.579040051 CET  60405  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:09.688338995 CET  60451  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:09.719605923 CET  60450  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:10.546107054 CET  61222  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:11.189332008 CET  61254  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:11.196494102 CET  61256  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:11.719599962 CET  61222  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:12.282162905 CET  61256  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:12.282177925 CET  61254  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:13.719805002 CET  61222  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:14.282151937 CET  61254  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:14.282177925 CET  61256  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:14.550602913 CET  62120  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:14.670041084 CET  62147  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:14.671257019 CET  62148  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:15.688389063 CET  62147  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:15.704051971 CET  62120  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:15.704051971 CET  62148  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:17.688395977 CET  62147  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:17.719649076 CET  62120  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:17.719717026 CET  62148  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:18.565942049 CET  62714  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:18.744560957 CET  62772  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:18.746304989 CET  62774  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:19.594646931 CET  62714  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:19.907232046 CET  62772  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:19.907288074 CET  62774  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:21.634311914 CET  62714  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:21.907159090 CET  62772  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:21.907346010 CET  62774  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:22.568047047 CET  63615  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:22.887020111 CET  63712  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:22.887412071 CET  63714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:23.719666958 CET  63615  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:23.891551971 CET  63712  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:23.891552925 CET  63714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:25.813446999 CET  63615  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:25.891547918 CET  63712  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:25.891562939 CET  63714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:26.593744993 CET  64640  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:26.815785885 CET  64676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:26.818260908 CET  64677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:27.688484907 CET  64640  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:27.877377033 CET  64677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:27.907243967 CET  64676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:29.779330969 CET  64640  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:29.891580105 CET  64677  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:30.016661882 CET  64676  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:30.599875927 CET  65509  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:30.852547884 CET  49182  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:30.856098890 CET  49184  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:31.719697952 CET  65509  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:31.891618013 CET  49182  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:31.895051956 CET  49184  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:33.719717979 CET  65509  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:33.982323885 CET  49182  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:33.982356071 CET  49184  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:34.634529114 CET  50096  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:34.807869911 CET  50150  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:34.808540106 CET  50151  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:35.773727894 CET  50096  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:35.891604900 CET  50151  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:35.907239914 CET  50150  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:37.782362938 CET  50096  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:37.891715050 CET  50151  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:38.016678095 CET  50150  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:38.644166946 CET  50876  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:38.864907980 CET  50940  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:38.868297100 CET  50941  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:39.782270908 CET  50876  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:39.891628027 CET  50941  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:39.907346964 CET  50940  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:41.806962967 CET  50876  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:41.907331944 CET  50940  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:41.911891937 CET  50941  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:42.658093929 CET  51869  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:43.021073103 CET  51983  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:43.021667004 CET  51984  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:43.688533068 CET  51869  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:44.094777107 CET  51983  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:44.094789982 CET  51984  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:45.782290936 CET  51869  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:46.188581944 CET  51983  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:46.189099073 CET  51984  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:46.675086021 CET  52603  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:46.880197048 CET  52651  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:46.885212898 CET  52653  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:47.719809055 CET  52603  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:47.891670942 CET  52651  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:47.907308102 CET  52653  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:49.719808102 CET  52603  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:49.891683102 CET  52651  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:49.907309055 CET  52653  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:50.692039967 CET  53548  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:50.895580053 CET  53563  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:50.899588108 CET  53565  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:51.891696930 CET  53548  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:51.910018921 CET  53565  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:52.079304934 CET  53563  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:53.893500090 CET  53548  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:53.907565117 CET  53565  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:54.079245090 CET  53563  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:54.708105087 CET  54546  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:54.827267885 CET  54577  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:54.827358007 CET  54578  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:55.813592911 CET  54578  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:55.813812971 CET  54577  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:55.893321037 CET  54546  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:57.907377958 CET  54578  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:57.907382965 CET  54577  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:57.989634037 CET  54546  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:58.723252058 CET  55616  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:58.838538885 CET  55639  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:59.324647903 CET  55714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:25:59.778574944 CET  55616  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:25:59.892605066 CET  55639  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:00.407736063 CET  55714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:01.891757011 CET  55616  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:01.893878937 CET  55639  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:02.407381058 CET  55714  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:02.789038897 CET  56534  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:03.230068922 CET  56537  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:03.231764078 CET  56538  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:03.891752005 CET  56534  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:04.346124887 CET  56538  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:04.346126080 CET  56537  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:05.891771078 CET  56534  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:06.391792059 CET  56538  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:06.394737959 CET  56537  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:06.801301003 CET  57220  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:06.962080002 CET  57271  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:06.966092110 CET  57272  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:07.813664913 CET  57220  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:08.091444969 CET  57272  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:08.091588020 CET  57271  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:09.907433033 CET  57220  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:10.094913960 CET  57272  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:10.095067978 CET  57271  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:10.830338001 CET  58084  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:11.058563948 CET  58167  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:11.064189911 CET  58169  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:11.936060905 CET  58084  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:12.204339027 CET  58169  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:12.204340935 CET  58167  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:14.094924927 CET  58084  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:14.219923019 CET  58167  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:14.220007896 CET  58169  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:14.831754923 CET  59061  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:14.976849079 CET  59086  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:14.977194071 CET  59087  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:15.838207960 CET  59061  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:15.985584021 CET  59086  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:16.016825914 CET  59087  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:17.891839027 CET  59061  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:18.016911983 CET  59087  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:18.079366922 CET  59086  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:18.846733093 CET  60011  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:19.007433891 CET  60049  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:19.009031057 CET  60050  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:19.891846895 CET  60011  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:20.016843081 CET  60050  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:20.017039061 CET  60049  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:21.891855955 CET  60011  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:22.016884089 CET  60049  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:22.016983986 CET  60050  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:22.867528915 CET  60506  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:22.982338905 CET  60526  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:22.982803106 CET  60527  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:23.907526016 CET  60506  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:24.016861916 CET  60526  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:24.081191063 CET  60527  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:25.907478094 CET  60506  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:26.032505035 CET  60526  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:26.189675093 CET  60527  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:29.907525063 CET  60506  23588  192.168.2.7  107.160.131.252
Nov 19, 2024 14:26:30.032526970 CET  60526  80     192.168.2.7  202.108.0.52
Nov 19, 2024 14:26:30.188769102 CET  60527  23588  192.168.2.7  107.160.131.252
                                                                      Nov 19, 2024 14:26:37.907541037 CET6050623588192.168.2.7107.160.131.252
                                                                      Nov 19, 2024 14:26:38.032565117 CET6052680192.168.2.7202.108.0.52
                                                                      Nov 19, 2024 14:26:38.204494953 CET6052723588192.168.2.7107.160.131.252
Timestamp    Source Port    Dest Port    Source IP    Dest IP
Timestamp    Source IP    Dest IP    Trans ID    OP Code    Name    Type    Class    DNS over HTTPS
Timestamp    Source IP    Dest IP    Trans ID    Reply Code    Name    CName    Address    Type    Class    DNS over HTTPS
                                                                      Nov 19, 2024 14:25:59.322695017 CET1.1.1.1192.168.2.70x2641No error (0)blogx.sina.com.cn202.108.0.52A (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:00.869441986 CET1.1.1.1192.168.2.70x1e6Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:06.159596920 CET1.1.1.1192.168.2.70x9866Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:10.868741035 CET1.1.1.1192.168.2.70xfa27Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:15.872045994 CET1.1.1.1192.168.2.70xc28cName error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:20.870932102 CET1.1.1.1192.168.2.70x1355Name error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false
                                                                      Nov 19, 2024 14:26:52.011852980 CET1.1.1.1192.168.2.70x5eaName error (3)host123.zz.amnonenoneA (IP address)IN (0x0001)false

                                                                      Target ID:1
                                                                      Start time:08:22:17
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\System32\loaddll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll"
                                                                      Imagebase:0x2d0000
                                                                      File size:126'464 bytes
                                                                      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:08:22:17
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:08:22:17
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
                                                                      Imagebase:0x410000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:08:22:18
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InputFile
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:08:22:18
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",#1
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:08:22:21
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,InvCMAP
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:08:22:24
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe C:\Users\user\Desktop\PqZ6GU98Eh.dll,PrintFile
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:08:22:24
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 676
                                                                      Imagebase:0x110000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:14
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InputFile
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\PqZ6GU98Eh.dll",PrintFile
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:18
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                      Imagebase:0x410000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:20
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7344 -s 676
                                                                      Imagebase:0x110000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:21
                                                                      Start time:08:22:27
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\PING.EXE
                                                                      Wow64 process (32bit):true
                                                                      Commandline:ping 127.0.0.1 -n 3
                                                                      Imagebase:0x9f0000
                                                                      File size:18'944 bytes
                                                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:24
                                                                      Start time:08:22:54
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:25
                                                                      Start time:08:22:54
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                      Imagebase:0x410000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:26
                                                                      Start time:08:22:55
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:27
                                                                      Start time:08:22:55
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\PING.EXE
                                                                      Wow64 process (32bit):true
                                                                      Commandline:ping 127.0.0.1 -n 3
                                                                      Imagebase:0x9f0000
                                                                      File size:18'944 bytes
                                                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:28
                                                                      Start time:08:23:03
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\PqZ6GU98Eh.dll",InvCMAP
                                                                      Imagebase:0x6e0000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:29
                                                                      Start time:08:23:03
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                                                      Imagebase:0x410000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:30
                                                                      Start time:08:23:03
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:31
                                                                      Start time:08:23:03
                                                                      Start date:19/11/2024
                                                                      Path:C:\Windows\SysWOW64\PING.EXE
                                                                      Wow64 process (32bit):true
                                                                      Commandline:ping 127.0.0.1 -n 3
                                                                      Imagebase:0x9f0000
                                                                      File size:18'944 bytes
                                                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                        Execution Graph

                                                                        Execution Coverage:10.1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:11.7%
                                                                        Total number of Nodes:675
                                                                        Total number of Limit Nodes:22
                                                                        execution_graph 5946 10002983 5947 10002988 5946->5947 5950 10001000 strlen 5947->5950 5949 10002992 GetProcAddress 5951 100016d9 #823 memset 5950->5951 5954 10001713 #823 lstrcpyA #825 5951->5954 5954->5949 5959 10008208 5962 10008211 5959->5962 5960 10007f4f 156 API calls 5960->5962 5962->5960 5963 10008270 Sleep 5962->5963 5964 1000400a GetDriveTypeA 5962->5964 5963->5962 5964->5962 5967 1000490f 9 API calls 5968 100049eb select 5967->5968 5969 10004a30 memset recvfrom 5968->5969 5970 10004a21 WSAGetLastError Sleep 5968->5970 5969->5968 5971 10004a75 5969->5971 5970->5968 5972 10004cac closesocket closesocket WSACleanup 5971->5972 5973 10004a7d memset 5971->5973 5984 10004877 memset memcpy strlen 5973->5984 5975 10004aa0 wsprintfA StrStrIA 5976 10004af0 StrStrIA 5975->5976 5977 10004b2d malloc memcpy memcpy htons 5975->5977 5979 10004b02 StrStrIA 5976->5979 5980 10004b26 5976->5980 5978 10004b7c 13 API calls 5977->5978 5977->5980 5978->5980 5979->5980 5982 10004b14 StrStrIA 5979->5982 5980->5968 5980->5972 5980->5977 5980->5978 5981 10004b72 htons 5980->5981 5983 10004c50 inet_addr memcpy memcpy sendto 5980->5983 5981->5978 5982->5977 5982->5980 5983->5968 5983->5980 5985 100048bd 5984->5985 5985->5975 5986 10001812 5987 10001817 5986->5987 5988 10001000 6 API calls 5987->5988 5989 10001821 5988->5989 5990 10007112 #823 5992 1000712c 5990->5992 5996 100071b7 Sleep 5992->5996 5997 100071ea strlen 5992->5997 6002 10005c4c 5992->6002 6017 10003ef4 5992->6017 5996->5992 5997->5996 5998 100071f6 strcmp 5997->5998 5998->5996 5999 10007208 wsprintfA 5998->5999 6042 1000570f 5999->6042 6003 10003ef4 wvsprintfA 6002->6003 6004 10005c86 6003->6004 6053 10003f72 PathFileExistsA 6004->6053 6006 10005c92 6007 10005c99 6006->6007 6008 10005c9d 6006->6008 6007->5992 6054 10004015 CreateFileA 6008->6054 6010 10005cbb 6010->6007 6055 10004035 ReadFile 6010->6055 6012 10005cd6 6056 10003f92 CloseHandle 
6012->6056 6014 10005cdc 6057 10003f7d StrStrIA 6014->6057 6016 10005ce9 6016->6007 6058 10003ee1 wvsprintfA 6017->6058 6019 10003f06 memset 6020 100061bd 6019->6020 6021 10001000 6 API calls 6020->6021 6022 100061dd 6021->6022 6059 10003f0a InternetOpenA 6022->6059 6024 100061e4 6039 100061ee 6024->6039 6060 10003f24 InternetOpenUrlA 6024->6060 6026 10006206 6027 10006210 6026->6027 6028 10006219 6026->6028 6061 10003f58 InternetCloseHandle 6027->6061 6030 10006276 6028->6030 6037 1000621f 6028->6037 6064 10003f58 InternetCloseHandle 6030->6064 6032 10006225 memset 6062 10003f41 InternetReadFile 6032->6062 6034 10006216 6065 10003f58 InternetCloseHandle 6034->6065 6035 10006247 memcpy 6035->6037 6038 1000626c 6035->6038 6037->6032 6037->6038 6063 10003f92 CloseHandle 6038->6063 6039->5992 6041 10006274 6041->6030 6043 1000571c 6042->6043 6066 100051d3 14 API calls 6043->6066 6045 10005724 wsprintfA 6067 10005318 6045->6067 6049 10005802 6050 10005841 6049->6050 6051 10005809 OpenProcess 6049->6051 6050->5996 6051->6050 6052 1000581f CreateThread 6051->6052 6052->6050 6151 10005620 6052->6151 6053->6006 6054->6010 6055->6012 6056->6014 6057->6016 6058->6019 6059->6024 6060->6026 6061->6034 6062->6035 6063->6041 6064->6034 6065->6039 6066->6045 6099 1000cd20 6067->6099 6070 1000536c 6071 100053b2 wsprintfA wsprintfA CreateDirectoryA PrintFile 6070->6071 6072 10005372 strcat strcat strcat strcat strchr 6070->6072 6073 10004d36 _EH_prolog 6071->6073 6072->6070 6074 1000cd20 6073->6074 6075 10004d4a memset CoInitializeEx CoInitializeSecurity CoCreateInstance 6074->6075 6101 100050a1 _EH_prolog #823 6075->6101 6078 10004dd5 CoSetProxyBlanket wcscat 6079 100050a1 4 API calls 6078->6079 6081 10004e2f 6079->6081 6112 1000504d _EH_prolog #823 6081->6112 6084 10004e7d 6086 1000515c 4 API calls 6084->6086 6097 10004e90 6084->6097 6085 1000515c 4 API calls 6085->6084 6086->6097 6087 10004fff VariantClear VariantClear 6089 1000501a CoUninitialize 6087->6089 6088 10004ec1 
VariantInit VariantInit VariantInit 6088->6097 6089->6049 6091 10004f4d strcpy 6092 10004f6c _strcmpi 6091->6092 6091->6097 6092->6097 6093 1000515c InterlockedDecrement #825 SysFreeString #825 6093->6097 6094 100050a1 _EH_prolog #823 SysAllocString _CxxThrowException 6094->6097 6095 10004fb8 strcpy 6095->6097 6098 10004fda StrStrIA 6095->6098 6096 10005189 6 API calls 6096->6097 6097->6087 6097->6088 6097->6091 6097->6092 6097->6093 6097->6094 6097->6095 6097->6096 6097->6098 6098->6097 6100 10005325 strcpy strchr 6099->6100 6100->6070 6102 100050c4 6101->6102 6103 100050cc 6101->6103 6118 10005128 SysAllocString 6102->6118 6105 10004da2 6103->6105 6122 1000d072 6103->6122 6105->6078 6107 1000515c InterlockedDecrement 6105->6107 6108 10005180 6107->6108 6109 1000516e 6107->6109 6108->6078 6109->6108 6131 100051b3 6109->6131 6113 10005070 6112->6113 6114 10005078 6112->6114 6136 100050f5 6113->6136 6116 10004e4f 6114->6116 6117 1000d072 _CxxThrowException 6114->6117 6116->6084 6116->6085 6117->6116 6119 10005156 6118->6119 6120 10005146 6118->6120 6119->6103 6120->6119 6121 1000d072 _CxxThrowException 6120->6121 6121->6119 6125 1000d203 6122->6125 6129 1000d227 6125->6129 6128 1000d07d 6128->6105 6130 1000d219 _CxxThrowException 6129->6130 6130->6128 6132 100051c3 6131->6132 6133 100051bc SysFreeString 6131->6133 6134 10005179 #825 6132->6134 6135 100051ca #825 6132->6135 6133->6132 6134->6108 6135->6134 6141 1000d0be 6136->6141 6139 10005122 6139->6114 6140 1000d072 _CxxThrowException 6140->6139 6142 1000510c 6141->6142 6143 1000d0cd lstrlenA 6141->6143 6142->6139 6142->6140 6144 1000cd20 6143->6144 6145 1000d0e6 MultiByteToWideChar 6144->6145 6146 1000d101 GetLastError 6145->6146 6147 1000d123 SysAllocString 6145->6147 6148 1000d10d GetLastError 6146->6148 6149 1000d11b 6146->6149 6147->6142 6148->6149 6150 1000d072 _CxxThrowException 6149->6150 6150->6147 6152 10005651 #823 6151->6152 6153 1000564e 6151->6153 6156 10005664 6152->6156 6153->6152 6154 100056f3 
#825 CloseHandle 6155 1000566d VirtualQueryEx 6155->6154 6155->6156 6156->6154 6156->6155 6157 100056a8 #825 #823 6156->6157 6158 100056be ReadProcessMemory 6156->6158 6160 100053b7 6156->6160 6157->6158 6158->6156 6161 100053c4 6160->6161 6162 100053d0 6161->6162 6163 100055e3 6161->6163 6165 100053f0 memcmp 6162->6165 6168 100055e0 6162->6168 6164 100055f2 memcmp 6163->6164 6163->6168 6164->6163 6165->6162 6166 10005416 wsprintfA 6165->6166 6167 10005318 7 API calls 6166->6167 6169 1000545e wsprintfA 6167->6169 6168->6156 6170 10001000 6 API calls 6169->6170 6171 100054b3 12 API calls 6170->6171 6172 10001000 6 API calls 6171->6172 6173 10005579 wsprintfA CreateFileA CloseHandle Sleep DeleteFileA 6172->6173 6173->6162 6174 10006dd5 _EH_prolog strstr 6175 10006e01 #823 6174->6175 6176 10006ed5 6174->6176 6177 10006e23 strcpy 6175->6177 6178 10006e1c 6175->6178 6180 10006e3c 6177->6180 6193 10008a6a memset 6178->6193 6198 10005aca memset GetVersionExA 6180->6198 6183 10006e67 6184 10003ef4 wvsprintfA 6183->6184 6185 10006ea0 6184->6185 6213 10006c7a strlen 6185->6213 6188 10001000 6 API calls 6189 10006ebb 6188->6189 6190 10003ef4 wvsprintfA 6189->6190 6191 10006ec9 6190->6191 6221 10006290 6191->6221 6232 10008b8b sprintf CreateFileA 6193->6232 6196 10006e21 6196->6177 6199 10005b20 strcpy 6198->6199 6200 10005b36 6198->6200 6199->6200 6201 10005bb2 6200->6201 6203 10005b68 6200->6203 6204 10005b4a strcpy 6200->6204 6202 10005c28 sprintf 6201->6202 6207 10005bc6 strcpy 6201->6207 6208 10005c09 6201->6208 6202->6183 6205 10005b71 strcpy 6203->6205 6206 10005b8f 6203->6206 6204->6201 6204->6203 6205->6201 6205->6206 6206->6202 6209 10005b9c strcpy 6206->6209 6207->6202 6210 10005be3 6207->6210 6208->6202 6211 10005c12 strcpy 6208->6211 6209->6201 6210->6208 6212 10005bec strcpy 6210->6212 6211->6202 6212->6202 6212->6208 6255 10006bad malloc 6213->6255 6215 10006c94 strlen 6216 10006cf3 6215->6216 6217 10006ca5 6215->6217 6216->6188 6218 10006cc0 toupper 6217->6218 
6219 10006ce5 strlen 6217->6219 6220 10006cd4 tolower 6217->6220 6218->6217 6219->6216 6219->6217 6220->6217 6222 10001000 6 API calls 6221->6222 6223 100062a2 6222->6223 6259 10003f0a InternetOpenA 6223->6259 6225 100062a9 6231 100062da 6225->6231 6260 10003f24 InternetOpenUrlA 6225->6260 6227 100062c4 6261 10003f58 InternetCloseHandle 6227->6261 6229 100062d4 6262 10003f58 InternetCloseHandle 6229->6262 6231->6176 6233 10008bd3 DeviceIoControl GetLastError FormatMessageA 6232->6233 6236 10008a8c 6232->6236 6234 10008c15 6233->6234 6233->6236 6252 10008abe DeviceIoControl 6234->6252 6236->6196 6245 10008cc1 memset memset Netbios 6236->6245 6237 10008c3c 6237->6236 6238 10008c45 CloseHandle 6237->6238 6239 10008c5d 6238->6239 6239->6239 6240 10008c6a memset 6239->6240 6253 10008b19 6240->6253 6243 10008b19 6244 10008caf strcpy 6243->6244 6244->6236 6246 10008d11 6245->6246 6247 10008d8e 6245->6247 6248 10008d47 memset strcpy Netbios 6246->6248 6249 10008d1c Netbios 6246->6249 6251 10008d43 6246->6251 6247->6196 6248->6247 6250 10008d93 sprintf 6248->6250 6249->6246 6249->6248 6250->6247 6251->6247 6251->6248 6252->6237 6254 10008b2c strcpy memset 6253->6254 6254->6243 6256 10006bd3 6255->6256 6258 10006bdb strlen 6255->6258 6256->6215 6258->6256 6259->6225 6260->6227 6261->6229 6262->6231 6263 100019a0 6264 100019a5 LoadLibraryA 6263->6264 6265 100062e1 strcpy 6266 10006431 WSAStartup htons 6265->6266 6267 10006355 strstr 6265->6267 6281 10005846 inet_addr inet_addr 6266->6281 6269 100063d1 strcpy 6267->6269 6270 1000637c 6267->6270 6271 100063df strstr 6269->6271 6285 1000611f 6270->6285 6271->6266 6274 100063f4 strcspn strncpy strcspn atoi 6271->6274 6274->6266 6275 10006492 6276 10006486 closesocket 6276->6275 6278 10006394 strcspn strstr 6278->6271 6280 100063b2 strcspn strncpy 6278->6280 6279 100063ce 6279->6269 6280->6271 6282 1000585c 6281->6282 6284 10005862 socket connect 6281->6284 6298 10003eb4 gethostbyname 6282->6298 6284->6275 6284->6276 6286 1000612c 
6285->6286 6299 10003f0a InternetOpenA 6286->6299 6288 10006156 6295 100061b1 strstr 6288->6295 6300 10003f24 InternetOpenUrlA 6288->6300 6290 10006171 6291 1000617a memset 6290->6291 6292 100061a8 6290->6292 6301 10003f41 InternetReadFile 6291->6301 6303 10003f58 InternetCloseHandle 6292->6303 6295->6278 6295->6279 6296 100061a2 6302 10003f58 InternetCloseHandle 6296->6302 6298->6284 6299->6288 6300->6290 6301->6296 6302->6292 6303->6295 6304 100042a2 GetCurrentProcess OpenProcessToken 6305 100042c0 LookupPrivilegeValueA 6304->6305 6307 10004313 6304->6307 6306 100042d4 AdjustTokenPrivileges CloseHandle 6305->6306 6305->6307 6306->6307 6308 100087a2 6309 100087be 6308->6309 6315 10004482 6309->6315 6312 100087d1 Sleep CreateThread Sleep CreateThread 6313 100087f7 Sleep 6312->6313 6321 1000842d 6312->6321 6331 10006a7f #823 WSAStartup 6312->6331 6314 100087fc 6313->6314 6316 10001000 6 API calls 6315->6316 6317 1000448d 6316->6317 6320 100040ba RegOpenKeyExA 6317->6320 6319 100044a4 6319->6312 6319->6313 6320->6319 6322 1000843a 6321->6322 6323 10001000 6 API calls 6322->6323 6325 1000855f RegCloseKey Sleep 6322->6325 6327 100084d5 memset memset RegEnumValueA 6322->6327 6324 1000848a RegOpenKeyExA 6323->6324 6324->6325 6326 1000849f RegQueryInfoKeyA 6324->6326 6325->6322 6326->6322 6326->6325 6328 10008555 6327->6328 6329 1000852f StrStrIA 6327->6329 6328->6325 6328->6327 6329->6328 6330 10008545 RegDeleteValueA 6329->6330 6330->6328 6341 10003ece CreateMutexA 6331->6341 6333 10006ab4 GetLastError 6334 10006ac5 6333->6334 6335 10006b1c CloseHandle 6333->6335 6336 10006acb memset 6334->6336 6342 10006499 _EH_prolog memset 6336->6342 6339 10006af2 CreateThread WaitForSingleObject CloseHandle 6340 10006ae9 Sleep 6339->6340 6340->6336 6341->6333 6343 10001000 6 API calls 6342->6343 6344 100064e9 wsprintfA #823 memset 6343->6344 6364 10003f0a InternetOpenA 6344->6364 6346 1000652b 6347 100066d0 6346->6347 6365 10003f24 InternetOpenUrlA 6346->6365 6347->6339 6347->6340 
6349 1000654b 6349->6347 6350 10006559 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N strlen ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI 6349->6350 6351 1000658f memset 6350->6351 6366 10003f41 InternetReadFile 6351->6366 6353 100065ab 6354 10006647 strlen ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII strlen ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II 6353->6354 6355 100065bf 10 API calls 6353->6355 6356 100066a4 strlen 6354->6356 6357 1000669e 6354->6357 6355->6351 6358 100066b0 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 6356->6358 6359 100066df wsprintfA strlen 6356->6359 6357->6356 6358->6347 6360 100066fc #825 strrchr 6359->6360 6362 10006761 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 6360->6362 6363 10006739 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N 6360->6363 6362->6347 6363->6347 6364->6346 6365->6349 6366->6353 6367 10001ae2 6368 10001ae7 6367->6368 6369 10001000 6 API calls 6368->6369 6370 10001af1 GetProcAddress 6369->6370 6371 10002523 6372 10002528 6371->6372 6373 10001000 6 API calls 6372->6373 6374 10002532 GetProcAddress 6373->6374 6375 10006ee7 6378 10006d08 6375->6378 6389 10003ff7 GetShortPathNameA 6378->6389 6380 10006d43 6381 10001000 6 API calls 6380->6381 6382 10006d65 6381->6382 6390 1000406c RegCreateKeyExA 6382->6390 6384 10006d71 wsprintfA strlen 6391 100040d4 RegSetValueExA 6384->6391 6386 10006dc4 6392 10004092 RegCloseKey 6386->6392 6388 10006dcf 6389->6380 6390->6384 6391->6386 6392->6388 6397 100044ad 
LoadLibraryA GetProcAddress GetExtendedUdpTable 6398 100044f4 malloc 6397->6398 6399 100044ef 6397->6399 6400 10004509 GetExtendedUdpTable 6398->6400 6401 10004504 6398->6401 6399->6398 6399->6401 6400->6401 6405 1000451e 6400->6405 6402 1000454b free FreeLibrary 6402->6401 6403 10004525 htons 6404 1000453f 6403->6404 6403->6405 6404->6402 6405->6402 6405->6403 6405->6404 6414 10006eef 6415 10006efc 6414->6415 6416 10001000 6 API calls 6415->6416 6417 10006f09 6416->6417 6418 10001000 6 API calls 6417->6418 6419 10006f17 6418->6419 6420 10006f30 Sleep 6419->6420 6421 1000591c lstrcmpiA CloseHandle CreateToolhelp32Snapshot Process32First Process32Next 6419->6421 6422 10006f3d GetSystemDirectoryA GetSystemDirectoryA 6419->6422 6420->6419 6421->6419 6423 10001000 6 API calls 6422->6423 6424 10006f94 strcat 6423->6424 6425 10001000 6 API calls 6424->6425 6426 10006fab strcat #823 6425->6426 6428 10006fc8 6426->6428 6427 10005c4c 6 API calls 6427->6428 6428->6427 6429 10003ef4 wvsprintfA 6428->6429 6433 10007097 strlen 6428->6433 6435 10007064 Sleep 6428->6435 6438 10004139 6428->6438 6430 1000702e memset 6429->6430 6431 100061bd 13 API calls 6430->6431 6431->6428 6434 100070a3 wsprintfA 6433->6434 6433->6435 6436 10005318 7 API calls 6434->6436 6435->6428 6437 100070d9 PrintFile PrintFile strcmp 6436->6437 6437->6435 6439 10004146 6438->6439 6440 10004166 strcpy 6439->6440 6441 10004177 GetModuleFileNameA strrchr 6439->6441 6444 100041b7 CreateFileA 6440->6444 6442 100041a3 strcat 6441->6442 6443 1000429d 6441->6443 6442->6444 6443->6428 6444->6443 6445 100041e1 9 API calls 6444->6445 6445->6443 6446 10006b30 WSAStartup 6451 10003ece CreateMutexA 6446->6451 6448 10006b61 GetLastError 6449 10006ba1 CloseHandle 6448->6449 6450 10006b72 CreateThread WaitForSingleObject CloseHandle Sleep 6448->6450 6450->6450 6451->6448 6452 10005db4 RegOpenKeyExA 6453 10005e33 strcpy 6452->6453 6454 10005dea 6452->6454 6456 10005e43 6453->6456 6473 1000409d RegQueryValueExA 6454->6473 
6474 100058a4 6456->6474 6457 10005e16 6498 10004092 RegCloseKey 6457->6498 6461 10005e1e strcpy 6461->6456 6462 10005aca 10 API calls 6463 10005e52 GlobalMemoryStatusEx 6462->6463 6464 10005e73 6463->6464 6465 10003ef4 wvsprintfA 6464->6465 6466 10005e89 strcpy GetSystemDefaultUILanguage 6465->6466 6481 10005cf7 6466->6481 6469 10005ee1 strcpy 6471 10005f0e 6469->6471 6470 10005ef8 6472 10003ef4 wvsprintfA 6470->6472 6472->6471 6473->6457 6475 100058b4 strlen 6474->6475 6476 10005919 6474->6476 6475->6476 6477 100058bf GlobalAlloc memset strcpy 6475->6477 6476->6462 6478 10005910 GlobalFree 6477->6478 6479 100058e7 6477->6479 6478->6476 6479->6478 6479->6479 6480 100058f8 memset strcpy 6479->6480 6480->6478 6482 10003ef4 wvsprintfA 6481->6482 6483 10005d31 6482->6483 6499 10003f72 PathFileExistsA 6483->6499 6485 10005d3d 6486 10005d44 6485->6486 6487 10005d48 6485->6487 6486->6469 6486->6470 6500 10004015 CreateFileA 6487->6500 6489 10005d66 6489->6486 6501 10004035 ReadFile 6489->6501 6491 10005d81 6502 10003f92 CloseHandle 6491->6502 6493 10005d87 6503 10003f7d StrStrIA 6493->6503 6495 10005d94 6495->6486 6504 10003f7d StrStrIA 6495->6504 6497 10005da8 6497->6486 6498->6461 6499->6485 6500->6489 6501->6491 6502->6493 6503->6495 6504->6497 6507 10008578 Sleep 6508 10001000 6 API calls 6507->6508 6509 1000859b #823 memset 6508->6509 6510 100061bd 13 API calls 6509->6510 6511 100085c2 6510->6511 6512 100085d4 GetTickCount wsprintfA 6511->6512 6513 100085cb Sleep 6511->6513 6516 10006840 CreateFileA WriteFile CloseHandle 6512->6516 6513->6513 6515 10008613 CreateProcessA 6516->6515 6521 1000cfbc 6523 1000cfd8 6521->6523 6525 1000cfcf 6521->6525 6523->6525 6528 1000d000 6523->6528 6529 1000cf11 6523->6529 6524 1000d020 6527 1000cf11 3 API calls 6524->6527 6524->6528 6525->6524 6526 1000cf11 3 API calls 6525->6526 6525->6528 6526->6524 6527->6528 6530 1000cf19 6529->6530 6531 1000cf3a malloc 6530->6531 6533 1000cf4f 6530->6533 6534 1000cf79 6530->6534 6532 1000cf53 
_initterm 6531->6532 6531->6533 6532->6533 6533->6525 6534->6533 6535 1000cfa6 free 6534->6535 6535->6533 6538 1000827d GetSystemDirectoryA GetSystemDirectoryA 6539 10001000 6 API calls 6538->6539 6540 100082e0 strcat 6539->6540 6541 10001000 6 API calls 6540->6541 6542 100082f7 strcat #823 6541->6542 6544 10008314 6542->6544 6543 10005c4c 6 API calls 6543->6544 6544->6543 6545 10003ef4 wvsprintfA 6544->6545 6548 1000839f Sleep 6544->6548 6549 100083d2 strlen 6544->6549 6546 1000837a memset 6545->6546 6547 100061bd 13 API calls 6546->6547 6547->6544 6548->6544 6550 10008400 6549->6550 6551 100083de strcmp 6549->6551 6554 10001000 6 API calls 6550->6554 6556 1000721f _EH_prolog 6550->6556 6551->6550 6552 100083f0 wsprintfA 6551->6552 6552->6550 6555 10008420 WinExec 6554->6555 6555->6548 6627 1000774b CoInitializeEx 6556->6627 6558 10007235 6628 100077b2 _EH_prolog 6558->6628 6560 100072a7 6706 1000767f 6560->6706 6562 1000760b CoUninitialize 6722 10008869 #825 6562->6722 6566 100072af 6571 1000504d 8 API calls 6566->6571 6593 100075e9 6566->6593 6568 1000761d 6568->6550 6569 10007292 6702 10007696 6569->6702 6570 10007288 InterlockedIncrement 6570->6569 6574 100072c5 6571->6574 6572 1000515c 4 API calls 6576 100075f9 6572->6576 6710 1000762a _EH_prolog #823 6574->6710 6576->6562 6579 10007696 4 API calls 6579->6560 6580 10007479 6583 1000748b 6580->6583 6584 1000747e strlen 6580->6584 6581 100072ea strlen 6581->6580 6582 100072fb 6581->6582 6716 10007cdc _EH_prolog 6582->6716 6585 10007494 strlen 6583->6585 6586 100075d9 6583->6586 6584->6583 6588 100074a5 6584->6588 6585->6586 6585->6588 6591 1000515c 4 API calls 6586->6591 6586->6593 6589 10007cdc 13 API calls 6588->6589 6592 100074b6 6589->6592 6591->6593 6592->6586 6595 1000504d 8 API calls 6592->6595 6593->6572 6593->6576 6594 1000504d 8 API calls 6596 1000732e SafeArrayCreate VariantInit SafeArrayCreate VariantInit 6594->6596 6597 100074db 6595->6597 6600 1000504d 8 API calls 6596->6600 6598 1000504d 8 API 
calls 6597->6598 6601 100074ea SafeArrayCreate VariantInit 6598->6601 6603 100073a3 6600->6603 6604 1000504d 8 API calls 6601->6604 6605 10007696 4 API calls 6603->6605 6608 10007540 6604->6608 6606 100073cf 6605->6606 6607 1000504d 8 API calls 6606->6607 6612 100073dc 6607->6612 6609 10007570 6608->6609 6610 1000515c 4 API calls 6608->6610 6611 1000504d 8 API calls 6609->6611 6610->6609 6616 1000757d 6611->6616 6613 10007696 4 API calls 6612->6613 6614 10007408 6613->6614 6615 1000504d 8 API calls 6614->6615 6622 10007415 6615->6622 6617 100075bb 6616->6617 6618 1000515c 4 API calls 6616->6618 6619 100075ca 6617->6619 6620 1000515c 4 API calls 6617->6620 6618->6617 6619->6586 6621 1000515c 4 API calls 6619->6621 6620->6619 6621->6586 6623 10007459 SafeArrayDestroy SafeArrayDestroy 6622->6623 6624 1000515c 4 API calls 6622->6624 6623->6580 6625 10007474 6623->6625 6624->6623 6626 1000515c 4 API calls 6625->6626 6626->6580 6627->6558 6629 100077cf strlen 6628->6629 6670 1000724c 6628->6670 6630 100077e0 CoInitializeSecurity CoCreateInstance 6629->6630 6629->6670 6631 1000780d 6630->6631 6630->6670 6632 100050a1 4 API calls 6631->6632 6633 1000781a 6632->6633 6634 1000784f 6633->6634 6635 1000515c 4 API calls 6633->6635 6636 10007858 CoSetProxyBlanket 6634->6636 6634->6670 6635->6634 6637 10007872 6636->6637 6636->6670 6638 1000504d 8 API calls 6637->6638 6639 1000787d 6638->6639 6640 100078b9 6639->6640 6641 1000515c 4 API calls 6639->6641 6642 1000504d 8 API calls 6640->6642 6640->6670 6641->6640 6643 100078cf 6642->6643 6644 1000504d 8 API calls 6643->6644 6645 100078e1 6644->6645 6646 1000762a 11 API calls 6645->6646 6647 100078f1 6646->6647 6648 10007901 6647->6648 6649 1000515c 4 API calls 6647->6649 6650 10007963 6648->6650 6651 10007906 strlen 6648->6651 6649->6648 6654 1000504d 8 API calls 6650->6654 6651->6650 6652 10007913 6651->6652 6653 1000504d 8 API calls 6652->6653 6655 10007920 6653->6655 6660 10007981 6654->6660 6656 1000762a 11 API calls 6655->6656 
6657 10007930 6656->6657 6658 10007696 4 API calls 6657->6658 6659 1000793c 6658->6659 6661 1000504d 8 API calls 6659->6661 6662 100079bd 6660->6662 6664 1000515c 4 API calls 6660->6664 6663 10007947 6661->6663 6666 100079e1 6662->6666 6667 100079c2 6662->6667 6665 1000762a 11 API calls 6663->6665 6664->6662 6668 10007957 6665->6668 6669 10007a17 6666->6669 6723 10008889 6666->6723 6667->6670 6672 1000515c 4 API calls 6667->6672 6671 10007696 4 API calls 6668->6671 6669->6670 6673 1000515c 4 API calls 6669->6673 6670->6560 6670->6576 6675 10007a73 _EH_prolog 6670->6675 6671->6650 6672->6670 6673->6670 6676 10007b74 6675->6676 6677 10007a9b 6675->6677 6678 10007b80 InterlockedIncrement 6676->6678 6679 10007280 6676->6679 6677->6676 6680 10007aae VariantInit 6677->6680 6678->6679 6681 10007b91 6678->6681 6679->6569 6679->6570 6682 1000504d 8 API calls 6680->6682 6683 1000515c 4 API calls 6681->6683 6684 10007ac7 6682->6684 6683->6679 6685 10007b00 6684->6685 6686 1000515c 4 API calls 6684->6686 6687 10007b55 VariantClear VariantClear 6685->6687 6688 10007b18 6685->6688 6689 10007b0b 6685->6689 6686->6685 6687->6676 6690 10007b6e 6687->6690 6693 10007b49 6688->6693 6695 10007b24 6688->6695 6732 10007bda _EH_prolog 6689->6732 6692 1000d072 _CxxThrowException 6690->6692 6692->6676 6756 10007c3c _EH_prolog 6693->6756 6694 10007b16 6694->6687 6740 10007d3f _EH_prolog SafeArrayGetVartype SafeArrayAccessData 6695->6740 6701 1000515c 4 API calls 6701->6694 6703 1000729a 6702->6703 6704 1000769f 6702->6704 6703->6579 6705 1000515c 4 API calls 6704->6705 6705->6703 6707 10007693 6706->6707 6708 10007685 6706->6708 6707->6566 6708->6707 6709 1000768b SysStringLen 6708->6709 6709->6566 6711 10007657 6710->6711 6712 1000764e 6710->6712 6714 1000515c 4 API calls 6711->6714 6715 100072d5 6711->6715 6773 100076a9 6712->6773 6714->6715 6715->6580 6715->6581 6717 1000730c 6716->6717 6718 10007cef 6716->6718 6717->6580 6717->6594 6719 1000504d 8 API calls 6718->6719 6720 10007cfa 
6719->6720 6720->6717 6721 1000515c 4 API calls 6720->6721 6721->6717 6722->6568 6726 1000889a 6723->6726 6727 100088b9 #823 6726->6727 6728 10008897 6726->6728 6731 100088f7 #825 6727->6731 6728->6666 6731->6728 6733 10007bf6 #823 6732->6733 6734 10007bee 6732->6734 6736 10007c13 6733->6736 6737 10007c0b 6733->6737 6735 1000515c 4 API calls 6734->6735 6738 10007bf3 6735->6738 6736->6694 6739 10005128 2 API calls 6737->6739 6738->6733 6739->6736 6741 10007dd0 6740->6741 6748 10007d80 6740->6748 6742 10007b30 6741->6742 6743 10007ddc InterlockedIncrement 6741->6743 6751 10007ba9 6742->6751 6743->6742 6745 10007ded 6743->6745 6744 10007dc9 SafeArrayUnaccessData 6744->6741 6746 1000515c 4 API calls 6745->6746 6746->6742 6747 100050a1 4 API calls 6747->6748 6748->6744 6748->6747 6749 1000762a 11 API calls 6748->6749 6750 1000515c 4 API calls 6748->6750 6749->6748 6750->6748 6752 10007bc1 6751->6752 6753 10007bb7 InterlockedIncrement 6751->6753 6754 10007b3b 6752->6754 6755 1000515c 4 API calls 6752->6755 6753->6752 6754->6687 6754->6701 6755->6754 6757 10007c60 VariantInit 6756->6757 6758 10007c56 6756->6758 6767 10007cad 6757->6767 6759 10007bda 8 API calls 6758->6759 6761 10007c5e 6759->6761 6761->6687 6763 10007bda 8 API calls 6764 10007c83 VariantClear 6763->6764 6764->6761 6765 10007c95 6764->6765 6766 1000d072 _CxxThrowException 6765->6766 6766->6761 6768 10007cb5 6767->6768 6769 10007cc4 VariantChangeType 6768->6769 6770 10007c79 6768->6770 6769->6770 6771 10007cd3 6769->6771 6770->6763 6772 1000d072 _CxxThrowException 6771->6772 6772->6770 6774 1000767f SysStringLen 6773->6774 6775 100076c5 6774->6775 6776 1000767f SysStringLen 6775->6776 6777 100076cf SysAllocStringByteLen 6776->6777 6778 100076e7 6777->6778 6780 100076f5 6777->6780 6779 10007742 6778->6779 6781 1000d072 _CxxThrowException 6778->6781 6779->6711 6782 10007718 6780->6782 6783 10007708 memcpy 6780->6783 6781->6780 6782->6779 6784 1000772b memcpy 6782->6784 6783->6782 6784->6779

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10004978
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 1000498A
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 10004992
                                                                        • htons.WS2_32(00000035), ref: 100049A3
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 100049B4
                                                                        • htons.WS2_32(00000035), ref: 100049BB
                                                                        • inet_addr.WS2_32(?), ref: 100049C1
                                                                        • bind.WS2_32(?,?,00000010), ref: 100049CC
                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 100049E5
                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 10004A17
                                                                        • WSAGetLastError.WS2_32 ref: 10004A21
                                                                        • Sleep.KERNEL32(000003E8), ref: 10004A28
                                                                        • memset.MSVCRT ref: 10004A45
                                                                        • recvfrom.WS2_32(?,?,00000200,00000000,?,00000010), ref: 10004A61
                                                                        • memset.MSVCRT ref: 10004A87
                                                                        • wsprintfA.USER32 ref: 10004AC9
                                                                        • StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?), ref: 10004AE4
                                                                        • StrStrIA.SHLWAPI(?,alyac), ref: 10004AFC
                                                                        • StrStrIA.SHLWAPI(?,ahnlab), ref: 10004B0E
                                                                        • StrStrIA.SHLWAPI(?,v3lite), ref: 10004B20
                                                                        • malloc.MSVCRT ref: 10004B31
                                                                        • memcpy.MSVCRT(00000000,?,00000002), ref: 10004B40
                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000002), ref: 10004B56
                                                                        • htons.WS2_32(00008180), ref: 10004B63
                                                                        • htons.WS2_32(00008182), ref: 10004B77
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004B88
                                                                        • htons.WS2_32(00000001), ref: 10004B92
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BA3
                                                                        • htons.WS2_32(0000C00C), ref: 10004BBE
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BCF
                                                                        • htons.WS2_32(00000001), ref: 10004BD9
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BE7
                                                                        • htons.WS2_32(00000001), ref: 10004BF1
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BFF
                                                                        • htonl.WS2_32(0000007B), ref: 10004C09
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C1C
                                                                        • htons.WS2_32(00000004), ref: 10004C26
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004C34
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 10004C50
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C63
                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000004), ref: 10004C7B
                                                                        • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 10004C95
                                                                        • closesocket.WS2_32(?), ref: 10004CB5
                                                                        • closesocket.WS2_32(?), ref: 10004CBA
                                                                        • WSACleanup.WS2_32 ref: 10004CBC
                                                                        Strings
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10004ADF
                                                                        • alyac, xrefs: 10004AF6
                                                                        • 8.8.8.8, xrefs: 10004949
                                                                        • v3lite, xrefs: 10004B1A
                                                                        • 127.0.0.1, xrefs: 100049AB, 10004C4B
                                                                        • ahnlab, xrefs: 10004B08
                                                                        • %s|, xrefs: 10004AC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$htons$inet_addr$closesocketmemsetsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtowsprintf
                                                                        • String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 545395166-2566164256
                                                                        • Opcode ID: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction ID: f4d92e3438a437d2299d84abcf9c5d8c75e9b4238ea887dab6cfd6e428023447
                                                                        • Opcode Fuzzy Hash: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction Fuzzy Hash: 4FB12BB2D0025CAAEB11DBE4CC85EDFBBBCEB48340F014566E604F6155EB71AA44CFA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • lstrcpyA.KERNEL32(?,?,00000018,00000000,00000000), ref: 10007F7D
                                                                        • lstrcatA.KERNEL32(?,1001592C), ref: 10007F95
                                                                        • lstrcatA.KERNEL32(?,*.*), ref: 10007FA3
                                                                        • FindFirstFileA.KERNEL32(?,?), ref: 10007FB3
                                                                        • FindNextFileA.KERNEL32(?,?), ref: 10007FD2
                                                                        • lstrcpyA.KERNEL32(?,?), ref: 10008012
                                                                        • lstrcatA.KERNEL32(?,1001592C), ref: 10008024
                                                                        • lstrcatA.KERNEL32(?,0000002E), ref: 10008034
                                                                        • _strcmpi.MSVCRT ref: 10008042
                                                                        • PathIsDirectoryA.SHLWAPI(?), ref: 1000808D
                                                                        • #823.MFC42(00A00000), ref: 100080A1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcat$FileFindlstrcpy$#823DirectoryFirstNextPath_strcmpi
                                                                        • String ID: %s\%s$*.*$.$107.160.131.252:23588/article.php$12051805$L2ltYWdlLnBocA==$NPKI$P
                                                                        • API String ID: 2329406363-2544899875
                                                                        • Opcode ID: 45fe1759fd5ce1b210afb38eab7ca04dc649ebf194f4a959ddc902d8577136c1
                                                                        • Instruction ID: d457cdbbe753c7b4e7560833b0a44fa5530ca94c09af8d9545d2bbe4c99e139f
                                                                        • Opcode Fuzzy Hash: 45fe1759fd5ce1b210afb38eab7ca04dc649ebf194f4a959ddc902d8577136c1
                                                                        • Instruction Fuzzy Hash: 3271607290425DAEEB51DBA4CC45FDABBBCFB48381F1004E6E608F6195DB709B888F50

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • sprintf.MSVCRT ref: 10008BA5
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10008BC0
                                                                        • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,10008A8C,00000000), ref: 10008BE6
                                                                        • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 10008BF7
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10008C04
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,10008A8C), ref: 10008C46
                                                                        • memset.MSVCRT ref: 10008C71
                                                                        • strcpy.MSVCRT(00000044,00000000,00000013), ref: 10008C8B
                                                                        • memset.MSVCRT ref: 10008C97
                                                                        • strcpy.MSVCRT(00000004,00000000,0000002E,?,?,?,?,00000013), ref: 10008CB1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memsetstrcpy$CloseControlCreateDeviceErrorFileFormatHandleLastMessagesprintf
                                                                        • String ID: 12051805$C:\Users\user\Desktop$C:\Users\user\Desktop\PqZ6GU98Eh.dll$\\.\PHYSICALDRIVE%d
                                                                        • API String ID: 1986549085-2982351672
                                                                        • Opcode ID: acbfd8a12bd757b9287e670d97e34f8c911fe85aec8c424d0e9dfc58dd7dcc77
                                                                        • Instruction ID: 4125160363e842b8e7a1d76db44e57ca0f3beb1210815641832f8c97af22e03e
                                                                        • Opcode Fuzzy Hash: acbfd8a12bd757b9287e670d97e34f8c911fe85aec8c424d0e9dfc58dd7dcc77
                                                                        • Instruction Fuzzy Hash: 1231D0B6640229BEFB10D7A0CD86FEE736CEB05394F104221FA45A60C4EB74AF4587B5

                                                                        Control-flow Graph

                                                                        control_flow_graph 288 100044ad-100044ed LoadLibraryA GetProcAddress GetExtendedUdpTable 289 100044f4-10004502 malloc 288->289 290 100044ef-100044f2 288->290 291 10004504-10004507 289->291 292 10004509-10004518 GetExtendedUdpTable 289->292 290->289 290->291 293 1000455f-10004563 291->293 294 1000451a-1000451c 292->294 295 1000451e-10004520 292->295 294->293 296 10004522 295->296 297 1000454b-1000455c free FreeLibrary 295->297 298 10004525-10004535 htons 296->298 297->293 299 10004541-10004548 298->299 300 10004537-1000453d 298->300 299->297 300->298 301 1000453f 300->301 301->297
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 100044C4
                                                                        • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 100044D3
                                                                        • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 100044E9
                                                                        • malloc.MSVCRT ref: 100044F7
                                                                        • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 10004513
                                                                        • htons.WS2_32(00000000), ref: 10004529
                                                                        • free.MSVCRT ref: 1000454C
                                                                        • FreeLibrary.KERNEL32(?), ref: 10004556
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ExtendedLibraryTable$AddressFreeLoadProcfreehtonsmalloc
                                                                        • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                                        • API String ID: 1462788321-1809394930
                                                                        • Opcode ID: 7397b5f760d4094d2372b8837abed1e52d2feef046bf54149c711ffe110fcd5c
                                                                        • Instruction ID: b3820e473f6cbb65c967c2771bb036efaa047e66d01719392f57f806c4aad594
                                                                        • Opcode Fuzzy Hash: 7397b5f760d4094d2372b8837abed1e52d2feef046bf54149c711ffe110fcd5c
                                                                        • Instruction Fuzzy Hash: 6C21F6B1800559FFFB10DBA8CC88DAE7BBCFB443D2B210915F451E2195EB309E80CA64
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 100042AF
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 100042B6
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 100042CA
                                                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000000,00000000,00000000), ref: 100042FF
                                                                        • CloseHandle.KERNEL32(?), ref: 10004308
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                        • String ID:
                                                                        • API String ID: 3038321057-0
                                                                        • Opcode ID: 48c8a8b62aeca1ae66fe4ceac2ed7693a64b83dd0d2846575f8c7491ea7827f4
                                                                        • Instruction ID: b0a8796efaa8e3b84787a9bca2c6b8d54da9404ad25a0782a1589f7175c46836
                                                                        • Opcode Fuzzy Hash: 48c8a8b62aeca1ae66fe4ceac2ed7693a64b83dd0d2846575f8c7491ea7827f4
                                                                        • Instruction Fuzzy Hash: 1A011672900129BFEB10DFA4CC89AEFBBFCEF08380F004051F905E2154EBB09A408BA0
                                                                        APIs
                                                                        • DeviceIoControl.KERNEL32(00000000,0007C088,?,00000020,00000000,00000210,00000000,00000000), ref: 10008B0E
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ControlDevice
                                                                        • String ID:
                                                                        • API String ID: 2352790924-0
                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000000,00000000,10005931,00000002,00000000,00000000,00000000), ref: 10003FBF
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CreateSnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3332741929-0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • strlen.MSVCRT ref: 100016BB
                                                                        • #823.MFC42(00000007,?,C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000000), ref: 100016EB
                                                                        • memset.MSVCRT ref: 100016F9
                                                                        • #823.MFC42(00001000,?,?,C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000000), ref: 100017F4
                                                                        • lstrcpyA.KERNEL32(00000000,?,?,?,C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000000), ref: 100017FE
                                                                        • #825.MFC42(?,?,?,C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000000), ref: 10001805
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$#825lstrcpymemsetstrlen
                                                                        • String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1$2$3$4$5$6$7$8$9$:$;$<$=$>$?$C:\Users\user\Desktop\PqZ6GU98Eh.dll
                                                                        • API String ID: 3251808775-2120210801

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000649E
                                                                        • memset.MSVCRT ref: 100064DA
                                                                        • wsprintfA.USER32 ref: 100064F7
                                                                        • #823.MFC42(0007D000,?,00000000,00000000,00000000), ref: 10006503
                                                                        • memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                        • strlen.MSVCRT ref: 1000656F
                                                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                        • memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • #823.MFC42(?), ref: 100065D2
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 100065E6
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100065F3
                                                                        • #823.MFC42(00000001), ref: 100065FE
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 10006614
                                                                        • #825.MFC42(?), ref: 1000661D
                                                                        • strlen.MSVCRT ref: 10006625
                                                                        • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10006633
                                                                        • #825.MFC42(?), ref: 1000663C
                                                                        • strlen.MSVCRT ref: 1000664D
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(title,00000000,00000000), ref: 10006659
                                                                        • strlen.MSVCRT ref: 10006667
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10015660,00000005,00000000), ref: 10006676
                                                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(771B0EB8,-00000006,-00000006), ref: 1000668D
                                                                        • strlen.MSVCRT ref: 100066A5
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066B9
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066C7
                                                                        • wsprintfA.USER32 ref: 100066E9
                                                                        • strlen.MSVCRT ref: 100066F0
                                                                        • #825.MFC42(?), ref: 10006724
                                                                        • strrchr.MSVCRT ref: 1000672C
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006745
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006753
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000676A
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006778
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$strlen$ByteCharMultiWide$#823#825InternetV12@memset$?find@?$basic_string@Openwsprintf$?append@?$basic_string@?assign@?$basic_string@?substr@?$basic_string@FileFormatH_prologReadTime___crtstrrchr
                                                                        • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                        • API String ID: 1229813879-2496724313

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNEL32(0000EA60), ref: 10006F35
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F7E
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F88
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006F9C
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FB3
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FBE
                                                                        • memset.MSVCRT ref: 10007035
                                                                        • Sleep.KERNEL32 ref: 1000706A
                                                                        • strlen.MSVCRT ref: 10007098
                                                                        • wsprintfA.USER32 ref: 100070AE
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000), ref: 100070E7
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000,?,00000000), ref: 100070FA
                                                                        • strcmp.MSVCRT ref: 10007105
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryFilePrintSleepSystemstrcat$#823memsetstrcmpstrlenwsprintf
                                                                        • String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.252:23588/article.php$iOffset
                                                                        • API String ID: 2115399682-1682937122

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcspnstrstr$strcpystrncpy$FormatStartupTime___crtatoiclosesocketconnecthtonsmemsetsocket
                                                                        • String ID: http://
                                                                        • API String ID: 1412329544-1121587658
                                                                        • Opcode ID: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction ID: bda3bb5fe2d8b3d060f482acd811e7885a41a1d7ee8f75e9f264fd4272d9bcff
                                                                        • Opcode Fuzzy Hash: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction Fuzzy Hash: E851567290426CABFB10DBA4DC89FDE77ACEF04394F1004A6F608E6195DA749F458BA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082CA
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082D4
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082E8
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082FF
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 1000830A
                                                                        • memset.MSVCRT ref: 10008381
                                                                        • Sleep.KERNEL32 ref: 100083A5
                                                                        • strlen.MSVCRT ref: 100083D3
                                                                        • strcmp.MSVCRT ref: 100083E5
                                                                        • wsprintfA.USER32 ref: 100083F7
                                                                        • WinExec.KERNEL32(00000000,00000000), ref: 10008422
                                                                        Strings
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 10008364
                                                                        • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
                                                                        • 8.8.8.8, xrefs: 10008400
                                                                        • 127.0.0.1, xrefs: 10008405
                                                                        • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
                                                                        • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectorySystemstrcat$#823ExecSleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 2179988888-3096136484
                                                                        • Opcode ID: 97d9b0cb9ad65d0722c99cdcc87704b6a986f752f2f4119fbfa9bc55edcdf016
                                                                        • Instruction ID: 326cc2718642543c1dd7a400e4c7d0959c533b8060c56875ff79f0cc4eb49833
                                                                        • Opcode Fuzzy Hash: 97d9b0cb9ad65d0722c99cdcc87704b6a986f752f2f4119fbfa9bc55edcdf016
                                                                        • Instruction Fuzzy Hash: 0441E3B6D04258B6FB21D364CC46FCB7B6CEB44380F2040A5F248BA086DAB4BB848F55

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • strcpy.MSVCRT(?,?,?,00080000,00000000,?,10007062,c:\1.txt,iOffset), ref: 10004170
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00080000,00000000,?,10007062,c:\1.txt,iOffset), ref: 10004184
                                                                        • strrchr.MSVCRT ref: 10004193
                                                                        • strcat.MSVCRT(?,log.txt,c:\1.txt,iOffset), ref: 100041B2
                                                                        • CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000,c:\1.txt,iOffset), ref: 100041D0
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100041E6
                                                                        • time.MSVCRT(00000000), ref: 100041ED
                                                                        • _localtime32.MSVCRT(?), ref: 100041FA
                                                                        • strftime.MSVCRT ref: 1000420C
                                                                        • vsprintf.MSVCRT ref: 1000424F
                                                                        • sprintf.MSVCRT ref: 1000426C
                                                                        • strlen.MSVCRT ref: 10004281
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004290
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10004297
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleModuleNamePointerWrite_localtime32sprintfstrcatstrcpystrftimestrlenstrrchrtimevsprintf
                                                                        • String ID: %s%s$log.txt
                                                                        • API String ID: 3639226433-1489102009
                                                                        • Opcode ID: 8fe4c2fcaf64cef701cc4c36acd2c106987bdd6d1adb6f1e0b9ee80e9179e738
                                                                        • Instruction ID: d7a24dcdaf8e6b49f461e4f1291d64edd5db5d0b5c8b00a4d6a5de73979513ca
                                                                        • Opcode Fuzzy Hash: 8fe4c2fcaf64cef701cc4c36acd2c106987bdd6d1adb6f1e0b9ee80e9179e738
                                                                        • Instruction Fuzzy Hash: 1E41377690125CBFFB11DBA4CC89EDE7B6CEB08385F1044A6F709E6054DA70AE848B61

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,?), ref: 10005DE0
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                          • Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(?,?,?,?,?,?), ref: 100040B2
                                                                          • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096
                                                                        • strcpy.MSVCRT(000000C8,?,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10005E29
                                                                        • strcpy.MSVCRT(?,Find CPU Error), ref: 10005E3C
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 10005E5F
                                                                        • strcpy.MSVCRT(?,12051805,?,%u MB,-00000001), ref: 10005E95
                                                                        • GetSystemDefaultUILanguage.KERNEL32 ref: 10005E9D
                                                                        • strcpy.MSVCRT(?,00000000), ref: 10005EEF
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcpy$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
                                                                        • String ID: %u MB$12051805$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 335664808-297510382
                                                                        • Opcode ID: d1289f1bfd5e699eb50f0d88176b53bb689631849a2f4d627a58bc97ff289444
                                                                        • Instruction ID: 64a10f69e166a7139f234e211cfa4612f73fd1769519a57ef44d38a5129d0f72
                                                                        • Opcode Fuzzy Hash: d1289f1bfd5e699eb50f0d88176b53bb689631849a2f4d627a58bc97ff289444
                                                                        • Instruction Fuzzy Hash: C031F376804218BBFB20CB64CC46FDF77BCEB08341F10446AF654BA085EB71BA448B54

                                                                        Control-flow Graph

                                                                        control_flow_graph 247 1000842d-10008471 call 1000cd20 250 10008476-10008499 call 10001000 RegOpenKeyExA 247->250 253 1000855f-10008573 RegCloseKey Sleep 250->253 254 1000849f-100084c4 RegQueryInfoKeyA 250->254 253->250 254->253 255 100084ca-100084cf 254->255 255->253 256 100084d5-1000852d memset * 2 RegEnumValueA 255->256 257 10008555-10008559 256->257 258 1000852f-10008543 StrStrIA 256->258 257->253 257->256 258->257 259 10008545-1000854f RegDeleteValueA 258->259 259->257
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,?), ref: 10008491
                                                                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 100084BC
                                                                        • memset.MSVCRT ref: 100084DE
                                                                        • memset.MSVCRT ref: 100084EC
                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 10008523
                                                                        • StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000853B
                                                                        • RegDeleteValueA.ADVAPI32(?,?), ref: 1000854F
                                                                        • RegCloseKey.ADVAPI32(?), ref: 10008562
                                                                        • Sleep.KERNEL32(000493E0), ref: 1000856D
                                                                        Strings
                                                                        • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10008480
                                                                        • svchsot.exe, xrefs: 10008535
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
                                                                        • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                                        • API String ID: 1121228644-2214221337
                                                                        • Opcode ID: 692ff09cb00611db950c5f9bab00b6b91e85c9fc88cdeaf395db2c8a75e944b9
                                                                        • Instruction ID: 41e6ea02effd465f5a8e3b964bebe7f7f026d5d666a2e96095e75d2e8622051d
                                                                        • Opcode Fuzzy Hash: 692ff09cb00611db950c5f9bab00b6b91e85c9fc88cdeaf395db2c8a75e944b9
                                                                        • Instruction Fuzzy Hash: 0F3106B290015DBEEB11CB94CD85DEFB7BDFB08381F1040A6E645F6114EA70AF848BA0

                                                                        Control-flow Graph

                                                                        control_flow_graph 260 10008cc1-10008d0f memset * 2 Netbios 261 10008d11-10008d1a 260->261 262 10008d8e-10008d91 260->262 264 10008d47-10008d8c memset strcpy Netbios 261->264 265 10008d1c-10008d35 Netbios 261->265 263 10008dd7-10008dda 262->263 264->262 267 10008d93-10008dd5 sprintf 264->267 265->264 266 10008d37-10008d41 265->266 266->265 268 10008d43-10008d45 266->268 267->263 268->262 268->264
                                                                        APIs
                                                                        • memset.MSVCRT ref: 10008CD6
                                                                        • memset.MSVCRT ref: 10008CE9
                                                                        • Netbios.NETAPI32(?), ref: 10008D08
                                                                        • Netbios.NETAPI32(00000032), ref: 10008D2E
                                                                        • memset.MSVCRT ref: 10008D4F
                                                                        • strcpy.MSVCRT(?,10015928,00000037,00000000,00000040,?,?,?,?,C:\Users\user\Desktop,00000000), ref: 10008D6A
                                                                        • Netbios.NETAPI32(00000033), ref: 10008D85
                                                                        • sprintf.MSVCRT ref: 10008DCC
                                                                        Strings
                                                                        • %02X%02X%02X%02X%02X%02X, xrefs: 10008DC6
                                                                        • C:\Users\user\Desktop\PqZ6GU98Eh.dll, xrefs: 10008CC1
                                                                        • C:\Users\user\Desktop, xrefs: 10008CCB
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Netbiosmemset$sprintfstrcpy
                                                                        • String ID: %02X%02X%02X%02X%02X%02X$C:\Users\user\Desktop$C:\Users\user\Desktop\PqZ6GU98Eh.dll
                                                                        • API String ID: 3158056522-3376335932
                                                                        • Opcode ID: 75eb2348c3b05d480fe50d299f7ee77d4a3ea5ef115d79e4b98d4f595c338f84
                                                                        • Instruction ID: 0c2184180702e586fc1ca5cffc2268ba39a058ecf45d59ffc9b9d4e10b1a28f8
                                                                        • Opcode Fuzzy Hash: 75eb2348c3b05d480fe50d299f7ee77d4a3ea5ef115d79e4b98d4f595c338f84
                                                                        • Instruction Fuzzy Hash: 86315B71C042ECAAEF22D7A58C45FEE7BBCAF05284F0401D6F688B6186D7749746CB61

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • #823.MFC42(00001218), ref: 10006A8E
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006AA0
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006AB9
                                                                        • memset.MSVCRT ref: 10006AD2
                                                                          • Part of subcall function 10006499: _EH_prolog.MSVCRT ref: 1000649E
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 100064DA
                                                                          • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                          • Part of subcall function 10006499: #823.MFC42(0007D000,?,00000000,00000000,00000000), ref: 10006503
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10006499: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                          • Part of subcall function 10006499: strlen.MSVCRT ref: 1000656F
                                                                          • Part of subcall function 10006499: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10006499: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • Sleep.KERNEL32(0002BF20), ref: 10006AEE
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006B02
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B0D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B14
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B1D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memset$#823CloseCreateD@2@@std@@D@std@@HandleU?$char_traits@V?$allocator@$?assign@?$basic_string@ByteCharErrorFormatH_prologLastMultiMutexObjectSingleSleepStartupThreadTidy@?$basic_string@TimeV12@WaitWide___crtstrlenwsprintf
                                                                        • String ID: 0x5d65r455f$5762479093
                                                                        • API String ID: 667822095-2446933972
                                                                        • Opcode ID: 7254cf0a5069f4466a80c8bc8f76d8c9c0ba48acf0955bdf51b1eafd43c67802
                                                                        • Instruction ID: 8cdb2823aa61e5ac7bb0c892828062c090cb3bd64512b72bfa76aaf67c22daa6
                                                                        • Opcode Fuzzy Hash: 7254cf0a5069f4466a80c8bc8f76d8c9c0ba48acf0955bdf51b1eafd43c67802
                                                                        • Instruction Fuzzy Hash: 90012871544258BBF310E7B09CCEDBF3A5CDB463E1F140138FA15A508ADB659C1546B3

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • Sleep.KERNEL32(00002710), ref: 1000858F
                                                                        • #823.MFC42(00300000,aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=), ref: 100085A4
                                                                        • memset.MSVCRT ref: 100085B1
                                                                        • Sleep.KERNEL32(001B7740), ref: 100085D0
                                                                        • GetTickCount.KERNEL32 ref: 100085EA
                                                                        • wsprintfA.USER32 ref: 100085FD
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10008648
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep$#823CountCreateProcessTickmemsetwsprintf
                                                                        • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
                                                                        • API String ID: 3077700110-1533272838
                                                                        • Opcode ID: b399c389a6952da4a1e76028729d53607dc0337d40ef3b4359c096c56d0270c5
                                                                        • Instruction ID: b7caa614f7a4c108a39e01f2f415c9d76805585370d17942aa5233dc0422d24d
                                                                        • Opcode Fuzzy Hash: b399c389a6952da4a1e76028729d53607dc0337d40ef3b4359c096c56d0270c5
                                                                        • Instruction Fuzzy Hash: 1C2181B690025CBAEB11DBE4CC46EDFBB7CEF48390F140465F704B6144DA755A858BA1
                                                                        APIs
                                                                          • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                          • Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                                        • wsprintfA.USER32 ref: 10006D99
                                                                        • strlen.MSVCRT ref: 10006DA6
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006DBF
                                                                          • Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DC4,?,cmap,00000000,00000001,?,00000001,?), ref: 100040E9
                                                                          • Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateFormatNamePathShortTimeValue___crtstrlenwsprintf
                                                                        • String ID: %s "%s",InvCMAP$C:\Users\user\Desktop\PqZ6GU98Eh.dll$C:\Windows\SysWOW64\rundll32.exe$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$cmap
                                                                        • API String ID: 3689556866-3321501187
                                                                        • Opcode ID: 300191d9c923bfa9bc08a1993b71915e7710e85837c007b043ca48bd91da71fd
                                                                        • Instruction ID: 7dc0f1b3fd9e1d9418d14e8918f8b50030fd009d3d489128e72a392b119d986e
                                                                        • Opcode Fuzzy Hash: 300191d9c923bfa9bc08a1993b71915e7710e85837c007b043ca48bd91da71fd
                                                                        • Instruction Fuzzy Hash: 6311C4B694421CBEFB11D3A4DC86FEA776CDB14344F1404B1F704B6085DAB16FC88AA4
                                                                        APIs
                                                                        Strings
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 1000717C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823Sleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: http://107.160.131.252:23588/article.php
                                                                        • API String ID: 1027432993-2036118572
                                                                        • Opcode ID: 6de58a2388895b53ab50c2bf3e9d44295fe5c5acc228e842e96009f29d2bf823
                                                                        • Instruction ID: 5486f43503b26e233c42defc0be38958001ce26b0c4cd5fd0b99a09dc76495a5
                                                                        • Opcode Fuzzy Hash: 6de58a2388895b53ab50c2bf3e9d44295fe5c5acc228e842e96009f29d2bf823
                                                                        • Instruction Fuzzy Hash: E3213E7AD0465576F724D328CC56FDF7BACEF053C4F2000A6F608A50C6EB799A818A61
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006B48
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006B66
                                                                        • CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B7C
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B87
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B8E
                                                                        • Sleep.KERNEL32(00002710), ref: 10006B99
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006BA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3243752880-0
                                                                        • Opcode ID: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction ID: 4de3013a68fbd2a0a9bee951070d024d9b213cabf77efd8d8e5562ee79781ab3
                                                                        • Opcode Fuzzy Hash: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction Fuzzy Hash: D4F0FF71805170BBF6116BB08CCDCAF3E2CEF8A3E0B100120FA09E2089CB604C4186B2
                                                                        APIs
                                                                        • Sleep.KERNEL32(000927C0), ref: 100087D6
                                                                        • CreateThread.KERNEL32(?,?,Function_00006A7F), ref: 100087E2
                                                                        • Sleep.KERNEL32(00001388,?,?,Function_00006A7F), ref: 100087E9
                                                                        • CreateThread.KERNEL32(?,?,Function_0000842D,?,?,?,?,?,Function_00006A7F), ref: 100087F5
                                                                        • Sleep.KERNEL32(000000FF), ref: 100087F9
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep$CreateThread
                                                                        • String ID:
                                                                        • API String ID: 3220764680-0
                                                                        • Opcode ID: 8b9edb06aae0866067db075b5769f311d3122d35d7f0168556a720072c3588b7
                                                                        • Instruction ID: e1bc5a8aa8d4d7cd152f2372032bd98f242356ce35dd9a3b5ee7e8e81e7d26b3
                                                                        • Opcode Fuzzy Hash: 8b9edb06aae0866067db075b5769f311d3122d35d7f0168556a720072c3588b7
                                                                        • Instruction Fuzzy Hash: BAF092E964935D7CB222B3B20CC6DBF2C4DDFC06ECB110675F6982448A9E948E004972
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 10006201
Strings
• TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1 (base64 for "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15", a browser User-Agent string), xrefs: 100061D0
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: FormatInternetOpenTime___crt
• String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
• API String ID: 483802873-1756078650
• Opcode ID: 1e0449321829ac075868f7791ddb88bc23347712aa06c58fafcd56dcacb11458
• Instruction ID: ab7613da0529a9e7ad045271e1496bf6998c2837bea1459af3b68005a9a4b910
• Opcode Fuzzy Hash: 1e0449321829ac075868f7791ddb88bc23347712aa06c58fafcd56dcacb11458
• Instruction Fuzzy Hash: 3D21C275D0014DBAEF21DB65DC89D9F7BBEDB852D0F20807AF608A6045EA31AA818660
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: _inittermfreemalloc
• String ID: k{v
• API String ID: 1678931842-443568515
• Opcode ID: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
• Instruction ID: 0e2fbd444cc1af3c64615f742c80b3cddb005ce76f3f19b4b4b8d30d748738d8
• Opcode Fuzzy Hash: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
• Instruction Fuzzy Hash: 8E11EC716043279BF714CBA4DE84B6677F6F7083D1B11807EE909D7168EB31E8418B56
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 100062BF
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
Strings
• TW96aWxsYS80LjAgKGNvbXBhdGlibGUp (base64 for "Mozilla/4.0 (compatible)", a generic User-Agent string), xrefs: 10006298
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: InternetOpen$FormatTime___crt
• String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
• API String ID: 1165476586-1918919809
• Opcode ID: 7d413902a71a0fa37bd04b551418cd9e657d6686dadda5dfef55b74cb0eb8057
• Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
• Opcode Fuzzy Hash: 7d413902a71a0fa37bd04b551418cd9e657d6686dadda5dfef55b74cb0eb8057
• Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5
APIs
• GetProcAddress.KERNEL32(00000000), ref: 1000299A
Strings
• R2V0TW9kdWxlRmlsZU5hbWVB (base64 for GetModuleFileNameA), xrefs: 10002988
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc
• String ID: R2V0TW9kdWxlRmlsZU5hbWVB
• API String ID: 190572456-4201997209
• Opcode ID: f46d4fa220a880352004de651f4bb6b3b335fd06019cbf560e81defe2f92f49c
• Instruction ID: b1a1b435f00da94364d5068d1a7261ba1d721826fe38f5c424aadfdcf37e0a94
• Opcode Fuzzy Hash: f46d4fa220a880352004de651f4bb6b3b335fd06019cbf560e81defe2f92f49c
• Instruction Fuzzy Hash: CBC09BB4411555DEF711DB30DD45A543675F7183C3B504215F450D413DDFB06981D610
APIs
• GetProcAddress.KERNEL32(00000000), ref: 10001AF9
Strings
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc
• String ID: U2V0RXJyb3JNb2Rl
• API String ID: 190572456-495186574
• Opcode ID: ff490dd18d4e5ff5408a380a1a8df732b33e8b4543bd9f8dde01fd42c4961cf8
• Instruction ID: b3207cb24b35482d93af76edd0b439524cf254a3b1688944550d3917fc20d73e
• Opcode Fuzzy Hash: ff490dd18d4e5ff5408a380a1a8df732b33e8b4543bd9f8dde01fd42c4961cf8
• Instruction Fuzzy Hash: D8C04C74421550EAF711DB60DC496693A66F749281F104115F4419412CEB705881D615
APIs
• GetProcAddress.KERNEL32(00000000), ref: 10001CC0
Strings
• R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (base64 for GetPrivateProfileStringA), xrefs: 10001CAE
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc
• String ID: R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB
• API String ID: 190572456-1897290307
• Opcode ID: ce0636699d25fda12e0eab421e31998aad9de4fdcc928db9376e6b55bb93da23
• Instruction ID: 679180479ed6cfc3c3ab9d5752cbc6c40d3ed07f1b9e890cc62039329d529da3
• Opcode Fuzzy Hash: ce0636699d25fda12e0eab421e31998aad9de4fdcc928db9376e6b55bb93da23
• Instruction Fuzzy Hash: 2AC09B745101549FF711DB61DD45B543726F7083C17508115F4409413CDBB1D881DF15
APIs
• GetProcAddress.KERNEL32(00000000), ref: 1000253A
Strings
• TmV0TG9jYWxHcm91cEVudW0= (base64 for NetLocalGroupEnum), xrefs: 10002528
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc
• String ID: TmV0TG9jYWxHcm91cEVudW0=
• API String ID: 190572456-980335172
• Opcode ID: 21751e58ec1ca713f8f44fcc5f653abdf89010ed70324c720c096a464e28c9f5
• Instruction ID: 63a1c40aa0e56be92247ee1fed4819ec6860f7f49589733cfa06d56f95f5deb7
• Opcode Fuzzy Hash: 21751e58ec1ca713f8f44fcc5f653abdf89010ed70324c720c096a464e28c9f5
• Instruction Fuzzy Hash: DBC02BB0402010DEF302CF20FC48B143650E30C3C3B204054F4004003DDF7058C05911
APIs
• GetProcAddress.KERNEL32(00000000), ref: 1000255D
Strings
• TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM= (base64 for NetLocalGroupAddMembers), xrefs: 1000254B
Memory Dump Source
• Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc
• String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
• API String ID: 190572456-3430808999
• Opcode ID: d8bbc8fd9275c5640add86db4cf87e0375892e35759ac896a444ccd6314cd60b
• Instruction ID: ca1272d1c6c5ba21fa127b69b1bf27ffee5f9a6a4e26c013838c333b549259fb
• Opcode Fuzzy Hash: d8bbc8fd9275c5640add86db4cf87e0375892e35759ac896a444ccd6314cd60b
• Instruction Fuzzy Hash: BEC02B70800010DEF7019F20DC54A243A10F30C3C2B208160F4004003CDF70D8C0A900
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 100025C6
                                                                        Strings
                                                                        • TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 100025B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0QXBpQnVmZmVyRnJlZQ==
                                                                        • API String ID: 190572456-3244026974
                                                                        • Opcode ID: f4e47d902401f386d7afa6f4e06afb688abb2cdc623dcf81710c4eb5e0de29bc
                                                                        • Instruction ID: dfe5daf16c6b78ace36240ce5652ccc2d6de07b8baeb264f7ad7c7904fcf06df
                                                                        • Opcode Fuzzy Hash: f4e47d902401f386d7afa6f4e06afb688abb2cdc623dcf81710c4eb5e0de29bc
                                                                        • Instruction Fuzzy Hash: 32C02BB04030109EF312CB20DC946543620E38C3C2B214005F8004003DDF7199C09910
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10003651
                                                                        Strings
                                                                        • R2V0TW9kdWxlQmFzZU5hbWVB, xrefs: 1000363F
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0TW9kdWxlQmFzZU5hbWVB
                                                                        • API String ID: 190572456-2033685547
                                                                        • Opcode ID: cfe29cf07384324d310c7843b8016bb23d59ca87281aca01b1d6a40fd625a0fd
                                                                        • Instruction ID: 5df146e122e72d039630dbb6b0b3531cff15eb77738ab70f128977c83543ccad
                                                                        • Opcode Fuzzy Hash: cfe29cf07384324d310c7843b8016bb23d59ca87281aca01b1d6a40fd625a0fd
                                                                        • Instruction Fuzzy Hash: F0C09BB44055A0EEF7119B24EC496653715F7083C2B11C115F4419513CDF7158C19514
                                                                        APIs
                                                                          • Part of subcall function 10007F4F: lstrcpyA.KERNEL32(?,?,00000018,00000000,00000000), ref: 10007F7D
                                                                          • Part of subcall function 10007F4F: lstrcatA.KERNEL32(?,1001592C), ref: 10007F95
                                                                          • Part of subcall function 10007F4F: lstrcatA.KERNEL32(?,*.*), ref: 10007FA3
                                                                          • Part of subcall function 10007F4F: FindFirstFileA.KERNEL32(?,?), ref: 10007FB3
                                                                        • Sleep.KERNEL32(0036EE80), ref: 10008275
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcat$FileFindFirstSleeplstrcpy
                                                                        • String ID: C:\Program Files
                                                                        • API String ID: 187370985-1387799010
                                                                        • Opcode ID: 83b88d70ee97de05683047d1343494b736ce8ede311b85eac737ac99d3d0c06e
                                                                        • Instruction ID: d83235a906959e4aadb43ccc14bd8b3b82f7a1bf41f2c86c9f4ab1f61b13aabe
                                                                        • Opcode Fuzzy Hash: 83b88d70ee97de05683047d1343494b736ce8ede311b85eac737ac99d3d0c06e
                                                                        • Instruction Fuzzy Hash: 97F0AC769046A1AAF601CF940DC15CF77ACFB122A4B201022FA44BE046D7F19E4283E1
                                                                        APIs
                                                                        • RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 506b09687f3ab7a414a75766b3d3f90481d321aca35c59e901201fc3ba8e4a5b
                                                                        • Instruction ID: 2f1a498b2dcbf4f3c3eb6ba8bd5ccb29d644f5d642ac185d28254d8eeb3824b8
                                                                        • Opcode Fuzzy Hash: 506b09687f3ab7a414a75766b3d3f90481d321aca35c59e901201fc3ba8e4a5b
                                                                        • Instruction Fuzzy Hash: 5BD09B3200015EFBCF025F81DD058DA3F6AFB4C2A9B0A8654FA1824030C776E9B1AB91
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 100040CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: 4a8faa62bcfb3270353cf14121b101114a74a138e05c17fcdee85730a6dc741a
                                                                        • Instruction ID: 325a12e481168666c7c0c00c36f8af78d7d871d703ad2c0798f43e35c83d2956
                                                                        • Opcode Fuzzy Hash: 4a8faa62bcfb3270353cf14121b101114a74a138e05c17fcdee85730a6dc741a
                                                                        • Instruction Fuzzy Hash: A1C0013200060EFBDF025F91EC05CDA3F3AFB182A1B008020FA2804030C773D9B1AB91
                                                                        APIs
                                                                        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 6ebc564339288df785ab319f2eef5fd975c9d2bdaaabd508592ec2c4882c7e5c
                                                                        • Instruction ID: 3b8007e0c36ccf4b72e51ff36ba8b6d098d3d00fbcb84495eb87ae2067493b1e
                                                                        • Opcode Fuzzy Hash: 6ebc564339288df785ab319f2eef5fd975c9d2bdaaabd508592ec2c4882c7e5c
                                                                        • Instruction Fuzzy Hash: BFC0EC3200020EBBDF025F91EC0589A7F2AEB082A0B008010FA2804021C7339971AB95
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 7098f20e71c02270bb2eaf5ef833034602421d6e80e0f6197a28e700d7704e37
                                                                        • Instruction ID: b66798628aae855c83bf7f686cb25124971be1b6095d86ea20a0bb19a8bac96f
                                                                        • Opcode Fuzzy Hash: 7098f20e71c02270bb2eaf5ef833034602421d6e80e0f6197a28e700d7704e37
                                                                        • Instruction Fuzzy Hash: 92B002749015B0DFF7119F14DCDC5447B62E749341B61C055E8415113CD7714455EF55
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 6e132613e7eca362e7f45d600d2fb17153e476bbb744908e5f25d371ae058448
                                                                        • Instruction ID: abcc7ed5f68379418d9c40dbe7f79a1e4d6a15d0a0615b498f296ba2a9f239dc
                                                                        • Opcode Fuzzy Hash: 6e132613e7eca362e7f45d600d2fb17153e476bbb744908e5f25d371ae058448
                                                                        • Instruction Fuzzy Hash: 97B012B0401660CFF7014F20DCC80087F33F308382B008113E8019053CD7304510EA00
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 2c8bea18dbdd8aacdd272c5e91ec760c891f17ebb79b1c00953cfafc40362904
                                                                        • Instruction ID: 47b57bf21aca614cddfcfaea860b1cc3e38cf6dbd9f820980586a8aa178d607c
                                                                        • Opcode Fuzzy Hash: 2c8bea18dbdd8aacdd272c5e91ec760c891f17ebb79b1c00953cfafc40362904
                                                                        • Instruction Fuzzy Hash: F7B00274551560DFFB119F20DCC45447A73E74D382B61C056E8515113CDB72C490EE11
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: c0d3116e682aedf87baae9e529e28630e474b3a4de6ab528fa6401d4cf041306
                                                                        • Instruction ID: 24c90ffc9fcf9f59ee58c84600115bd45079cb77f81d8688bd4f2d963a816155
                                                                        • Opcode Fuzzy Hash: c0d3116e682aedf87baae9e529e28630e474b3a4de6ab528fa6401d4cf041306
                                                                        • Instruction Fuzzy Hash: 73B00274501560DBF7119F12DCC45447E67F74A7C1B11C055E8555163CD7714451AF11
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction ID: 44505aba912a868df48011d1cc75e83db32967a8423b7cb2a14cd0cb0a600a36
                                                                        • Opcode Fuzzy Hash: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction Fuzzy Hash: FBB012B4001560CBF7008F50CCC40047E23E30D345B20C015FD005013DC7314450AE00
                                                                        APIs
                                                                        • CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CreateMutex
                                                                        • String ID:
                                                                        • API String ID: 1964310414-0
                                                                        • Opcode ID: b0445fb2c580dfef0359de022438c5cf869d669a1619e2cffc7a985e78b4f379
                                                                        • Instruction ID: 0660ba76b91c4ba90ad6f84dc9e800b0fcc5abeceff4b92d4c6b7b19770fb62c
                                                                        • Opcode Fuzzy Hash: b0445fb2c580dfef0359de022438c5cf869d669a1619e2cffc7a985e78b4f379
                                                                        • Instruction Fuzzy Hash: 14B0097A408210BFDF025B90DD4880ABBA2BB88362F24C958F6A941031C732C520EB02
                                                                        APIs
                                                                        • GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: NamePathShort
                                                                        • String ID:
                                                                        • API String ID: 1295925010-0
                                                                        • Opcode ID: 4d5884627ad890fc19a7fce987e6ff622a4b63b76918a6086ce94622cf65f669
                                                                        • Instruction ID: 9ed1efb17d4bc623500ef1ea71d91a7222f1847b1b215a14ca4852d72f61d6bf
                                                                        • Opcode Fuzzy Hash: 4d5884627ad890fc19a7fce987e6ff622a4b63b76918a6086ce94622cf65f669
                                                                        • Instruction Fuzzy Hash: 0DB0097A509210BFDF025B91DE5881ABFB2AB88321F50C95CF6A940031C7328520EB02
                                                                        APIs
                                                                        • Process32First.KERNEL32(00000000,00000000), ref: 1000410C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: FirstProcess32
                                                                        • String ID:
                                                                        • API String ID: 2623510744-0
                                                                        • Opcode ID: e67c12039c6e27c9775ed2303caa81bdaef1dde80995cd1ad643f76d7915693a
                                                                        • Instruction ID: c9858dfc005bbdb7cb3bc2a9c9cd704bcf097683957f92dac5198df2e9f65fac
                                                                        • Opcode Fuzzy Hash: e67c12039c6e27c9775ed2303caa81bdaef1dde80995cd1ad643f76d7915693a
                                                                        • Instruction Fuzzy Hash: FCA00275505512ABDA515B51CD4484AFF61BBD4341F01C415F18940034C7359465DB11
                                                                        APIs
                                                                        • Process32Next.KERNEL32(00000000,00000000), ref: 1000411D
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: NextProcess32
                                                                        • String ID:
                                                                        • API String ID: 1850201408-0
                                                                        • Opcode ID: a3f922a5f824779d2e4fb6a0605a006c2019e83fe50e179df1dbe93f5432c8bc
                                                                        • Instruction ID: 61c727c5f78705df26fed0ca172bffc95c0448491f66f63664d3ec9bbd55d41d
                                                                        • Opcode Fuzzy Hash: a3f922a5f824779d2e4fb6a0605a006c2019e83fe50e179df1dbe93f5432c8bc
                                                                        • Instruction Fuzzy Hash: B4A00136408612ABDA52AB50CD4888ABFA2BBE8381F11C819F18A41034C73694A5EB12
                                                                        APIs
                                                                        • GetDriveTypeA.KERNEL32(?,1000825D,10015948), ref: 1000400E
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DriveType
                                                                        • String ID:
                                                                        • API String ID: 338552980-0
                                                                        • Opcode ID: 910e139e7f72f3dc7016df4695e01adbd10b1f6739a032fc72a57664e309aaef
                                                                        • Instruction ID: 35e6a258e9880390de709bccb697b72c0b050f0fde384497e413ae747a6bc5b2
                                                                        • Opcode Fuzzy Hash: 910e139e7f72f3dc7016df4695e01adbd10b1f6739a032fc72a57664e309aaef
                                                                        • Instruction Fuzzy Hash: B29002304042109BDE015B10CE4D4097BA1AB84701B00C454F05540131C7328914EA01
                                                                        APIs
                                                                        • RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Close
                                                                        • String ID:
                                                                        • API String ID: 3535843008-0
                                                                        • Opcode ID: 008722ebc5c55bf02cf93ee3d880f2bf6535d1cb723afbe45f3708d3cb5b8931
                                                                        • Instruction ID: 429567ee138713cc7d1fb87d8f160ac62efaac39d3f4df16b73647169d7c4b87
                                                                        • Opcode Fuzzy Hash: 008722ebc5c55bf02cf93ee3d880f2bf6535d1cb723afbe45f3708d3cb5b8931
                                                                        • Instruction Fuzzy Hash: 649002705055219BEE015B11CF494097B61ABC4705F008454E04D40030C7319810EA01
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: gethostbyname
                                                                        • String ID:
                                                                        • API String ID: 930432418-0
                                                                        • Opcode ID: 05e41723ed0a8037c4578c7a948b0b8a63a99cfb4cc59ac2d943447070d7b44e
                                                                        • Instruction ID: 0d2d6050cfce57933b45c6e53f9aa9dc9bc4905d00d8a83e77bf324908419f10
                                                                        • Opcode Fuzzy Hash: 05e41723ed0a8037c4578c7a948b0b8a63a99cfb4cc59ac2d943447070d7b44e
                                                                        • Instruction Fuzzy Hash: 6A900270545110ABDE015B11CF594197EB1AB88701B148458E48940031C7318810EA01
                                                                        APIs
                                                                        • PathFileExistsA.SHLWAPI(00000000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,771A8A60,00000000), ref: 10003F76
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ExistsFilePath
                                                                        • String ID:
                                                                        • API String ID: 1174141254-0
                                                                        • Opcode ID: b54471f397a0d8406c378fc9e06ab65f4bca33af0b81d7c7b1cf25565e94f53f
                                                                        • Instruction ID: 22fc78391477ad96e85b828bbcbeae1f812a7d3dd0aa48fa7cc8604c4f1e63b0
                                                                        • Opcode Fuzzy Hash: b54471f397a0d8406c378fc9e06ab65f4bca33af0b81d7c7b1cf25565e94f53f
                                                                        • Instruction Fuzzy Hash: 5B9002705051109BEE015B11CF494097A61AB84705B008458E05D40031C7719910EE01
                                                                        APIs
                                                                        • memset.MSVCRT ref: 10008A7B
                                                                          • Part of subcall function 10008B8B: sprintf.MSVCRT ref: 10008BA5
                                                                          • Part of subcall function 10008B8B: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10008BC0
                                                                          • Part of subcall function 10008B8B: DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,10008A8C,00000000), ref: 10008BE6
                                                                          • Part of subcall function 10008B8B: GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 10008BF7
                                                                          • Part of subcall function 10008B8B: FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10008C04
                                                                          • Part of subcall function 10008CC1: memset.MSVCRT ref: 10008CD6
                                                                          • Part of subcall function 10008CC1: memset.MSVCRT ref: 10008CE9
                                                                          • Part of subcall function 10008CC1: Netbios.NETAPI32(?), ref: 10008D08
                                                                          • Part of subcall function 10008CC1: Netbios.NETAPI32(00000032), ref: 10008D2E
                                                                          • Part of subcall function 10008CC1: memset.MSVCRT ref: 10008D4F
                                                                          • Part of subcall function 10008CC1: strcpy.MSVCRT(?,10015928,00000037,00000000,00000040,?,?,?,?,C:\Users\user\Desktop,00000000), ref: 10008D6A
                                                                          • Part of subcall function 10008CC1: Netbios.NETAPI32(00000033), ref: 10008D85
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memset$Netbios$ControlCreateDeviceErrorFileFormatLastMessagesprintfstrcpy
                                                                        • String ID:
                                                                        • API String ID: 3320403761-0
                                                                        • Opcode ID: f7f6ee7d95f6abb0cbd950b7fdefe046ec70cd3ef44402f68cbfdc2feb09b75a
                                                                        • Instruction ID: 0756d29dd38d3d38e900a36dffe274fc8fe1e2211c0ac0af711b78feb94bf0b7
                                                                        • Opcode Fuzzy Hash: f7f6ee7d95f6abb0cbd950b7fdefe046ec70cd3ef44402f68cbfdc2feb09b75a
                                                                        • Instruction Fuzzy Hash: DAD05E7475422012F52096215C02F59269DDB40BD0F04082AFB88AB6C9DEA4AE0083A5
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10004D3B
                                                                        • memset.MSVCRT ref: 10004D59
                                                                        • CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 10004D63
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 10004D8E
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,?,10016AE0), ref: 10004DE2
                                                                        • wcscat.MSVCRT ref: 10004E18
                                                                        • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                        • strcpy.MSVCRT(?,00000000,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 10004F52
                                                                        • _strcmpi.MSVCRT ref: 10004F75
                                                                        • strcpy.MSVCRT(?,00000000,?,?,?,?,10016AE0,00000000,00080000), ref: 10004FC0
                                                                        • StrStrIA.SHLWAPI(?,svchost.exe -k NetworkService,?,?,?,?,10016AE0,00000000,00080000), ref: 10004FE6
                                                                        • VariantClear.OLEAUT32(?), ref: 10005009
                                                                        • VariantClear.OLEAUT32(?), ref: 1000500F
                                                                        • CoUninitialize.OLE32(?,?,?,?,?,10016AE0,00000000,00080000), ref: 10005035
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Init$ClearH_prologInitializestrcpy$#823BlanketCreateInstanceProxySecurityUninitialize_strcmpimemsetwcscat
                                                                        • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                        • API String ID: 53594991-2685825574
                                                                        • Opcode ID: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction ID: f36072ad76851ef4156648f9e7cf886c39e7a66da788ed21f351d69932db9bd7
                                                                        • Opcode Fuzzy Hash: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction Fuzzy Hash: 26A12AB1900259AFEB04DF94CC84DEEBBB8FF48394F104569F615AB294DB31AE45CB60
                                                                        APIs
                                                                        • #823.MFC42(00000004,10016AE0,00000000,00080000,?,?,?,?,?,?,?,?,?,?,10005724,10016AE0), ref: 10005210
                                                                        • #823.MFC42(000000FF,00000004,10016AE0,00000000,00080000,?,?,?,?,?,?,?,?,?,?,10005724), ref: 10005225
                                                                        • #823.MFC42(00000000,000000FF,00000004,10016AE0,00000000,00080000), ref: 1000523F
                                                                        • strrchr.MSVCRT ref: 10005250
                                                                        • strncpy.MSVCRT ref: 10005267
                                                                        • strncpy.MSVCRT ref: 10005271
                                                                        • GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                        • GetCurrentProcess.KERNEL32(00000020,1000721D), ref: 10005296
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,00080000), ref: 100052AD
                                                                        • AdjustTokenPrivileges.ADVAPI32(1000721D,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                        • CloseHandle.KERNEL32(1000721D), ref: 100052E2
                                                                        • strlen.MSVCRT ref: 100052EE
                                                                        • sscanf.MSVCRT ref: 1000530A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
                                                                        • String ID: %[^$C:\Users\user\Desktop$SeDebugPrivilege
                                                                        • API String ID: 1460262115-86836437
                                                                        • Opcode ID: 6d92c98b6d9f80e141df79854f10e01ad2732370edeef5f3baa56b08548985bd
                                                                        • Instruction ID: 1d4034c089aeb94910ddb95873c9201c7a3e8f51f79135a92f0693b8715c0055
                                                                        • Opcode Fuzzy Hash: 6d92c98b6d9f80e141df79854f10e01ad2732370edeef5f3baa56b08548985bd
                                                                        • Instruction Fuzzy Hash: 3631FDB5801228EFF700DFA4CDC9E9A7BB8EB08742F14802AF514EA264D7729942CF51
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcpy$Versionmemsetsprintf
                                                                        • String ID: 2000$2003$2008$Vista$Win %s SP%d
                                                                        • API String ID: 313931894-2264339393
                                                                        • Opcode ID: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction ID: 7d42eae51c3aa3afb7aca7336a245172d168173812804ea46fc3bd7bd3e3ba23
                                                                        • Opcode Fuzzy Hash: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction Fuzzy Hash: F5415031D4032CEEFB24C6649C46FDAB7A8DB013A7F1044A7E20CA5086D776AEC5CA91
                                                                        APIs
                                                                        • strcpy.MSVCRT(?,?,?,00A00000), ref: 1000465D
                                                                        • strcat.MSVCRT(?,\*.*,?,?,?,00A00000), ref: 1000466E
                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,?,00A00000), ref: 10004684
                                                                        • wsprintfA.USER32 ref: 100046C3
                                                                        • strlen.MSVCRT ref: 100046CC
                                                                        • #825.MFC42(00000000,00A00000,?,00000000,00A00000), ref: 10004742
                                                                        • FindNextFileA.KERNEL32(?,00000010), ref: 10004754
                                                                        • FindClose.KERNEL32(?), ref: 10004765
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$#825CloseFirstNextstrcatstrcpystrlenwsprintf
                                                                        • String ID: %s\%s$.$\*.*
                                                                        • API String ID: 842957512-2210278135
                                                                        • Opcode ID: 14c0b3fbaa0a98754f9af856c310a7e6fb90b3c39843455b06ec2df0189135e4
                                                                        • Instruction ID: 3547d33416261faf8458c6710b5cd13efccda21bf8dfe0cc576b5eff074e2184
                                                                        • Opcode Fuzzy Hash: 14c0b3fbaa0a98754f9af856c310a7e6fb90b3c39843455b06ec2df0189135e4
                                                                        • Instruction Fuzzy Hash: 97314DB2C0025CBBEF12DFA4CC45ADE7B79EB04380F1104E6E619A2055DB719B989F51
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(00000000,?,00000000,00000001,?,00000001,76789DE0,00A00000), ref: 1000C08F
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 1000C09D
                                                                          • Part of subcall function 1000B992: FileTimeToSystemTime.KERNEL32(?,00000001,00000001,76789DE0,?,00A00000,?,?,1000C4BA,?,00000001,76789DE0,00A00000), ref: 1000B9A0
                                                                          • Part of subcall function 1000B970: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000B98C
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                        • String ID:
                                                                        • API String ID: 568878067-0
                                                                        • Opcode ID: acb5aad6551f62eb6bb54de3509b51a1b75e97431e4f5327700e9b58ba3a470c
                                                                        • Instruction ID: 9395cd62dad14a91468537832dcef7e7f0a52948a0dcb5ca0d40c5fda14c5f50
                                                                        • Opcode Fuzzy Hash: acb5aad6551f62eb6bb54de3509b51a1b75e97431e4f5327700e9b58ba3a470c
                                                                        • Instruction Fuzzy Hash: 1421F5B5904B58EFDB25CFA8C44099BBBF5EF08340B00882EE68AD2710E674E645CB54
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: K
                                                                        • API String ID: 0-856455061
                                                                        • Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                                                        • Instruction ID: 9aa4ec9f8917db308ce764332d9eea5b3a3a2b02149446eca5bd3df864230787
                                                                        • Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
                                                                        • Instruction Fuzzy Hash: 00D1F331104689ADDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: K
                                                                        • API String ID: 0-856455061
                                                                        • Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                                                        • Instruction ID: deea517a90883ebe1c394bfda45a9bedc53e3a2fe2376341d0b219587cd6ae1c
                                                                        • Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
                                                                        • Instruction Fuzzy Hash: 719113311046896EDB21CFAD8C80EFFBBBCAF46A40F840549FE85C7642D255E92DA771
                                                                        APIs
                                                                        • ExitWindowsEx.USER32(?,?), ref: 10003F6B
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ExitWindows
                                                                        • String ID:
                                                                        • API String ID: 1089080001-0
                                                                        • Opcode ID: a0d9fa97b1e1e39b06bdef1288d6089e46bfaf0110e54166fccdcd3b95f73ca3
                                                                        • Instruction ID: 4ef2750e7b628f6ec6f30376c7cf025ff7e7fc08bc077e4d2af0ab61b57d367d
                                                                        • Opcode Fuzzy Hash: a0d9fa97b1e1e39b06bdef1288d6089e46bfaf0110e54166fccdcd3b95f73ca3
                                                                        • Instruction Fuzzy Hash: 3BA00175509212ABDE025B51CE4884ABEA6AB89381F00C868F18940031C73294A1EB12
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                                                        • Instruction ID: 4ac6500bd546590d7ea14c6efde5edf5aedc1e10ba929c21bb6b156839336c8c
                                                                        • Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
                                                                        • Instruction Fuzzy Hash: D7314C33E2C6B607E324DF7A4C84025F7D6EB4A0A275A8779DE88E3255D128EC11CBD0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e8c0fa911b4d3826a0bc719b5757c3a8810b9af615261cb87faa5529ae7d4ea
                                                                        • Instruction ID: ab804ab7f7386474820b1e05d2b4e403c210ce30860c1735e943e85212d2efa9
                                                                        • Opcode Fuzzy Hash: 3e8c0fa911b4d3826a0bc719b5757c3a8810b9af615261cb87faa5529ae7d4ea
                                                                        • Instruction Fuzzy Hash: F711AC7040C281DFC716DF28D4A16EE7BA1EFA6390F04081CF4C50B241D3399A59EB13
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ab8168c32b1e283020f3aa09d4c2b7e4e3b822ae08bd7678732eb939a3d67a85
                                                                        • Instruction ID: 1b54ed18dab414aa01878d7e51cf313666220a664a9faffcefaee8cca1aa458b
                                                                        • Opcode Fuzzy Hash: ab8168c32b1e283020f3aa09d4c2b7e4e3b822ae08bd7678732eb939a3d67a85
                                                                        • Instruction Fuzzy Hash: 02F057112B6F0B469B0003BCCFA89C45744A5D2030EE89F04BB7E845F1C76B40B2CC96
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6cab6cbcbbe78a60f668dc2e9f9cb647cf714c69a527e7e225bedbcb2ed0eaf4
                                                                        • Instruction ID: 77c50987af49f513bd68fafd068584da0cc77a1380f39ac092b88aed24172c25
                                                                        • Opcode Fuzzy Hash: 6cab6cbcbbe78a60f668dc2e9f9cb647cf714c69a527e7e225bedbcb2ed0eaf4
                                                                        • Instruction Fuzzy Hash: D3F0A93254AF0BD9CB2292FC4C8020C6510AF42234FA603529B758EAE28F2AC0C7D5C2
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6a18f753f84ad5b666da516722a0d5194c0d6468b3b7f9fd556b112f60c8b9e4
                                                                        • Instruction ID: c3aad4d8543de85cc6102d737dc705e200043473d52345c20f3afd2f6cff868a
                                                                        • Opcode Fuzzy Hash: 6a18f753f84ad5b666da516722a0d5194c0d6468b3b7f9fd556b112f60c8b9e4
                                                                        • Instruction Fuzzy Hash: 1EF0A52659CF6FCA061299FC0CC014DB6528E661383A41326EB708F7F6CBA5D16BE2D5
                                                                        APIs
                                                                        • memcmp.MSVCRT(00000000,-00000001), ref: 10005406
                                                                        • wsprintfA.USER32 ref: 10005437
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?,00080000,00000000,?,100070D9,00000000), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 1000549E
                                                                        • wsprintfA.USER32 ref: 100054BC
                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 100054CA
                                                                        • PrintFile.PQZ6GU98EH(?,?), ref: 100054DE
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                        • WriteProcessMemory.KERNEL32(?,?,00000009,00000000), ref: 100054FC
                                                                        • time.MSVCRT(00000000), ref: 1000551B
                                                                        • srand.MSVCRT ref: 10005522
                                                                        • rand.MSVCRT ref: 1000552A
                                                                        • rand.MSVCRT ref: 10005538
                                                                        • rand.MSVCRT ref: 10005543
                                                                        • rand.MSVCRT ref: 1000554E
                                                                        • rand.MSVCRT ref: 10005559
                                                                        • rand.MSVCRT ref: 10005564
                                                                        • wsprintfA.USER32 ref: 10005582
                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000559C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 100055A3
                                                                        • Sleep.KERNEL32(000003E8), ref: 100055AE
                                                                        • DeleteFileA.KERNEL32(?), ref: 100055BB
                                                                        • memcmp.MSVCRT(?,-000000FE), ref: 10005602
                                                                        Strings
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj (base64 of c:\windows\system32\drivers\etc\%c%c%c.%c%c%c), xrefs: 1000556F
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz (base64 of c:\windows\system32\drivers\%s\%s), xrefs: 100054A9
                                                                        • %s\%s, xrefs: 10005431
                                                                        • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: rand$File$strcatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryPrintProcessSleepsrandstrcpystrlentime
                                                                        • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                        • API String ID: 3546221339-455112146
                                                                        • Opcode ID: dbf0b97541eec7ea32aa62863234b20154f1bfcbf4447e0181b3cfe9062c47f0
                                                                        • Instruction ID: 023f1052d7a0be8e83d6270df64d4839765010a646a328037934ecf360ce8854
                                                                        • Opcode Fuzzy Hash: dbf0b97541eec7ea32aa62863234b20154f1bfcbf4447e0181b3cfe9062c47f0
                                                                        • Instruction Fuzzy Hash: FF610873A40258BFFB10DB64CC49FDE776DEB84351F184466F604AB180CBB5EA848B64
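The function above decodes two base64 path templates, creates a directory under c:\windows\system32\drivers\ and writes a file into it (CreateDirectoryA, then PrintFile, which wraps CreateFileA/WriteFile), and separately builds a random 3.3-character file name under drivers\etc from six rand() calls, creates that file, sleeps one second and deletes it. The Python helper below is an added example and is not part of the Joe Sandbox report or of the sample. It decodes the two strings listed under Strings, turns them into path patterns, and classifies a list of file-create paths. The baseline set of directories under drivers\ and the sample paths are constructed assumptions, not data from the report.

```python
"""Triage helper for the file-drop artefacts of the function at 10005406..10005602.

Added example, not part of the Joe Sandbox report or of the sample. It uses only
the two base64 strings shown in the report's Strings section; every input path
below is constructed for the example.
"""
import base64
import re

# Base64 strings from the Strings section (xrefs 100054A9 and 1000556F).
ENCODED_TEMPLATES = (
    "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz",
    "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj",
)


def decode_templates():
    """Decode the two wsprintfA templates, in the order listed above."""
    return tuple(base64.b64decode(s).decode("ascii") for s in ENCODED_TEMPLATES)


def template_to_regex(template):
    """Compile a wsprintfA path template into a case-insensitive regex.

    %s matches one path component and %c one character; everything else is
    literal. The character set the six rand() results are mapped into is not
    visible in the report, so %c is left as any non-backslash character.
    """
    parts = []
    i = 0
    while i < len(template):
        if template.startswith("%s", i):
            parts.append(r"([^\\]+)")
            i += 2
        elif template.startswith("%c", i):
            parts.append(r"([^\\])")
            i += 2
        else:
            parts.append(re.escape(template[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# Assumed baseline of directories directly under drivers\ (constructed for the
# example; a real run would take it from a clean image of the same Windows build).
BASELINE_DRIVER_SUBDIRS = frozenset({"etc", "umdf", "en-us"})


def triage_file_events(target_filenames, baseline=BASELINE_DRIVER_SUBDIRS):
    """Classify file-create paths such as Sysmon Event ID 11 TargetFilename values.

    'probe': paths matching the 3.3-character name built from six rand() calls
             under drivers\\etc. The sample deletes that file after Sleep(1000),
             so only create-time telemetry, not an on-disk scan, will see it.
    'drop':  paths matching drivers\\<dir>\\<file> with <dir> outside the baseline,
             i.e. a directory the sample could have made with CreateDirectoryA
             before writing into it.
    """
    dir_template, probe_template = decode_templates()
    dir_rx = template_to_regex(dir_template)
    probe_rx = template_to_regex(probe_template)
    findings = {"probe": [], "drop": []}
    for path in target_filenames:
        if probe_rx.match(path):
            findings["probe"].append(path)
            continue
        m = dir_rx.match(path)
        if m and m.group(1).lower() not in baseline:
            findings["drop"].append(path)
    return findings


# Constructed file-create events for the example; not taken from the report.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\drivers\etc\k7q.z2m",
    r"C:\Windows\System32\drivers\q3x9\update.dat",
    r"C:\Windows\System32\drivers\UMDF\WpdMtpDr.dll",
    r"C:\Windows\System32\drivers\etc\hosts.bak",
]

if __name__ == "__main__":
    for kind, paths in triage_file_events(SAMPLE_EVENTS).items():
        print(kind, paths)
```

The drivers\%s\%s template on its own matches every two-level path under drivers\, so it is only useful against a directory baseline; the random-name template is the specific indicator, but because the file lives for about one second it has to be caught from file-creation telemetry rather than by scanning the disk afterwards.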
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000598E
                                                                        • wsprintfA.USER32 ref: 100059AE
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104,10008666), ref: 100059C6
                                                                        • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000104), ref: 100059D5
                                                                        • strcpy.MSVCRT(C:\Users\user\Desktop,C:\Users\user\Desktop\PqZ6GU98Eh.dll), ref: 100059DE
                                                                        • strrchr.MSVCRT ref: 100059E6
                                                                        • wsprintfA.USER32 ref: 100059FB
                                                                        • wsprintfA.USER32 ref: 10005A08
                                                                        • wsprintfA.USER32 ref: 10005A19
                                                                        • #823.MFC42(00000084), ref: 10005A20
                                                                        • strcpy.MSVCRT(ECF4BB82F7E0,00000044), ref: 10005A50
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: wsprintf$FileModuleNamestrcpy$#823H_prologmemsetstrrchr
                                                                        • String ID: %s\%s$%s\version.txt$12051805$12051805$C:\Users\user\Desktop$C:\Users\user\Desktop\12051805$C:\Users\user\Desktop\PqZ6GU98Eh.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB82F7E0$M%s$Mhost123.zz.am:6658$host123.zz.am:6658
                                                                        • API String ID: 292421652-2073011050
                                                                        • Opcode ID: 12bd8d76cb0b41ec68fa3c007b6dcf69280600bdc4658a05dc882eb0f134facf
                                                                        • Instruction ID: 400d6614f39ff7cd744ddab951aebd9dcb408de85795f0dded65be8652f6b733
                                                                        • Opcode Fuzzy Hash: 12bd8d76cb0b41ec68fa3c007b6dcf69280600bdc4658a05dc882eb0f134facf
                                                                        • Instruction Fuzzy Hash: F22102322003687BF210E7958C85F5B7F9CDB856AAF01412AF741AE181CB72E8808A72
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007224
                                                                          • Part of subcall function 1000774B: CoInitializeEx.OLE32(00000000,00000000,00080000,?,10007235,00080000), ref: 1000776E
                                                                          • Part of subcall function 100077B2: _EH_prolog.MSVCRT ref: 100077B7
                                                                          • Part of subcall function 100077B2: strlen.MSVCRT ref: 100077D2
                                                                          • Part of subcall function 100077B2: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                          • Part of subcall function 100077B2: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100077B2: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • InterlockedIncrement.KERNEL32(-00000008), ref: 1000728C
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(00080008), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(00080000,?,?,?,10016AE0,00000000,00080000), ref: 1000517A
                                                                        • strlen.MSVCRT ref: 100072ED
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
                                                                        • VariantInit.OLEAUT32(?), ref: 1000735E
                                                                        • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
                                                                        • VariantInit.OLEAUT32(?), ref: 10007388
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007462
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007467
                                                                        • strlen.MSVCRT ref: 10007481
                                                                        • strlen.MSVCRT ref: 10007497
                                                                          • Part of subcall function 10007A73: _EH_prolog.MSVCRT ref: 10007A78
                                                                          • Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007A73: InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
                                                                        • VariantInit.OLEAUT32(?), ref: 10007524
                                                                        • CoUninitialize.OLE32(Win32_NetworkAdapterConfiguration,IPEnabled=TRUE,00080000), ref: 1000760B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ArraySafe$CreateInitstrlen$H_prologInterlocked$ClearDestroyIncrementInitialize$#825BlanketDecrementInstanceProxySecurityUninitialize
                                                                        • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                        • API String ID: 3394522676-1668994663
                                                                        • Opcode ID: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction ID: a4af8c9dca73a5c283ada5a53ee1da82c278c6dc42568daf6e2b053f761370a2
                                                                        • Opcode Fuzzy Hash: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction Fuzzy Hash: 45D14C70D00219EFEB15CFA4C880AEEBBB8FF45781F104019F519AB259DB75AA45CFA1
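                                                                         The function above enumerates Win32_NetworkAdapterConfiguration with IPEnabled=TRUE and invokes SetDNSServerSearchOrder and SetGateways on the adapter chosen by Index, which is how the sample rewrites the host's resolver list. The following is an added example, not code from this report or from the sample: the audit a responder runs afterwards over the same WMI properties (Index, IPEnabled, DNSServerSearchOrder, DefaultIPGateway, GatewayCostMetric). The adapter records and the baseline resolver and gateway sets are constructed for the example; on a live host the records would come from a WMI query, which this offline code does not perform.

```python
"""Audit Win32_NetworkAdapterConfiguration records for replaced DNS settings.

Added example (not from the report or the sample): the check to run on a
host after seeing SetDNSServerSearchOrder / SetGateways in a sample.
"""
import ipaddress

# Constructed records shaped like Win32_NetworkAdapterConfiguration instances.
SAMPLE_ADAPTERS = [
    {"Index": 1, "IPEnabled": True,
     "DNSServerSearchOrder": ("10.0.0.53", "10.0.0.54"),
     "DefaultIPGateway": ("10.0.0.1",), "GatewayCostMetric": (1,)},
    {"Index": 7, "IPEnabled": True,
     # Rogue resolver inserted in front of the corporate ones.
     "DNSServerSearchOrder": ("198.51.100.23", "10.0.0.53"),
     "DefaultIPGateway": ("10.0.0.1",), "GatewayCostMetric": (1,)},
    {"Index": 12, "IPEnabled": False,
     "DNSServerSearchOrder": None, "DefaultIPGateway": None,
     "GatewayCostMetric": None},
]

# Assumed baseline for the environment being audited.
TRUSTED_RESOLVERS = frozenset({"10.0.0.53", "10.0.0.54"})
EXPECTED_GATEWAYS = frozenset({"10.0.0.1"})


def _as_tuple(value):
    """WMI returns None for unset array properties; normalise to a tuple."""
    return tuple(value) if value else ()


def audit_adapter(adapter, trusted_resolvers=TRUSTED_RESOLVERS,
                  expected_gateways=EXPECTED_GATEWAYS):
    """Return a list of (Index, kind, position, value) findings; empty if clean."""
    findings = []
    if not adapter.get("IPEnabled"):
        return findings  # same filter the sample applies: IPEnabled=TRUE only
    index = adapter["Index"]

    # Position matters: the stub resolver tries servers in search order, so a
    # rogue entry at position 0 captures nearly every lookup on the host.
    for position, server in enumerate(_as_tuple(adapter.get("DNSServerSearchOrder"))):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append((index, "dns-malformed", position, server))
            continue
        if server not in trusted_resolvers:
            findings.append((index, "dns-untrusted", position, server))

    gateways = _as_tuple(adapter.get("DefaultIPGateway"))
    metrics = _as_tuple(adapter.get("GatewayCostMetric"))
    for position, gateway in enumerate(gateways):
        if gateway not in expected_gateways:
            findings.append((index, "gateway-unexpected", position, gateway))
    # SetGateways takes parallel arrays; a length mismatch means the record
    # was written by hand (or is inconsistent) and deserves a look.
    if gateways and metrics and len(gateways) != len(metrics):
        findings.append((index, "gateway-metric-mismatch", len(gateways), len(metrics)))
    return findings


def audit(adapters, trusted_resolvers=TRUSTED_RESOLVERS,
          expected_gateways=EXPECTED_GATEWAYS):
    """Audit every record and return the findings across all IP-enabled adapters."""
    out = []
    for adapter in adapters:
        out.extend(audit_adapter(adapter, trusted_resolvers, expected_gateways))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_ADAPTERS):
        print(finding)
```

                                                                         Disabled adapters are skipped because the sample itself only touches IPEnabled=TRUE entries, and the first resolver in the search order is reported separately from later ones because that is the one that actually answers queries.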
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: /$UT
                                                                        • API String ID: 0-1626504983
                                                                        • Opcode ID: 4e20de288c3a92402ee2be844def14dbc334af6ad8bc11c9fdd8b0be8c49a202
                                                                        • Instruction ID: f54fcba8cf9e0f27e2bd44127f596e67299a7ae9ee4814bd1667c505b59f09c1
                                                                        • Opcode Fuzzy Hash: 4e20de288c3a92402ee2be844def14dbc334af6ad8bc11c9fdd8b0be8c49a202
                                                                        • Instruction Fuzzy Hash: D002D375A0439D9BEB21CF68C844F9EBBF5EF04380F1444AEE449A7246CB70AE85CB55
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: _mbsicmp$strlen
                                                                        • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                        • API String ID: 2479270535-51310709
                                                                        • Opcode ID: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction ID: 73947956ff5f80da35e905b20d3a22064da75616644d11fbfe3e9aabf24defd8
                                                                        • Opcode Fuzzy Hash: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction Fuzzy Hash: 9611823F619E27687659F966AC149DF17C8CF930F2337002BE750EA488FF25CA864661
                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,cmd.exe), ref: 10004366
                                                                        • GetCurrentProcessId.KERNEL32 ref: 10004373
                                                                          • Part of subcall function 10004318: OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • Sleep.KERNEL32(?), ref: 100043A6
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 100043BB
                                                                          • Part of subcall function 10001000: strlen.MSVCRT ref: 100016BB
                                                                          • Part of subcall function 10001000: #823.MFC42(00000007,?,C:\Users\user\Desktop\PqZ6GU98Eh.dll,00000000), ref: 100016EB
                                                                          • Part of subcall function 10001000: memset.MSVCRT ref: 100016F9
                                                                        • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 100043D9
                                                                        • DeleteFileA.KERNEL32(?), ref: 100043DE
                                                                        • Sleep.KERNEL32(000003E8), ref: 100043E5
                                                                        • PathFileExistsA.SHLWAPI(?), ref: 100043EA
                                                                        • GetTickCount.KERNEL32 ref: 1000440B
                                                                        • wsprintfA.USER32 ref: 10004421
                                                                        • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 10004436
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$DeleteMoveProcessSleep$#823CountCurrentExistsOpenPathTickmemsetstrlenwsprintf
                                                                        • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                                                        • API String ID: 13915177-3916765701
                                                                        • Opcode ID: f741f87015062f5f26a35d3659c710a6dbf8c386dcad4caa9f1c645ae77be91a
                                                                        • Instruction ID: 963a348ca2d5bfb4595b212cae23924ed86a21a29487051e768ee2e180cf1c8b
                                                                        • Opcode Fuzzy Hash: f741f87015062f5f26a35d3659c710a6dbf8c386dcad4caa9f1c645ae77be91a
                                                                        • Instruction Fuzzy Hash: CC2162B2500258BBFB11AB60DC89BDE7B6CEB043D1F154061F644A9095DFB59E808A65
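                                                                         The routine above checks whether its own command line contains cmd.exe, opens its process, sleeps, deletes a file and then swaps files with MoveFileExA(MOVEFILE_REPLACE_EXISTING), formatting "%s.%d" with GetTickCount() to park the previous copy under a tick-stamped name. Its two base64 String ID constants decode to C:\Windows\6C4DA6FB\svchsot.exe and C:\Windows\6C4DA6FB\svchsot.vir (the executable name is one letter swap away from svchost.exe), which a plain string search on the sample would miss. The following is an added example, not code from this report or from the sample: a small triage helper that splits a Joe Sandbox '$'-joined String ID line, decodes every token that is well-formed base64 and yields a printable Windows path, and turns the "%s.%d" rename scheme into a pattern for stale copies. The input line is copied from the report; the helper names and the result layout are this example's own choices.

```python
"""Recover hunting indicators from a Joe Sandbox 'String ID' line.

Added example (not from the report or the sample). Joe Sandbox joins a
function's string constants with '$'; this sample stores its drop paths as
base64, so the tokens are decoded and filtered down to Windows paths.
"""
import base64
import binascii
import re
import string

# Constructed input: the String ID line of the routine above, copied verbatim.
STRING_ID_LINE = (
    "%s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$"
    "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self"
)

_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")
_PRINTABLE = frozenset(string.printable) - frozenset("\t\n\r\x0b\x0c")


def split_string_ids(line):
    """Joe Sandbox joins a function's string constants with '$'."""
    return [token for token in line.split("$") if token]


def try_base64(token):
    """Decode token if it is well-formed base64 yielding printable ASCII, else None.

    Short or oddly sized tokens and ordinary words ("self", "cmd.exe") are
    rejected up front; eight-letter words that happen to be valid base64
    ("Software") decode to non-ASCII bytes and are rejected by the decode.
    """
    if len(token) % 4 or not _B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or any(ch not in _PRINTABLE for ch in text):
        return None
    return text


def normalize_win_path(path):
    """Fold repeated backslashes.

    The decoded constants carry doubled separators (presumably an escaped
    source literal was encoded); Win32 path handling collapses them, so match
    on the single-separator form.
    """
    return re.sub(r"\\+", r"\\", path)


def extract_iocs(line):
    """Return decoded drop paths, their parent directories and rename patterns."""
    paths = []
    for token in split_string_ids(line):
        decoded = try_base64(token)
        if decoded and _WIN_PATH.match(decoded):
            paths.append(normalize_win_path(decoded))
    directories = sorted({p.rsplit("\\", 1)[0] for p in paths})
    # The routine formats "%s.%d" with GetTickCount() before MoveFileExA, so a
    # previous copy may survive as <path>.<tick count>; hunt for that as well.
    patterns = [re.escape(p) + r"\.\d+$" for p in paths] if "%s.%d" in line else []
    return {"paths": paths, "directories": directories, "patterns": patterns}


def is_stale_copy(filename, iocs):
    """True if filename matches one of the tick-count rename patterns."""
    return any(re.match(pattern, filename) for pattern in iocs["patterns"])


if __name__ == "__main__":
    for key, values in extract_iocs(STRING_ID_LINE).items():
        print(key, values)
```

                                                                         The directory C:\Windows\6C4DA6FB and both file names are the hunt items; the tick-count pattern catches the parked previous copy that the delete-then-move sequence can leave behind when DeleteFileA fails on a file that is still mapped.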
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(urlmon.dll), ref: 10006026
                                                                        • LoadLibraryA.KERNEL32(wininet.dll), ref: 10006030
                                                                        • GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 1000605B
                                                                        • GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 10006068
                                                                        • #823.MFC42(00000050), ref: 1000606E
                                                                        • strcat.MSVCRT(?,10015560), ref: 100060BB
                                                                        • strcat.MSVCRT(?,?,?,10015560), ref: 100060CE
                                                                        • strcat.MSVCRT(?,10015560,?,?,?,10015560), ref: 100060DB
                                                                        • memset.MSVCRT ref: 100060E7
                                                                          • Part of subcall function 10003FC8: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10003FE9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcat$AddressLibraryLoadProc$#823CreateProcessmemset
                                                                        • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
                                                                        • API String ID: 1308283570-2475139894
                                                                        • Opcode ID: 34ecf789aa35694245457eda00ed5882bda15fa83932d0fa1f3e80ffa3c8b103
                                                                        • Instruction ID: 5bc36e72ee7a02c1c0e69050cea4439c3b038a47dfce127ca0f0f16504b8aeec
                                                                        • Opcode Fuzzy Hash: 34ecf789aa35694245457eda00ed5882bda15fa83932d0fa1f3e80ffa3c8b103
                                                                        • Instruction Fuzzy Hash: C2312CB290065CBAEB11DBA4CC45FDF7F7DEB08341F5444A6E208AB181E7716A458EA0
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007E08
                                                                        • #389.MFC42(00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E2D
                                                                        • #6059.MFC42(00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E4C
                                                                        • #6059.MFC42(00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60), ref: 10007E60
                                                                        • #3229.MFC42(00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000), ref: 10007E70
                                                                        • #5204.MFC42(00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002), ref: 10007E89
                                                                        • #5808.MFC42(00000000,00000000,1000822F,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003), ref: 10007E9D
                                                                        • #825.MFC42(1000822F,00000000,00000000,1000822F,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EA9
                                                                        • #1988.MFC42 ref: 10007EC3
                                                                        • #690.MFC42 ref: 10007ECF
                                                                        • #5356.MFC42(1000822F,00000000,00000000,1000822F,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EE1
                                                                        • #825.MFC42(000000C8,1000822F,00000000,00000000,1000822F,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000), ref: 10007F10
                                                                        • #1988.MFC42 ref: 10007F27
                                                                        • #690.MFC42 ref: 10007F39
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #1988#6059#690#825$#3229#389#5204#5356#5808H_prolog
                                                                        • String ID:
                                                                        • API String ID: 686017586-0
                                                                        • Opcode ID: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction ID: 65d52c856144c7dc343c998bea728568d717a918c34615c3037e65eeb0ab1587
                                                                        • Opcode Fuzzy Hash: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction Fuzzy Hash: AF417C7590121DAFEF14DF94D985DDEBFB9EF49390F10002AF40AA3295CB346A45CBA1
                                                                        APIs
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000004,10016AE0,00000000,00080000,?,?,?,?,?,?,?,?,?,?,10005724,10016AE0), ref: 10005210
                                                                          • Part of subcall function 100051D3: #823.MFC42(000000FF,00000004,10016AE0,00000000,00080000,?,?,?,?,?,?,?,?,?,?,10005724), ref: 10005225
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000000,000000FF,00000004,10016AE0,00000000,00080000), ref: 1000523F
                                                                          • Part of subcall function 100051D3: strrchr.MSVCRT ref: 10005250
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005267
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005271
                                                                          • Part of subcall function 100051D3: GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                          • Part of subcall function 100051D3: GetCurrentProcess.KERNEL32(00000020,1000721D), ref: 10005296
                                                                          • Part of subcall function 100051D3: OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                          • Part of subcall function 100051D3: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,00080000), ref: 100052AD
                                                                          • Part of subcall function 100051D3: AdjustTokenPrivileges.ADVAPI32(1000721D,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                          • Part of subcall function 100051D3: CloseHandle.KERNEL32(1000721D), ref: 100052E2
                                                                          • Part of subcall function 100051D3: strlen.MSVCRT ref: 100052EE
                                                                          • Part of subcall function 100051D3: sscanf.MSVCRT ref: 1000530A
                                                                        • wsprintfA.USER32 ref: 1000574F
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?,00080000,00000000,?,100070D9,00000000), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 100057B1
                                                                        • wsprintfA.USER32 ref: 100057C5
                                                                        • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,10016AE0,00000000,00080000,?,1000721D), ref: 100057D4
                                                                        • PrintFile.PQZ6GU98EH(?,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000,?,1000721D), ref: 100057E8
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                          • Part of subcall function 10004D36: _EH_prolog.MSVCRT ref: 10004D3B
                                                                          • Part of subcall function 10004D36: memset.MSVCRT ref: 10004D59
                                                                          • Part of subcall function 10004D36: CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 10004D63
                                                                          • Part of subcall function 10004D36: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                          • Part of subcall function 10004D36: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 10004D8E
                                                                          • Part of subcall function 10004D36: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,?,?,?,10016AE0), ref: 10004DE2
                                                                          • Part of subcall function 10004D36: wcscat.MSVCRT ref: 10004E18
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,10016AE0,00000000), ref: 10005810
                                                                        • CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000), ref: 10005835
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Createstrcat$#823FileProcesswsprintf$CloseHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryH_prologInfoInstanceLookupPrintPrivilegePrivilegesProxySecuritySystemThreadValueWritememsetsscanfstrcpystrrchrwcscat
                                                                        • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                        • API String ID: 3029756400-1421401311
                                                                        • Opcode ID: 9f4c73466d9255d574249554586103f24472f68cd16168b7b109d9363276bf42
                                                                        • Instruction ID: 28587ef57c74646f6200826593ba84f0ee4a51bfb79cbc35cab65446596f3e80
                                                                        • Opcode Fuzzy Hash: 9f4c73466d9255d574249554586103f24472f68cd16168b7b109d9363276bf42
                                                                        • Instruction Fuzzy Hash: 75317772910178BBEB11D7A4CC84FCF7B6CEB08746F1405A6F209FA051DB71AA858B95
                                                                        APIs
                                                                        • GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        • GetFileSize.KERNEL32(?,00000000,?,00000000), ref: 1000BA6A
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1000BA86
                                                                        • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1000BA9A
                                                                        • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1000BAA3
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BAB3
                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 1000BACE
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BADE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerRead$HandleInformationSize
                                                                        • String ID: $@$@
                                                                        • API String ID: 2979504256-3743272326
                                                                        • Opcode ID: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction ID: 300477372e44d699427ff54a679b45810dd7889e5983b4805fee524b870b0fb0
                                                                        • Opcode Fuzzy Hash: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction Fuzzy Hash: 33516AB1A0064DAFEB10DF94CC81AAEBBF9EF44394F108069F641E6164D770AE80CB51
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 100077B7
                                                                        • strlen.MSVCRT ref: 100077D2
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • strlen.MSVCRT ref: 10007909
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog$#823strlen$BlanketCreateInitializeInstanceProxySecurity
                                                                        • String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
                                                                        • API String ID: 2251539122-2582412207
                                                                        • Opcode ID: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction ID: b5d22a176f2e9897db3186ef54651fb278fb7d6c126efc4cfaa591b9760a4b79
                                                                        • Opcode Fuzzy Hash: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction Fuzzy Hash: CA817D34901219EFEF15CF94C885AEE7B79FF057D0F208409F51AAB199DB34AA44CBA1
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10006DDA
                                                                        • strstr.MSVCRT ref: 10006DF1
                                                                        • #823.MFC42(00000084), ref: 10006E08
                                                                        • strcpy.MSVCRT(ECF4BB82F7E0,00000044), ref: 10006E31
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823H_prologmemsetstrcpystrstr
                                                                        • String ID: %s|NULL|%s|%s$12051805$ECF4BB82F7E0$JXMvam95LmFzcD9zaWQ9JXM=$http://$http://107.160.131.251:18659/
                                                                        • API String ID: 983634193-2637721669
                                                                        • Opcode ID: de1fbe1ddc52417a92cb610ab810b29f6ad9195cdf2bae228fea0961122f35c6
                                                                        • Instruction ID: 8b9bdae4842b9c152c707f293006ae36ec67aa252ce097f8c2e94734218e6b38
                                                                        • Opcode Fuzzy Hash: de1fbe1ddc52417a92cb610ab810b29f6ad9195cdf2bae228fea0961122f35c6
                                                                        • Instruction Fuzzy Hash: 4E2107B6900259AEEB10D7B4CC41BEF77BDFF48240F1045BAF209E7585DB70AA448A25
                                                                        APIs
                                                                        • PathIsDirectoryA.SHLWAPI(00A00000), ref: 1000477F
                                                                        • strlen.MSVCRT ref: 1000478E
                                                                        • strlen.MSVCRT ref: 1000479C
                                                                        • strlen.MSVCRT ref: 100047AA
                                                                        • strrchr.MSVCRT ref: 100047C1
                                                                        • strcpy.MSVCRT(00000000,00A00000,00000000,00000001,00000000,?,123), ref: 100047FF
                                                                        • strrchr.MSVCRT ref: 1000480D
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC93
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC9A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strlen$#825strrchr$DirectoryPathstrcpy
                                                                        • String ID: 123
                                                                        • API String ID: 3295485176-2286445522
                                                                        • Opcode ID: 625955dd574f6d6b8c6012326a80e82a6eaa29ade1b474a779e0d70915fbb28e
                                                                        • Instruction ID: a8b34575d82df1a2a640fea0855918061287e9e4bc387d8eb88593b54901316a
                                                                        • Opcode Fuzzy Hash: 625955dd574f6d6b8c6012326a80e82a6eaa29ade1b474a779e0d70915fbb28e
                                                                        • Instruction Fuzzy Hash: 272181F64043996BFB20DB70CC85F9F3B9CDF413D0F114866FA449608ADE74A98487A5
                                                                        APIs
                                                                        • strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?,00080000,00000000,?,100070D9,00000000), ref: 1000534D
                                                                        • strchr.MSVCRT ref: 10005367
                                                                        • strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                        • strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                        • strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                        • strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                        • strchr.MSVCRT ref: 100053AB
                                                                        Strings
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C
                                                                        • , xrefs: 10005382
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcat$strchr$strcpy
                                                                        • String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 1601127630-230412946
                                                                        • Opcode ID: c6efaf51be604f44dc0df4bdfb26751985826912d61fa2720ea58989172d95ae
                                                                        • Instruction ID: a6a5a67d86e8b927bc33642b6afb12583160e86d38cb06b733c3e3ee002f1740
                                                                        • Opcode Fuzzy Hash: c6efaf51be604f44dc0df4bdfb26751985826912d61fa2720ea58989172d95ae
                                                                        • Instruction Fuzzy Hash: 1301923690025D7AEB22D728CC41FCE7F58EF483C1F144475F6486A096D7B1BE845A90
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007A78
                                                                        • VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 1000504D: _EH_prolog.MSVCRT ref: 10005052
                                                                          • Part of subcall function 1000504D: #823.MFC42(0000000C,00000000,?,10004E4F,WQL,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 1000505D
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007D3F: _EH_prolog.MSVCRT ref: 10007D44
                                                                          • Part of subcall function 10007D3F: SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                          • Part of subcall function 10007D3F: SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                          • Part of subcall function 10007D3F: SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 10007D3F: InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                          • Part of subcall function 10007BA9: InterlockedIncrement.KERNEL32(-00000008), ref: 10007BBB
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(00080008), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(00080000,?,?,?,10016AE0,00000000,00080000), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked$ArrayH_prologIncrementSafeVariant$ClearData$#823#825AccessDecrementInitUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 4001368842-3916222277
                                                                        • Opcode ID: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction ID: 16e68ad5d50085e4c10e12c9d7be0e27fc14601c0442ffb24b2420ebed866ce4
                                                                        • Opcode Fuzzy Hash: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction Fuzzy Hash: 71418275D0015A9BEF14DFA4C884AEEB7F8FF48285F10446DE91AA3245D738BE48CB61
                                                                        APIs
                                                                        • #823.MFC42(00000001), ref: 10005655
                                                                        • VirtualQueryEx.KERNEL32(?,?,0000001C), ref: 1000567A
                                                                        • #825.MFC42(00000000), ref: 100056A9
                                                                        • #823.MFC42(?,00000000), ref: 100056B5
                                                                        • ReadProcessMemory.KERNEL32(?,00000000,?,00000000), ref: 100056CD
                                                                        • #825.MFC42(00000000), ref: 100056F4
                                                                        • CloseHandle.KERNEL32 ref: 10005700
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823#825$CloseHandleMemoryProcessQueryReadVirtual
                                                                        • String ID:
                                                                        • API String ID: 2613863258-0
                                                                        • Opcode ID: 002f558362e930e248a222bec98fb806c49b2a35eaec4bb71dce11e0a1fc2edc
                                                                        • Instruction ID: 4db0274d55e25b68ee7d3e13ac28b9df299f601e2e192f3360f90a931f98b51e
                                                                        • Opcode Fuzzy Hash: 002f558362e930e248a222bec98fb806c49b2a35eaec4bb71dce11e0a1fc2edc
                                                                        • Instruction Fuzzy Hash: 6B318431A00219ABFB00CB54CD89FAE7BB8EB483D5F554029F904AB254D777AD41CB61
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,10004724,00000000,?,00A00000), ref: 100045A0
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,10004724,00000000,?,00A00000), ref: 100045B5
                                                                        • #823.MFC42(00000000,?,10004724,00000000,?,00A00000), ref: 100045BC
                                                                        • memset.MSVCRT ref: 100045DB
                                                                        • ReadFile.KERNEL32(00A00000,?,00001000,00000000,00000000,00000000,?,00A00000), ref: 100045F3
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10004610
                                                                        • CloseHandle.KERNEL32(?), ref: 10004622
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$#823CloseCreateHandleReadSizememcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3874965551-0
                                                                        • Opcode ID: 444ed53be344c49d7c4879e69ee1f475a9efe4e4b85c42753bd3e96010758085
                                                                        • Instruction ID: b8e15c26b79344f892a994df82a26dd1cf42bd8fa36d8d7a2bc0f72dde553fdd
                                                                        • Opcode Fuzzy Hash: 444ed53be344c49d7c4879e69ee1f475a9efe4e4b85c42753bd3e96010758085
                                                                        • Instruction Fuzzy Hash: C7218EB1900249BFEB11CFA4CC85ECA3BADEB08391F104461FA49E7154D671AE848B64
                                                                        APIs
                                                                        Strings
                                                                        • C:\Users\user\Desktop, xrefs: 1000881C
                                                                        • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteExecFileSleepwsprintf
                                                                        • String ID: C:\Users\user\Desktop$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                                        • API String ID: 3112201625-3416770859
                                                                        • Opcode ID: 8fd58fb97f7187a4bd612a9f5f4254e8e120dfff4a7f91695060778d60fb1e9e
                                                                        • Instruction ID: 08be347dabe4e69125defaea18d67bebded8d0a374800736b22a7d520ac7fbac
                                                                        • Opcode Fuzzy Hash: 8fd58fb97f7187a4bd612a9f5f4254e8e120dfff4a7f91695060778d60fb1e9e
                                                                        • Instruction Fuzzy Hash: 85F08272500199EBEB118BA4CC897DA7769FF04385F040875F301F5094DBB09ED48B55
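The second string in this record is Base64 and decodes to `cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"`: a command template in which a ping to the loopback address stands in for a roughly two-second sleep before `rd /s /q` removes a directory tree, which is the behaviour behind the "Uses ping.exe to sleep" signature, and the wsprintf/WinExec/Sleep/DeleteFile mix in the API ID fits a format-then-execute routine. The Python below is an added example, not Joe Sandbox output and not the sample's own code: it decodes the template, fills the `%s` the way wsprintf would, and flags the same ping-then-delete idiom in constructed process-creation log lines. That the `%s` receives the sample's own directory is an assumption drawn from the neighbouring xref to C:\Users\user\Desktop, not something the report states.

```python
"""Decode the self-delete command template from the report and flag the
'ping-as-sleep, then delete' idiom in process-creation logs.

Added example; not Joe Sandbox output and not the sample's own code.
The Base64 template is copied from the report. The path passed to
render() and the log lines below are constructed; that the sample fills
%s with its own directory is an assumption, not a statement of the report.
"""
import base64
import re

TEMPLATE_B64 = "Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI="


def decode_template():
    """Base64-decode the command template exactly as stored in the sample."""
    return base64.b64decode(TEMPLATE_B64).decode("ascii")


def render(template, path):
    """Mimic wsprintf(buf, template, path) for a template with a single %s."""
    return template.replace("%s", path, 1)


# cmd-style command line that pings the loopback address with -n <count>
# and chains a directory or file deletion on the same line.
PING_SLEEP_DELETE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+\d+.*?&\s*(?:rd|rmdir|del|erase)\b",
    re.IGNORECASE,
)


def is_ping_sleep_delete(cmdline):
    """True when a command line uses ping as a delay before deleting something."""
    return bool(PING_SLEEP_DELETE.search(cmdline))


# Constructed Sysmon-style process-creation records: "<Image> | <CommandLine>".
SAMPLE_EVENTS = [
    'C:\\Windows\\System32\\cmd.exe | cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\\Users\\user\\Desktop"',
    'C:\\Windows\\System32\\cmd.exe | cmd.exe /c ping 8.8.8.8 -n 1',
    'C:\\Windows\\System32\\cmd.exe | cmd /c ping localhost -n 5 > nul & del /f /q "C:\\Temp\\dropper.exe"',
    'C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir C:\\',
]


def flag_events(events):
    """Return the command lines that match the ping-then-delete idiom."""
    hits = []
    for ev in events:
        _image, _sep, cmdline = ev.partition(" | ")
        if is_ping_sleep_delete(cmdline):
            hits.append(cmdline)
    return hits


if __name__ == "__main__":
    tpl = decode_template()
    print(tpl)
    print(render(tpl, r"C:\Users\user\Desktop"))
    for hit in flag_events(SAMPLE_EVENTS):
        print("FLAG:", hit)
```

The pattern is anchored on a loopback target and `-n <count>` on purpose: a ping to an external host with no chained deletion (the second sample event) is ordinary connectivity checking and must not fire, while `del`, `erase`, `rd` and `rmdir` after the `&` all cover the self-removal variants seen in the wild.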
                                                                        APIs
                                                                          • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00000000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,771A8A60,00000000), ref: 10003F76
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                        • String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
                                                                        • API String ID: 1721638100-2890774959
                                                                        • Opcode ID: 03e6eb5649f995162fe0502a851718215146e7e5ecf34e072ca3f8dc286043e4
                                                                        • Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
                                                                        • Opcode Fuzzy Hash: 03e6eb5649f995162fe0502a851718215146e7e5ecf34e072ca3f8dc286043e4
                                                                        • Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60
                                                                        APIs
                                                                        • strlen.MSVCRT ref: 100058B5
                                                                        • GlobalAlloc.KERNEL32(00000040,00000001), ref: 100058C7
                                                                        • memset.MSVCRT ref: 100058D3
                                                                        • strcpy.MSVCRT(00000000,?,00000000,00000000,00000001), ref: 100058DA
                                                                        • memset.MSVCRT ref: 100058FC
                                                                        • strcpy.MSVCRT(?,00000000,?,00000000,00000001), ref: 10005908
                                                                        • GlobalFree.KERNEL32(00000000), ref: 10005911
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Globalmemsetstrcpy$AllocFreestrlen
                                                                        • String ID:
                                                                        • API String ID: 1071719858-0
                                                                        • Opcode ID: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction ID: 78a2fa517b2917b970834adb5cd9272944c22913aa7c801b0364ce0a5f020401
                                                                        • Opcode Fuzzy Hash: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction Fuzzy Hash: 2201D4B6901269BBF72097148C4AF8B7AACDF417D5F200465F802B2147D665EE4082B8
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000001,00000000,00A00000,?,1000CABA,00A00000,00000000,?,76789DE0,?,1000CB9E,100047D6), ref: 1000BBDE
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,00A00000,?,1000CABA,00A00000,00000000,?,76789DE0), ref: 1000BC18
                                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 1000BC72
                                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,1000CABA,00A00000,00000000,?,76789DE0,?,1000CB9E,100047D6,100047D6,00000003), ref: 1000BC8F
                                                                        • CloseHandle.KERNEL32(?,?,1000CABA,00A00000,00000000,?,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000), ref: 1000BC9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Create$CloseHandleMappingPointerView
                                                                        • String ID:
                                                                        • API String ID: 1737989552-0
                                                                        • Opcode ID: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction ID: 52b7da836c05925aaa6f9b96ed88e0255cb2f85f02a575bc541db1582194b3b7
                                                                        • Opcode Fuzzy Hash: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction Fuzzy Hash: 37317EB0604B86EBF330CF1488C4E0BBAE9EB043D8F108A3EF59596549DB70ED849751
                                                                        APIs
                                                                        • #825.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD20
                                                                        • #823.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD32
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD45
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD91
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?), ref: 1000BDB0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$#823#825FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3892973715-0
                                                                        • Opcode ID: 70d3a05536c547757963e2269a9c66a3c24953c0d41dd9b8c2ffe1624f591c77
                                                                        • Instruction ID: eade77e95de1ab09ce47e5abe9d45642cf2deb7cfcad3d271b4ca3a4ff9751d3
                                                                        • Opcode Fuzzy Hash: 70d3a05536c547757963e2269a9c66a3c24953c0d41dd9b8c2ffe1624f591c77
                                                                        • Instruction Fuzzy Hash: 0921BF79605B44AFE760CF54C995E57BBF8FF84780B50092FE48687A19EA30F844CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007D44
                                                                        • SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?,?,?,?,?,?,?,?,10016AE0,00000000,00080000), ref: 100050B1
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(00080008), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(00080000,?,?,?,10016AE0,00000000,00080000), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ArrayH_prologSafe$#823DataInterlocked$#825AccessDecrementIncrementUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 1452789435-0
                                                                        • Opcode ID: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction ID: ea9047e10af159b7580fc06cd53243e613a27a56fa66aaec08421a04c4a394ba
                                                                        • Opcode Fuzzy Hash: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction Fuzzy Hash: 11214875D0015A9BDB00DF98C9858BEFBB8FF44381F50402EE919A3285D738AE45CBA2
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100067C6
                                                                        • memset.MSVCRT ref: 100067ED
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 10006805
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10006820
                                                                        • CloseHandle.KERNEL32(?), ref: 10006832
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleReadmemcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3052882905-0
                                                                        • Opcode ID: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction ID: 5372e76102180c80e4120fc22f7e4cb3026b0456e1d7771b076241391e3a1f27
                                                                        • Opcode Fuzzy Hash: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction Fuzzy Hash: 2F115E7290015DBFEB11CF58CC81FCA77ADEB08395F208461FB59E6144D671AF948B64
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strlen$malloctolowertoupper
                                                                        • String ID:
                                                                        • API String ID: 1610385915-0
                                                                        • Opcode ID: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction ID: c0d6b828c61c7d5c2e34b190325b5f457e34af4db0ec980d6b37c81afeaef70f
                                                                        • Opcode Fuzzy Hash: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction Fuzzy Hash: CA019675840558EAFB12DB58DC45FFD7BBAEB092C0F600091E885D621AC735AF029795
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 1000D146
                                                                        • #823.MFC42(00000002,?,?,?,?,00000000,10005199,?,75C03D70,10004FB4,?,?,?,?,10016AE0,00000000), ref: 1000D150
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,?,?,00000000,10005199,?,75C03D70,10004FB4), ref: 1000D172
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?,?,?,?,10016AE0,00000000,00080000), ref: 1000D182
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?,?,?,?,10016AE0,00000000,00080000), ref: 1000D188
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$#823ByteCharMultiWidewcslen
                                                                        • String ID:
                                                                        • API String ID: 902154227-0
                                                                        • Opcode ID: 283cc951a1f6b3325bbd106f9e7b35091dc407a319248508b5f87fd762be128e
                                                                        • Instruction ID: 6bb69d995878b1488902086bddc70bddf1cd9bd550ac255682a075b1bb48b8d2
                                                                        • Opcode Fuzzy Hash: 283cc951a1f6b3325bbd106f9e7b35091dc407a319248508b5f87fd762be128e
                                                                        • Instruction Fuzzy Hash: E8F0F67624415A7DF220F7754C84EAFBB9CDB813F8722463BF554E6049DD15EC0081B1
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,?,1000510C,10005078), ref: 1000D0D0
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,1000510C,10005078), ref: 1000D0F7
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D107
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D10D
                                                                        • SysAllocString.OLEAUT32 ref: 1000D124
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
                                                                        • String ID:
                                                                        • API String ID: 4196186757-0
                                                                        • Opcode ID: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction ID: 2c08bb26518ab0f280075e55d60ce098becb15f14d51ddb0b8ccd9ff930e194d
                                                                        • Opcode Fuzzy Hash: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction Fuzzy Hash: C301F93250011AB6F720AB30CC45B9E3FA8EF013E1F104032F914D6098EB74A96186B5
                                                                        APIs
                                                                          • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00000000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,771A8A60,00000000), ref: 10003F76
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                        • String ID: %s\lang.ini$C:\Users\user\Desktop$http://
                                                                        • API String ID: 1721638100-518030693
                                                                        • Opcode ID: cc5d678c9803407ce5fb162c1d94cdbdae1b2679153d85ff883c85f75d479873
                                                                        • Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
                                                                        • Opcode Fuzzy Hash: cc5d678c9803407ce5fb162c1d94cdbdae1b2679153d85ff883c85f75d479873
                                                                        • Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660
                                                                        APIs
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                                          • Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D
                                                                        • strlen.MSVCRT ref: 10005FEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
                                                                        • String ID: %s\lang.ini$C:\Users\user\Desktop
                                                                        • API String ID: 3442345488-1671016533
                                                                        • Opcode ID: 6494f5da224de4b60d7ec8da68c29878e5a42309ca571d4673cbe0b578dbf8a1
                                                                        • Instruction ID: fdba07edcaf4c5d9f8880ce60f62221f71be709bcd2a0296a9a45e1c288e65da
                                                                        • Opcode Fuzzy Hash: 6494f5da224de4b60d7ec8da68c29878e5a42309ca571d4673cbe0b578dbf8a1
                                                                        • Instruction Fuzzy Hash: A5F0F6768011187AE621D6659C0BFEF3E6CDF857E0F104121FA48E90C5EB75AAC196E1
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,cmd.exe,10004399,?), ref: 10004338
                                                                        • CloseHandle.KERNEL32(00000000,?,cmd.exe,10004399,?), ref: 10004346
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseHandleOpenTerminate
                                                                        • String ID: cmd.exe
                                                                        • API String ID: 2026632969-723907552
                                                                        • Opcode ID: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction ID: f86e1008737f822a82b35af81a2ba7d261664a8727063637e60ae571ff64eda0
                                                                        • Opcode Fuzzy Hash: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction Fuzzy Hash: 91E08C327041B0BBE2715B376C4CE8B2EA8EFC97E27020524F525E2148DA604982C0B5
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,00000000,1000C494,00000000,00000001,?,00000001), ref: 1000BF78
                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 1000BFA8
                                                                        • GetLocalTime.KERNEL32(?), ref: 1000BFD6
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 1000BFE4
                                                                          • Part of subcall function 1000B9EF: GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                        • String ID:
                                                                        • API String ID: 3986731826-0
                                                                        • Opcode ID: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction ID: a661c7283e1e9e859b50db88ed376cc691573cb3dc5a3d1bc11cebbdbb99f212
                                                                        • Opcode Fuzzy Hash: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction Fuzzy Hash: 2E310AB5900B49EFE721CF69C88099BBBF9FF08394B10492EE596D2660D774E944CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000CA79
                                                                        • #823.MFC42(00004086,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000,100047D6,00000000,?,123), ref: 1000CA85
                                                                        • #825.MFC42(00000000,00A00000,00000000,?,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000,100047D6,00000000,?,123), ref: 1000CACF
                                                                          • Part of subcall function 1000CAF7: strlen.MSVCRT ref: 1000CB33
                                                                          • Part of subcall function 1000CAF7: #823.MFC42(00000001,00000000,00000001,76789DE0,1000CAA0,100080B7,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000,100047D6,00000000,?), ref: 1000CB3A
                                                                          • Part of subcall function 1000CAF7: strcpy.MSVCRT(00000000,00000000,00000001,00000000,00000001,76789DE0,1000CAA0,100080B7,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000,100047D6), ref: 1000CB43
                                                                        • #823.MFC42(00000008,00A00000,00000000,?,76789DE0,?,1000CB9E,100047D6,100047D6,00000003,00000000,100047D6,00000000,?,123), ref: 1000CADB
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$#825H_prologstrcpystrlen
                                                                        • String ID:
                                                                        • API String ID: 958000321-0
                                                                        • Opcode ID: 439a18c034a823a2dfd78f2443a1a94ac5f1420c4328b880b0f79b1a3f01fa98
                                                                        • Instruction ID: 4daa850a962544825f29420b50c2e7fca5cf2665263421bc6ff588bbe2bec9b2
                                                                        • Opcode Fuzzy Hash: 439a18c034a823a2dfd78f2443a1a94ac5f1420c4328b880b0f79b1a3f01fa98
                                                                        • Instruction Fuzzy Hash: BE01D43160031CAFFB15DF64C906F5E3AA0EF443E4F01412DF40AA71D4CB709800D692
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                        • strlen.MSVCRT ref: 10004467
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleWritestrlen
                                                                        • String ID:
                                                                        • API String ID: 1350020999-0
                                                                        • Opcode ID: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
                                                                        • Instruction ID: 674abdbc6602e5f6a43210abfac0cc78235cd9a48f578be9d5b3dbb9807df2d8
                                                                        • Opcode Fuzzy Hash: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
                                                                        • Instruction Fuzzy Hash: EFE048351402087BF7111B50DC4EFAA3B2CE784B50F208011F744A80D0DBB17D455654
                                                                        APIs
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 1000616C
                                                                          • Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,00000000,00000000,10006206), ref: 10003F39
                                                                        • memset.MSVCRT ref: 10006187
                                                                          • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                          • Part of subcall function 10003F58: InternetCloseHandle.WININET(000000FF), ref: 10003F5C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000007.00000002.3809187766.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000007.00000002.3809157417.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809221623.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809258436.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809294875.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809328889.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809369342.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809397267.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809430436.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809462809.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809493804.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809525856.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000007.00000002.3809554594.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$Open$CloseFileFormatHandleReadTime___crtmemset
                                                                        • String ID: http
                                                                        • API String ID: 1631465489-2541227442
                                                                        • Opcode ID: 705391b569755a221e2b8fe28b7a1c258c75be8f738d2a3e157d759eb6788d99
                                                                        • Instruction ID: e803b75fad12bc2b196d73d519180cebb6b4d95abcf79e6c0b0238ba5ed24b07
                                                                        • Opcode Fuzzy Hash: 705391b569755a221e2b8fe28b7a1c258c75be8f738d2a3e157d759eb6788d99
                                                                        • Instruction Fuzzy Hash: 2A01B1B690029D7EFB23D6A8DCC2EFF72ADCB0C2D4F0000B5F708A6145DAA56E8145B5
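The APIs lines in the blocks above print every argument as a raw 32-bit stack slot, so the access masks and creation flags have to be decoded by hand to see what a function does. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the listing format (API.MODULE(args), ref: addr), names the CreateFileA and OpenProcess parameters from the Windows SDK definitions, and tags the block by its call sequence. It embeds, copied from this report, the OpenProcess/TerminateProcess/CloseHandle block of function 10004326 and the CreateFileA/strlen/WriteFile/CloseHandle block of 1000443d; 001F0FFF is PROCESS_ALL_ACCESS as the SDK defined it before Vista, 40000000 is GENERIC_WRITE, 00000002 is CREATE_ALWAYS and 00000080 is FILE_ATTRIBUTE_NORMAL. One caveat the script encodes: Joe prints stack slots past an API's real parameter count, so the cmd.exe string after OpenProcess's three parameters is caller-frame context that happened to be on the stack, not an argument, and it is reported as a string seen near the call.

```python
"""Decode the "APIs" lines of a Joe Sandbox function block into named Win32
constants and tag the block by the call sequence it shows.

Added example, not part of the Joe Sandbox report or of the analysed sample.
The sample lines are copied from this report; the constant values are the
Windows SDK definitions (winnt.h / winbase.h / fileapi.h)."""
import re
from typing import Optional

# Constructed input: the APIs lines of two function blocks of this report.
REPORT_BLOCKS = {
    "10004326": [
        "OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326",
        "TerminateProcess.KERNEL32(00000000,00000000,?,cmd.exe,10004399,?), ref: 10004338",
        "CloseHandle.KERNEL32(00000000,?,cmd.exe,10004399,?), ref: 10004346",
    ],
    "1000443d": [
        "CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456",
        "strlen.MSVCRT ref: 10004467",
        "WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472",
        "CloseHandle.KERNEL32(00000000), ref: 10004479",
    ],
}

# "API.MODULE(arg,arg,...), ref: ADDR", or "API.MODULE ref: ADDR" when Joe shows no arguments.
LINE_RE = re.compile(
    r"^(?P<api>[^\s.(]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x2: "FILE_ATTRIBUTE_HIDDEN",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
# 0x1F0FFF is PROCESS_ALL_ACCESS as the SDK defined it up to XP/2003
# (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF); Vista widened it to 0x1FFFFF.
PROCESS_RIGHTS = {0x1F0FFF: "PROCESS_ALL_ACCESS(pre-Vista)", 0x1FFFFF: "PROCESS_ALL_ACCESS"}
PROCESS_BITS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                0x0400: "PROCESS_QUERY_INFORMATION"}

def parse_api_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": [] if raw is None else [a.strip() for a in raw.split(",")],
            "ref": int(m.group("ref"), 16)}

def as_int(arg: str) -> Optional[int]:
    """Joe prints 32-bit stack slots as 8 hex digits; '?' and resolved strings are not numbers."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def decode_mask(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)          # bits the table does not name
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"

def decode_call(call: dict) -> dict:
    """Name the parameters of the two calls this script knows; {} for anything else."""
    a = call["args"]
    if call["api"] == "CreateFileA" and len(a) >= 7:
        n = [as_int(x) for x in a[:7]]
        return {"lpFileName": a[0],
                "dwDesiredAccess": decode_mask(n[1], GENERIC) if n[1] is not None else a[1],
                "dwShareMode": decode_mask(n[2], SHARE) if n[2] is not None else a[2],
                "dwCreationDisposition": DISPOSITION.get(n[4], a[4]),
                "dwFlagsAndAttributes": decode_mask(n[5], ATTRS) if n[5] is not None else a[5]}
    if call["api"] == "OpenProcess" and len(a) >= 3:
        acc = as_int(a[0])
        name = PROCESS_RIGHTS.get(acc) or (decode_mask(acc, PROCESS_BITS) if acc is not None else a[0])
        return {"dwDesiredAccess": name, "bInheritHandle": a[1], "dwProcessId": a[2]}
    return {}

def stack_strings(call: dict) -> list:
    """Slots that are neither hex nor '?': strings Joe resolved from stack pointers. They may
    sit past the API's real parameter count (caller-frame context), so they are only 'seen'."""
    return [x for x in call["args"] if x != "?" and as_int(x) is None]

def tag_block(lines: list) -> dict:
    calls = [c for c in map(parse_api_line, lines) if c]
    apis = [c["api"] for c in calls]
    tags, strings = set(), set()
    for c in calls:
        strings.update(stack_strings(c))
        d = decode_call(c)
        if c["api"] == "CreateFileA" and "GENERIC_WRITE" in d.get("dwDesiredAccess", ""):
            tags.add("file-write" if "WriteFile" in apis else "file-open-write")
        if c["api"] == "OpenProcess" and "TerminateProcess" in apis:
            tags.add("process-kill")
    return {"calls": calls, "tags": tags, "strings": strings}

if __name__ == "__main__":
    for func, lines in REPORT_BLOCKS.items():
        result = tag_block(lines)
        print(func, sorted(result["tags"]), sorted(result["strings"]))
        for call in result["calls"]:
            print("   ", call["api"], decode_call(call) or call["args"])
```

The two blocks decode to a process-kill routine (PROCESS_ALL_ACCESS open followed by TerminateProcess, with cmd.exe on the stack) and a file-drop routine (GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, then WriteFile of a strlen-sized buffer). Only the first N slots of a listing, N being the API's documented parameter count, are arguments; "Part of subcall function" lines are captured at a different call site and should not be decoded positionally.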

                                                                        Execution Graph

                                                                        Execution Coverage:2.1%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:2.9%
                                                                        Total number of Nodes:35
                                                                        Total number of Limit Nodes:3
                                                                        execution_graph (node id, address, APIs called; edges as from -> to)
                                                                        • 5913 100019a0 -> 5914 100019a5 LoadLibraryA
                                                                        • 5917 10001ae2 -> 5918 10001ae7 -> 5921 10001000 strlen -> 5922 100016d9 #823 memset -> 5925 10001713 #823 lstrcpyA #825 -> 5920 10001af1 GetProcAddress
                                                                        • 5926 10002523 -> 5927 10002528 -> 5928 10001000 (6 API calls) -> 5929 10002532 GetProcAddress
                                                                        • 5938 10001ca9 -> 5939 10001cae -> 5940 10001000 (6 API calls) -> 5941 10001cb8 GetProcAddress
                                                                        • 5952 10001812 -> 5953 10001817 -> 5954 10001000 (6 API calls) -> 5955 10001821
                                                                        • 5964 1000cfbc -> 5966 1000cfd8, 5967 1000cfcf
                                                                        • 5966 1000cfd8 -> 5967 1000cfcf, 5971 1000d000, 5972 1000cf11
                                                                        • 5967 1000cfcf -> 5968 1000d020, 5970 1000cf11 (3 API calls), 5971 1000d000
                                                                        • 5968 1000d020 -> 5969 1000cf11 (3 API calls), 5971 1000d000
                                                                        • 5969 1000cf11 -> 5971 1000d000; 5970 1000cf11 -> 5968 1000d020
                                                                        • 5972 1000cf11 -> 5973 1000cf19 -> 5974 1000cf3a malloc, 5976 1000cf4f, 5977 1000cf79
                                                                        • 5974 1000cf3a malloc -> 5975 1000cf53 _initterm, 5976 1000cf4f; 5975 1000cf53 -> 5976 1000cf4f
                                                                        • 5976 1000cf4f -> 5967 1000cfcf
                                                                        • 5977 1000cf79 -> 5976 1000cf4f, 5978 1000cfa6 free; 5978 1000cfa6 -> 5976 1000cf4f
                                                                        • 5979 1000443d CreateFileA strlen WriteFile CloseHandle (no edges)
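Joe Sandbox exports the execution graph as a flat token stream (node id, address, API labels, then id->id edges), which is easy to mis-read once a helper appears under several node ids. The script below is an added example, not part of the Joe Sandbox report: RAW is this report's own execution_graph line copied verbatim in the exported form, and the functions rebuild the graph, list the roots (nodes with no incoming edge), group callers by address and walk each root to its sinks. On this data that surfaces 10001000 (strlen, #823, memset, #823, lstrcpyA, #825) as one helper reached from four separate roots, three of whose chains end in a GetProcAddress call.

```python
"""Parse the flat execution_graph token stream that Joe Sandbox emits
(node id, address, API labels, and id->id edges) back into a call graph.

Added example, not part of the Joe Sandbox report. RAW is the report's own
execution_graph line, copied verbatim; everything else is this script's."""
import re
from collections import defaultdict

RAW = ("execution_graph 5913 100019a0 5914 100019a5 LoadLibraryA 5913->5914 5917 10001ae2 5918 10001ae7 "
       "5917->5918 5921 10001000 strlen 5918->5921 5920 10001af1 GetProcAddress 5922 100016d9 #823 memset "
       "5921->5922 5925 10001713 #823 lstrcpyA #825 5922->5925 5925->5920 5926 10002523 5927 10002528 "
       "5926->5927 5928 10001000 6 API calls 5927->5928 5929 10002532 GetProcAddress 5928->5929 5938 10001ca9 "
       "5939 10001cae 5938->5939 5940 10001000 6 API calls 5939->5940 5941 10001cb8 GetProcAddress 5940->5941 "
       "5952 10001812 5953 10001817 5952->5953 5954 10001000 6 API calls 5953->5954 5955 10001821 5954->5955 "
       "5964 1000cfbc 5966 1000cfd8 5964->5966 5967 1000cfcf 5964->5967 5966->5967 5971 1000d000 5966->5971 "
       "5972 1000cf11 5966->5972 5968 1000d020 5967->5968 5970 1000cf11 3 API calls 5967->5970 5967->5971 "
       "5969 1000cf11 3 API calls 5968->5969 5968->5971 5969->5971 5970->5968 5973 1000cf19 5972->5973 "
       "5974 1000cf3a malloc 5973->5974 5976 1000cf4f 5973->5976 5977 1000cf79 5973->5977 5975 1000cf53 _initterm "
       "5974->5975 5974->5976 5975->5976 5976->5967 5977->5976 5978 1000cfa6 free 5977->5978 5978->5976 "
       "5979 1000443d CreateFileA strlen WriteFile CloseHandle")

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{8}$")

def parse_execution_graph(raw: str):
    """nodes: id -> {"addr", "labels"}; edges: list of (src_id, dst_id)."""
    toks = raw.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                      # labels never follow an edge token
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)                    # "ID ADDR" starts a node
            nodes[cur] = {"addr": toks[i + 1], "labels": []}
            i += 1
        elif cur is not None:
            nodes[cur]["labels"].append(t)  # API names, or "6 API calls" ("6" is not followed by an address)
        i += 1
    return nodes, edges

def successors(edges):
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    return succ

def roots(nodes, edges):
    """Node ids with no incoming edge: the entry points Joe started execution from."""
    targets = {d for _, d in edges}
    return sorted(n for n in nodes if n not in targets)

def callers_by_address(nodes, edges):
    """addr -> set of caller addrs. An address with several node ids and callers is a shared helper."""
    out = defaultdict(set)
    for s, d in edges:
        out[nodes[d]["addr"]].add(nodes[s]["addr"])
    return out

def chains(nodes, succ, node, path=()):
    """Every path from node to a sink, each step rendered as 'addr labels' (DFS, cycle-safe)."""
    path = path + (node,)
    nxt = [n for n in succ.get(node, []) if n not in path]
    if not nxt:
        return [[(nodes[n]["addr"] + " " + " ".join(nodes[n]["labels"])).strip() for n in path]]
    out = []
    for n in nxt:
        out.extend(chains(nodes, succ, n, path))
    return out

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(RAW)
    succ = successors(edges)
    print(f"{len(nodes)} nodes, {len(edges)} edges, roots: "
          + ", ".join(nodes[r]["addr"] for r in roots(nodes, edges)))
    for addr, callers in sorted(callers_by_address(nodes, edges).items()):
        if len(callers) > 1:
            print(f"shared helper {addr} called from {sorted(callers)}")
    for r in roots(nodes, edges):
        for chain in chains(nodes, succ, r):
            print(" -> ".join(chain))
```

The node count the parser recovers (35) matches the report's "Total number of Nodes" figure, which is a quick sanity check that no token was mis-classified as a label.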

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 47 1000443d-10004481 CreateFileA strlen WriteFile CloseHandle
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                        • strlen.MSVCRT ref: 10004467
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleWritestrlen
                                                                        • String ID:
                                                                        • API String ID: 1350020999-0
                                                                        • Opcode ID: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
                                                                        • Instruction ID: 674abdbc6602e5f6a43210abfac0cc78235cd9a48f578be9d5b3dbb9807df2d8
                                                                        • Opcode Fuzzy Hash: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
                                                                        • Instruction Fuzzy Hash: EFE048351402087BF7111B50DC4EFAA3B2CE784B50F208011F744A80D0DBB17D455654

                                                                        Control-flow Graph

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$#825lstrcpymemsetstrlen
                                                                        • String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1$2$3$4$5$6$7$8$9$:$;$<$=$>$?
                                                                        • API String ID: 3251808775-1038084669
                                                                        • Opcode ID: b11ca45e2396e9c86b8ddb6aba5292ea4cd214887a5bfd65de22252d69a1cce1
                                                                        • Instruction ID: 1e2c39c5481c49465f245eab400177fe17c9ce5cbd2174da6fe3dd4c7a143f85
                                                                        • Opcode Fuzzy Hash: b11ca45e2396e9c86b8ddb6aba5292ea4cd214887a5bfd65de22252d69a1cce1
                                                                        • Instruction Fuzzy Hash: 44323BB0D252798BEB65CF49C9987DDBBB8FB09B44F1081DBE158A6241C7B50B85CF80

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 29 1000cf11-1000cf17 30 1000cf27-1000cf38 29->30 31 1000cf19-1000cf1f 29->31 32 1000cf79-1000cf7b 30->32 33 1000cf3a-1000cf4d malloc 30->33 34 1000cf21 31->34 35 1000cf4f-1000cf51 31->35 38 1000cfb6-1000cfb8 32->38 39 1000cf7d-1000cf84 32->39 33->35 36 1000cf53-1000cf77 _initterm 33->36 34->30 37 1000cfb9 35->37 36->38 38->37 39->38 40 1000cf86-1000cf8d 39->40 41 1000cf90-1000cf92 40->41 42 1000cf94-1000cf98 41->42 43 1000cfa6-1000cfb5 free 41->43 44 1000cfa1-1000cfa4 42->44 45 1000cf9a-1000cf9c 42->45 43->38 44->41 45->44
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: _inittermfreemalloc
                                                                        • String ID: k{v
                                                                        • API String ID: 1678931842-443568515
                                                                        • Opcode ID: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
                                                                        • Instruction ID: 0e2fbd444cc1af3c64615f742c80b3cddb005ce76f3f19b4b4b8d30d748738d8
                                                                        • Opcode Fuzzy Hash: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
                                                                        • Instruction Fuzzy Hash: 8E11EC716043279BF714CBA4DE84B6677F6F7083D1B11807EE909D7168EB31E8418B56

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 68 10002983-1000298d call 10001000 71 10002992-100029a5 GetProcAddress 68->71
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000299A
                                                                        Strings
                                                                        • R2V0TW9kdWxlRmlsZU5hbWVB, xrefs: 10002988
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0TW9kdWxlRmlsZU5hbWVB
                                                                        • API String ID: 190572456-4201997209
                                                                        • Opcode ID: 1557f5d79256d7c8ac66964af858d2a5d3a9d876618c51bceefced0cd8189c30
                                                                        • Instruction ID: b1a1b435f00da94364d5068d1a7261ba1d721826fe38f5c424aadfdcf37e0a94
                                                                        • Opcode Fuzzy Hash: 1557f5d79256d7c8ac66964af858d2a5d3a9d876618c51bceefced0cd8189c30
                                                                        • Instruction Fuzzy Hash: CBC09BB4411555DEF711DB30DD45A543675F7183C3B504215F450D413DDFB06981D610

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 48 10001ae2-10001aec call 10001000 51 10001af1-10001b04 GetProcAddress 48->51
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10001AF9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: U2V0RXJyb3JNb2Rl
                                                                        • API String ID: 190572456-495186574
                                                                        • Opcode ID: b81d5d325cadc815cdd1632931e62b9bb143e88e1171eecaeda0c1d789539086
                                                                        • Instruction ID: b3207cb24b35482d93af76edd0b439524cf254a3b1688944550d3917fc20d73e
                                                                        • Opcode Fuzzy Hash: b81d5d325cadc815cdd1632931e62b9bb143e88e1171eecaeda0c1d789539086
                                                                        • Instruction Fuzzy Hash: D8C04C74421550EAF711DB60DC496693A66F749281F104115F4419412CEB705881D615

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 52 10001ca9-10001cb3 call 10001000 55 10001cb8-10001ccb GetProcAddress 52->55
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10001CC0
                                                                        Strings
                                                                        • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB, xrefs: 10001CAE
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB
                                                                        • API String ID: 190572456-1897290307
                                                                        • Opcode ID: aac3f6f07ca681beb31007582e3c0fefaca278ca4a11224ae424bf2c9ba99a53
                                                                        • Instruction ID: 679180479ed6cfc3c3ab9d5752cbc6c40d3ed07f1b9e890cc62039329d529da3
                                                                        • Opcode Fuzzy Hash: aac3f6f07ca681beb31007582e3c0fefaca278ca4a11224ae424bf2c9ba99a53
                                                                        • Instruction Fuzzy Hash: 2AC09B745101549FF711DB61DD45B543726F7083C17508115F4409413CDBB1D881DF15

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 56 10002523-10002545 call 10001000 GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000253A
                                                                        Strings
                                                                        • TmV0TG9jYWxHcm91cEVudW0=, xrefs: 10002528
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0TG9jYWxHcm91cEVudW0=
                                                                        • API String ID: 190572456-980335172
                                                                        • Opcode ID: 327d9bad702a7a7c842a33e500bfd4edb7a997bbbb3fa120786fb7268e4a0849
                                                                        • Instruction ID: 63a1c40aa0e56be92247ee1fed4819ec6860f7f49589733cfa06d56f95f5deb7
                                                                        • Opcode Fuzzy Hash: 327d9bad702a7a7c842a33e500bfd4edb7a997bbbb3fa120786fb7268e4a0849
                                                                        • Instruction Fuzzy Hash: DBC02BB0402010DEF302CF20FC48B143650E30C3C3B204054F4004003DDF7058C05911

                                                                        Control-flow Graph

                                                                        control_flow_graph 60 10002546-10002550 call 10001000 63 10002555-10002568 GetProcAddress 60->63
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000255D
                                                                        Strings
                                                                        • TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=, xrefs: 1000254B
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
                                                                        • API String ID: 190572456-3430808999

                                                                        Control-flow Graph

                                                                        control_flow_graph 64 100025af-100025d1 call 10001000 GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 100025C6
                                                                        Strings
                                                                        • TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 100025B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0QXBpQnVmZmVyRnJlZQ==
                                                                        • API String ID: 190572456-3244026974

                                                                        Control-flow Graph

                                                                        control_flow_graph 72 1000363a-10003644 call 10001000 75 10003649-1000365c GetProcAddress 72->75
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10003651
                                                                        Strings
                                                                        • R2V0TW9kdWxlQmFzZU5hbWVB, xrefs: 1000363F
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0TW9kdWxlQmFzZU5hbWVB
                                                                        • API String ID: 190572456-2033685547

                                                                        Control-flow Graph

                                                                        control_flow_graph 76 100019a0-100019b6 LoadLibraryA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 78 100019ce-100019e4 LoadLibraryA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 80 100019fc-10001a12 LoadLibraryA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 82 10001a41-10001a57 LoadLibraryA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 84 10001ab4-10001aca LoadLibraryA
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction ID: 44505aba912a868df48011d1cc75e83db32967a8423b7cb2a14cd0cb0a600a36
                                                                        • Opcode Fuzzy Hash: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction Fuzzy Hash: FBB012B4001560CBF7008F50CCC40047E23E30D345B20C015FD005013DC7314450AE00
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10004978
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 1000498A
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 10004992
                                                                        • htons.WS2_32(00000035), ref: 100049A3
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 100049B4
                                                                        • htons.WS2_32(00000035), ref: 100049BB
                                                                        • inet_addr.WS2_32(?), ref: 100049C1
                                                                        • bind.WS2_32(?,?,00000010), ref: 100049CC
                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 100049E5
                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 10004A17
                                                                        • WSAGetLastError.WS2_32 ref: 10004A21
                                                                        • Sleep.KERNEL32(000003E8), ref: 10004A28
                                                                        • memset.MSVCRT ref: 10004A45
                                                                        • recvfrom.WS2_32(?,?,00000200,00000000,?,00000010), ref: 10004A61
                                                                        • memset.MSVCRT ref: 10004A87
                                                                        • wsprintfA.USER32 ref: 10004AC9
                                                                        • StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?), ref: 10004AE4
                                                                        • StrStrIA.SHLWAPI(?,alyac), ref: 10004AFC
                                                                        • StrStrIA.SHLWAPI(?,ahnlab), ref: 10004B0E
                                                                        • StrStrIA.SHLWAPI(?,v3lite), ref: 10004B20
                                                                        • malloc.MSVCRT ref: 10004B31
                                                                        • memcpy.MSVCRT(00000000,?,00000002), ref: 10004B40
                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000002), ref: 10004B56
                                                                        • htons.WS2_32(00008180), ref: 10004B63
                                                                        • htons.WS2_32(00008182), ref: 10004B77
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004B88
                                                                        • htons.WS2_32(00000001), ref: 10004B92
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BA3
                                                                        • htons.WS2_32(0000C00C), ref: 10004BBE
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BCF
                                                                        • htons.WS2_32(00000001), ref: 10004BD9
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BE7
                                                                        • htons.WS2_32(00000001), ref: 10004BF1
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BFF
                                                                        • htonl.WS2_32(0000007B), ref: 10004C09
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C1C
                                                                        • htons.WS2_32(00000004), ref: 10004C26
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004C34
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 10004C50
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C63
                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000004), ref: 10004C7B
                                                                        • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 10004C95
                                                                        • closesocket.WS2_32(?), ref: 10004CB5
                                                                        • closesocket.WS2_32(?), ref: 10004CBA
                                                                        • WSACleanup.WS2_32 ref: 10004CBC
                                                                        Strings
                                                                        • ahnlab, xrefs: 10004B08
                                                                        • alyac, xrefs: 10004AF6
                                                                        • 127.0.0.1, xrefs: 100049AB, 10004C4B
                                                                        • 8.8.8.8, xrefs: 10004949
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10004ADF
                                                                        • %s|, xrefs: 10004AC3
                                                                        • v3lite, xrefs: 10004B1A
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$htons$inet_addr$closesocketmemsetsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtowsprintf
                                                                        • String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 545395166-2566164256
                                                                        • Opcode ID: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction ID: f4d92e3438a437d2299d84abcf9c5d8c75e9b4238ea887dab6cfd6e428023447
                                                                        • Opcode Fuzzy Hash: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction Fuzzy Hash: 4FB12BB2D0025CAAEB11DBE4CC85EDFBBBCEB48340F014566E604F6155EB71AA44CFA1
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcat$FileFindlstrcpy$#823DirectoryFirstNextPath_strcmpi
                                                                        • String ID: %s\%s$*.*$.$107.160.131.252:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                                        • API String ID: 2329406363-814645805
                                                                        • Opcode ID: 37b47c7ba2c27473b8910e5e435b14cdcd88c29ffb91b507766bf1329a5379fd
                                                                        • Instruction ID: d457cdbbe753c7b4e7560833b0a44fa5530ca94c09af8d9545d2bbe4c99e139f
                                                                        • Opcode Fuzzy Hash: 37b47c7ba2c27473b8910e5e435b14cdcd88c29ffb91b507766bf1329a5379fd
                                                                        • Instruction Fuzzy Hash: 3271607290425DAEEB51DBA4CC45FDABBBCFB48381F1004E6E608F6195DB709B888F50
                                                                        APIs
                                                                        • #823.MFC42(00000004), ref: 10005210
                                                                        • #823.MFC42(000000FF,00000004), ref: 10005225
                                                                        • #823.MFC42(00000000,000000FF,00000004), ref: 1000523F
                                                                        • strrchr.MSVCRT ref: 10005250
                                                                        • strncpy.MSVCRT ref: 10005267
                                                                        • strncpy.MSVCRT ref: 10005271
                                                                        • GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                        • GetCurrentProcess.KERNEL32(00000020,?), ref: 10005296
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 100052AD
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                        • CloseHandle.KERNEL32(?), ref: 100052E2
                                                                        • strlen.MSVCRT ref: 100052EE
                                                                        • sscanf.MSVCRT ref: 1000530A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
                                                                        • String ID: %[^$SeDebugPrivilege
                                                                        • API String ID: 1460262115-1521022383
                                                                        • Opcode ID: dd54c802b8f8b7ecd1266b55cc8fef6123e2c6864af47b6229623f8ae5d47dda
                                                                        • Instruction ID: 1d4034c089aeb94910ddb95873c9201c7a3e8f51f79135a92f0693b8715c0055
                                                                        • Opcode Fuzzy Hash: dd54c802b8f8b7ecd1266b55cc8fef6123e2c6864af47b6229623f8ae5d47dda
                                                                        • Instruction Fuzzy Hash: 3631FDB5801228EFF700DFA4CDC9E9A7BB8EB08742F14802AF514EA264D7729942CF51
                                                                        APIs
                                                                        • sprintf.MSVCRT ref: 10008BA5
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10008BC0
                                                                        • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,10008A8C,00000000), ref: 10008BE6
                                                                        • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 10008BF7
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10008C04
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,10008A8C), ref: 10008C46
                                                                        • memset.MSVCRT ref: 10008C71
                                                                        • strcpy.MSVCRT(00000044,00000000,00000013), ref: 10008C8B
                                                                        • memset.MSVCRT ref: 10008C97
                                                                        • strcpy.MSVCRT(00000004,00000000,0000002E,?,?,?,?,00000013), ref: 10008CB1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memsetstrcpy$CloseControlCreateDeviceErrorFileFormatHandleLastMessagesprintf
                                                                        • String ID: 12051805$\\.\PHYSICALDRIVE%d
                                                                        • API String ID: 1986549085-3647642929
                                                                        • Opcode ID: acbfd8a12bd757b9287e670d97e34f8c911fe85aec8c424d0e9dfc58dd7dcc77
                                                                        • Instruction ID: 4125160363e842b8e7a1d76db44e57ca0f3beb1210815641832f8c97af22e03e
                                                                        • Opcode Fuzzy Hash: acbfd8a12bd757b9287e670d97e34f8c911fe85aec8c424d0e9dfc58dd7dcc77
                                                                        • Instruction Fuzzy Hash: 1231D0B6640229BEFB10D7A0CD86FEE736CEB05394F104221FA45A60C4EB74AF4587B5
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Find$File$#825CloseFirstNextstrcatstrcpystrlenwsprintf
                                                                        • String ID: %s\%s$.$\*.*
                                                                        • API String ID: 842957512-2210278135
                                                                        • Opcode ID: b4c73bc3ca2c33e5ad31019ee68780f9b663d34cc684c3e582d2d03e2533959f
                                                                        • Instruction ID: 3547d33416261faf8458c6710b5cd13efccda21bf8dfe0cc576b5eff074e2184
                                                                        • Opcode Fuzzy Hash: b4c73bc3ca2c33e5ad31019ee68780f9b663d34cc684c3e582d2d03e2533959f
                                                                        • Instruction Fuzzy Hash: 97314DB2C0025CBBEF12DFA4CC45ADE7B79EB04380F1104E6E619A2055DB719B989F51
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 100042AF
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 100042B6
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 100042CA
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 100042FF
                                                                        • CloseHandle.KERNEL32(?), ref: 10004308
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                        • String ID:
                                                                        • API String ID: 3038321057-0
                                                                        • Opcode ID: 48c8a8b62aeca1ae66fe4ceac2ed7693a64b83dd0d2846575f8c7491ea7827f4
                                                                        • Instruction ID: b0a8796efaa8e3b84787a9bca2c6b8d54da9404ad25a0782a1589f7175c46836
                                                                        • Opcode Fuzzy Hash: 48c8a8b62aeca1ae66fe4ceac2ed7693a64b83dd0d2846575f8c7491ea7827f4
                                                                        • Instruction Fuzzy Hash: 1A011672900129BFEB10DFA4CC89AEFBBFCEF08380F004051F905E2154EBB09A408BA0
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000649E
                                                                        • memset.MSVCRT ref: 100064DA
                                                                        • wsprintfA.USER32 ref: 100064F7
                                                                        • #823.MFC42(0007D000), ref: 10006503
                                                                        • memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                        • strlen.MSVCRT ref: 1000656F
                                                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                        • memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • #823.MFC42(?), ref: 100065D2
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 100065E6
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100065F3
                                                                        • #823.MFC42(00000001), ref: 100065FE
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 10006614
                                                                        • #825.MFC42(?), ref: 1000661D
                                                                        • strlen.MSVCRT ref: 10006625
                                                                        • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10006633
                                                                        • #825.MFC42(?), ref: 1000663C
                                                                        • strlen.MSVCRT ref: 1000664D
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(title,00000000,00000000), ref: 10006659
                                                                        • strlen.MSVCRT ref: 10006667
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10015660,00000005,00000000), ref: 10006676
                                                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,-00000006,-00000006), ref: 1000668D
                                                                        • strlen.MSVCRT ref: 100066A5
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066B9
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066C7
                                                                        • wsprintfA.USER32 ref: 100066E9
                                                                        • strlen.MSVCRT ref: 100066F0
                                                                        • #825.MFC42(?), ref: 10006724
                                                                        • strrchr.MSVCRT ref: 1000672C
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006745
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006753
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000676A
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006778
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$strlen$ByteCharMultiWide$#823#825InternetV12@memset$?find@?$basic_string@Openwsprintf$?append@?$basic_string@?assign@?$basic_string@?substr@?$basic_string@FileFormatH_prologReadTime___crtstrrchr
                                                                        • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                        • API String ID: 1229813879-2496724313
                                                                        • Opcode ID: 9b4abc579768af9e6d288c688c0c4273486453251afc56da2ed0f4637ad25651
                                                                        • Instruction ID: 10439b61b20b70afd7aa5347c4b54e4e6ebd0b7274b3fc8efdd7ca783922ac27
                                                                        • Opcode Fuzzy Hash: 9b4abc579768af9e6d288c688c0c4273486453251afc56da2ed0f4637ad25651
                                                                        • Instruction Fuzzy Hash: D091CFB6801258BFFB01DBA4CD89EEE7F7DEF08394F244065F505B6295DA315E808BA1
                                                                        APIs
                                                                        • memcmp.MSVCRT(00000000,-00000001), ref: 10005406
                                                                        • wsprintfA.USER32 ref: 10005437
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 1000549E
                                                                        • wsprintfA.USER32 ref: 100054BC
                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 100054CA
                                                                        • PrintFile.PQZ6GU98EH(?,?), ref: 100054DE
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                        • WriteProcessMemory.KERNEL32(?,?,00000009,00000000), ref: 100054FC
                                                                        • time.MSVCRT(00000000), ref: 1000551B
                                                                        • srand.MSVCRT ref: 10005522
                                                                        • rand.MSVCRT ref: 1000552A
                                                                        • rand.MSVCRT ref: 10005538
                                                                        • rand.MSVCRT ref: 10005543
                                                                        • rand.MSVCRT ref: 1000554E
                                                                        • rand.MSVCRT ref: 10005559
                                                                        • rand.MSVCRT ref: 10005564
                                                                        • wsprintfA.USER32 ref: 10005582
                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000559C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 100055A3
                                                                        • Sleep.KERNEL32(000003E8), ref: 100055AE
                                                                        • DeleteFileA.KERNEL32(?), ref: 100055BB
                                                                        • memcmp.MSVCRT(?,-000000FE), ref: 10005602
                                                                        Strings
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                                        • %s\%s, xrefs: 10005431
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                                                        • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: rand$File$strcatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryPrintProcessSleepsrandstrcpystrlentime
                                                                        • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                        • API String ID: 3546221339-455112146
                                                                        • Opcode ID: 77dc5654d890d41b8df4c3bfc927f4e08fa7dbbc842ad33926e75cec058c366f
                                                                        • Instruction ID: 023f1052d7a0be8e83d6270df64d4839765010a646a328037934ecf360ce8854
                                                                        • Opcode Fuzzy Hash: 77dc5654d890d41b8df4c3bfc927f4e08fa7dbbc842ad33926e75cec058c366f
                                                                        • Instruction Fuzzy Hash: FF610873A40258BFFB10DB64CC49FDE776DEB84351F184466F604AB180CBB5EA848B64
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10004D3B
                                                                        • memset.MSVCRT ref: 10004D59
                                                                        • CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?), ref: 10004D63
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?), ref: 10004D8E
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10004DE2
                                                                        • wcscat.MSVCRT ref: 10004E18
                                                                        • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                        • strcpy.MSVCRT(?,00000000,?), ref: 10004F52
                                                                        • _strcmpi.MSVCRT ref: 10004F75
                                                                        • strcpy.MSVCRT(?,00000000,?), ref: 10004FC0
                                                                        • StrStrIA.SHLWAPI(?,svchost.exe -k NetworkService,?), ref: 10004FE6
                                                                        • VariantClear.OLEAUT32(?), ref: 10005009
                                                                        • VariantClear.OLEAUT32(?), ref: 1000500F
                                                                        • CoUninitialize.OLE32 ref: 10005035
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Init$ClearH_prologInitializestrcpy$#823BlanketCreateInstanceProxySecurityUninitialize_strcmpimemsetwcscat
                                                                        • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                        • API String ID: 53594991-2685825574
                                                                        • Opcode ID: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction ID: f36072ad76851ef4156648f9e7cf886c39e7a66da788ed21f351d69932db9bd7
                                                                        • Opcode Fuzzy Hash: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction Fuzzy Hash: 26A12AB1900259AFEB04DF94CC84DEEBBB8FF48394F104569F615AB294DB31AE45CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007224
                                                                          • Part of subcall function 1000774B: CoInitializeEx.OLE32(00000000,00000000,00080000,?,10007235,00080000), ref: 1000776E
                                                                          • Part of subcall function 100077B2: _EH_prolog.MSVCRT ref: 100077B7
                                                                          • Part of subcall function 100077B2: strlen.MSVCRT ref: 100077D2
                                                                          • Part of subcall function 100077B2: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                          • Part of subcall function 100077B2: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100077B2: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • InterlockedIncrement.KERNEL32(-00000008), ref: 1000728C
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • strlen.MSVCRT ref: 100072ED
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
                                                                        • VariantInit.OLEAUT32(?), ref: 1000735E
                                                                        • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
                                                                        • VariantInit.OLEAUT32(?), ref: 10007388
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007462
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007467
                                                                        • strlen.MSVCRT ref: 10007481
                                                                        • strlen.MSVCRT ref: 10007497
                                                                          • Part of subcall function 10007A73: _EH_prolog.MSVCRT ref: 10007A78
                                                                          • Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007A73: InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
                                                                        • VariantInit.OLEAUT32(?), ref: 10007524
                                                                        • CoUninitialize.OLE32(Win32_NetworkAdapterConfiguration,IPEnabled=TRUE,00080000), ref: 1000760B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ArraySafe$CreateInitstrlen$H_prologInterlocked$ClearDestroyIncrementInitialize$#825BlanketDecrementInstanceProxySecurityUninitialize
                                                                        • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                        • API String ID: 3394522676-1668994663
                                                                        • Opcode ID: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction ID: a4af8c9dca73a5c283ada5a53ee1da82c278c6dc42568daf6e2b053f761370a2
                                                                        • Opcode Fuzzy Hash: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction Fuzzy Hash: 45D14C70D00219EFEB15CFA4C880AEEBBB8FF45781F104019F519AB259DB75AA45CFA1
                                                                        APIs
                                                                        • Sleep.KERNEL32(0000EA60), ref: 10006F35
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F7E
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F88
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006F9C
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FB3
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FBE
                                                                        • memset.MSVCRT ref: 10007035
                                                                        • Sleep.KERNEL32 ref: 1000706A
                                                                        • strlen.MSVCRT ref: 10007098
                                                                        • wsprintfA.USER32 ref: 100070AE
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000), ref: 100070E7
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000,?,00000000), ref: 100070FA
                                                                        • strcmp.MSVCRT ref: 10007105
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryFilePrintSleepSystemstrcat$#823memsetstrcmpstrlenwsprintf
                                                                        • String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.252:23588/article.php$iOffset
                                                                        • API String ID: 2115399682-1682937122
                                                                        • Opcode ID: 34783836d23a8db4268eedaf92dd829836002f85e3c0af5e734622589c8d7944
                                                                        • Instruction ID: 72fa86c02a68da5800153c7bf3c705a219ab7ae35cbe7a85c82bd612e58ef154
                                                                        • Opcode Fuzzy Hash: 34783836d23a8db4268eedaf92dd829836002f85e3c0af5e734622589c8d7944
                                                                        • Instruction Fuzzy Hash: BE51C9B6D04359AAF721D764CC46FCF77ACEB083C1F1045A5F208A6086DA75AB848E55
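Three of the tokens on the String ID line above (QVNEU3ZjLmV4ZQ==, XGRyaXZlcnNcZXRjXGhvc3Rz, XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==) are base64, and the same two path blobs are passed straight to strcat after GetSystemDirectoryA. Decoding them is the quickest way to see what this function is building. The following Python is an added example, not part of the Joe Sandbox output or of the sample's own code: it decodes the base64 tokens of a String ID line and replays the GetSystemDirectoryA + strcat sequence. The two String ID lines are copied from this report; the system directory C:\Windows\system32 is an assumed value standing in for whatever GetSystemDirectoryA returns.

```python
import base64
import re
from typing import Dict, Optional

# A Joe Sandbox "String ID" line joins a function's string references with "$".
# Only tokens that are syntactically valid base64 are attempted.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Copied from this report: the String ID lines of the functions at 10006F35 and 100082CA.
STRING_ID_10006F35 = (
    "QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$"
    "c:\\1.txt$http://107.160.131.252:23588/article.php$iOffset"
)
STRING_ID_100082CA = (
    "127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$"
    "Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.252:23588/article.php"
)


def try_b64(token: str) -> Optional[str]:
    """Decode token if it is valid base64 that yields printable ASCII; otherwise None."""
    if len(token) % 4 or not _B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None  # decodes, but not to text: e.g. "DNSServerSearchOrder" is not base64
    return raw.decode("ascii")


def decode_string_ids(line: str) -> Dict[str, Optional[str]]:
    """Map every '$'-separated String ID token to its decoded text, or None."""
    return {tok: try_b64(tok) for tok in line.split("$") if tok}


def resolve_paths(decoded: Dict[str, Optional[str]],
                  system_dir: str = r"C:\Windows\system32") -> Dict[str, str]:
    """Replay the report's GetSystemDirectoryA(...) then strcat(...) pattern: the decoded
    blobs begin with a backslash and are appended to the system directory.
    system_dir is an assumed value; a real host uses what GetSystemDirectoryA returns."""
    return {tok: system_dir + text
            for tok, text in decoded.items()
            if text and text.startswith("\\")}


if __name__ == "__main__":
    for line in (STRING_ID_10006F35, STRING_ID_100082CA):
        decoded = decode_string_ids(line)
        for tok, text in decoded.items():
            if text is not None:
                print(f"{tok} -> {text}")
        for tok, path in resolve_paths(decoded).items():
            print(f"  target file: {path}")
```

The tokens decode to ASDSvc.exe (the AhnLab Smart Defense service name, which is what the "AV process strings found" signature is keyed on), \drivers\etc\hosts and \drivers\etc\hosts.ics; the extra token in the second function's line decodes to cmd.exe /c ipconfig /flushdns, which is what that function hands to WinExec after it is done with the hosts files.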
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcspnstrstr$strcpystrncpy$FormatStartupTime___crtatoiclosesocketconnecthtonsmemsetsocket
                                                                        • String ID: http://
                                                                        • API String ID: 1412329544-1121587658
                                                                        • Opcode ID: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction ID: bda3bb5fe2d8b3d060f482acd811e7885a41a1d7ee8f75e9f264fd4272d9bcff
                                                                        • Opcode Fuzzy Hash: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction Fuzzy Hash: E851567290426CABFB10DBA4DC89FDE77ACEF04394F1004A6F608E6195DA749F458BA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: /$UT
                                                                        • API String ID: 0-1626504983
                                                                        • Opcode ID: 852622564ec4b07a6b6f7f536fb0b8595a6822e117332c7ee593b18b30d01d06
                                                                        • Instruction ID: f54fcba8cf9e0f27e2bd44127f596e67299a7ae9ee4814bd1667c505b59f09c1
                                                                        • Opcode Fuzzy Hash: 852622564ec4b07a6b6f7f536fb0b8595a6822e117332c7ee593b18b30d01d06
                                                                        • Instruction Fuzzy Hash: D002D375A0439D9BEB21CF68C844F9EBBF5EF04380F1444AEE449A7246CB70AE85CB55
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082CA
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082D4
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082E8
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082FF
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 1000830A
                                                                        • memset.MSVCRT ref: 10008381
                                                                        • Sleep.KERNEL32 ref: 100083A5
                                                                        • strlen.MSVCRT ref: 100083D3
                                                                        • strcmp.MSVCRT ref: 100083E5
                                                                        • wsprintfA.USER32 ref: 100083F7
                                                                        • WinExec.KERNEL32(00000000,00000000), ref: 10008422
                                                                        Strings
                                                                        • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
                                                                        • 127.0.0.1, xrefs: 10008405
                                                                        • 8.8.8.8, xrefs: 10008400
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 10008364
                                                                        • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
                                                                        • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectorySystemstrcat$#823ExecSleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 2179988888-3096136484
                                                                        • Opcode ID: eb8ee1f67ef8b6176ace78af9f5f151e4eb5de1024bbfe4c57946852b65a3e88
                                                                        • Instruction ID: 326cc2718642543c1dd7a400e4c7d0959c533b8060c56875ff79f0cc4eb49833
                                                                        • Opcode Fuzzy Hash: eb8ee1f67ef8b6176ace78af9f5f151e4eb5de1024bbfe4c57946852b65a3e88
                                                                        • Instruction Fuzzy Hash: 0441E3B6D04258B6FB21D364CC46FCB7B6CEB44380F2040A5F248BA086DAB4BB848F55
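Read together, the WMI function at 10007224 (SetDNSServerSearchOrder and SetGateways on Win32_NetworkAdapterConfiguration, filtered by IPEnabled=TRUE) and the function at 100082CA (the hosts and hosts.ics paths, then cmd.exe /c ipconfig /flushdns via WinExec) describe a resolver hijack: name resolution is redirected at the hosts-file layer and at the adapter DNS layer, then the cache is flushed so the change takes effect immediately. The following Python is an added host-side check, not part of the report or of the sample: it classifies hosts-file entries into redirects and blackholes and compares each IP-enabled adapter's DNSServerSearchOrder against an allowlist. The hosts text and adapter records are constructed samples; the adapter field names mirror the Win32_NetworkAdapterConfiguration properties named in the report, and on a live host would come from Get-CimInstance Win32_NetworkAdapterConfiguration. The path C:\Windows\System32\drivers\etc is an assumed default.

```python
import ipaddress
import os
from typing import Dict, List, Set, Tuple

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Both files the sample builds paths for; the Windows resolver reads hosts.ics as well as hosts.
HOSTS_FILES = ("hosts", "hosts.ics")
DEFAULT_ETC_DIR = r"C:\Windows\System32\drivers\etc"  # assumed; GetSystemDirectoryA + \drivers\etc

# Constructed sample of a tampered hosts file (not taken from the sandbox run).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   update.example-vendor.test   # redirected to an attacker-controlled host
198.51.100.23   www.example-bank.test
0.0.0.0         telemetry.example.test       # blackholed name
"""

# Constructed adapter records; keys mirror Win32_NetworkAdapterConfiguration properties.
SAMPLE_ADAPTERS = [
    {"Index": 1, "IPEnabled": True, "DNSServerSearchOrder": ["10.0.0.2"],
     "DefaultIPGateway": ["10.0.0.1"]},
    {"Index": 7, "IPEnabled": True, "DNSServerSearchOrder": ["203.0.113.9", "10.0.0.2"],
     "DefaultIPGateway": ["10.0.0.1"]},
    {"Index": 9, "IPEnabled": False, "DNSServerSearchOrder": None, "DefaultIPGateway": None},
]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments, blank and malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            pairs.append((parts[0], name))
    return pairs


def classify_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, address, name) for every entry that is not a stock local name.
    kind is 'redirect' (routable address), 'blackhole' (loopback/unspecified, which is
    how AV update domains are commonly silenced) or 'malformed' (unparsable address)."""
    findings = []
    for addr_text, name in parse_hosts(text):
        if name.lower() in LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append(("malformed", addr_text, name))
            continue
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((kind, addr_text, name))
    return findings


def audit_dns_config(adapters: List[Dict], allowed_dns: Set[str]) -> List[Dict]:
    """Flag IP-enabled adapters whose DNSServerSearchOrder lists a server outside allowed_dns.
    Disabled adapters are skipped, matching the sample's own IPEnabled=TRUE filter."""
    findings = []
    for adapter in adapters:
        if not adapter.get("IPEnabled"):
            continue
        rogue = [s for s in (adapter.get("DNSServerSearchOrder") or []) if s not in allowed_dns]
        if rogue:
            findings.append({"Index": adapter["Index"], "rogue_dns": rogue,
                             "DefaultIPGateway": adapter.get("DefaultIPGateway")})
    return findings


def audit_etc_dir(etc_dir: str = DEFAULT_ETC_DIR) -> Dict[str, List[Tuple[str, str, str]]]:
    """Classify both hosts files if present; a populated hosts.ics on a host that never
    used Internet Connection Sharing is itself worth a look."""
    results = {}
    for fname in HOSTS_FILES:
        path = os.path.join(etc_dir, fname)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[fname] = classify_hosts(fh.read())
    return results


if __name__ == "__main__":
    for finding in classify_hosts(SAMPLE_HOSTS):
        print("hosts:", *finding)
    for finding in audit_dns_config(SAMPLE_ADAPTERS, {"10.0.0.2"}):
        print("dns:", finding)
```

Run the hosts classification over both files, not just hosts, and treat the allowlist as the set of resolvers your DHCP or policy actually hands out; a single foreign entry at the front of DNSServerSearchOrder is enough to take over resolution for that adapter, which is exactly what the sample's SetDNSServerSearchOrder call does per adapter Index.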
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000598E
                                                                        • wsprintfA.USER32 ref: 100059AE
                                                                        • GetModuleFileNameA.KERNEL32(00000000,100165C8,00000104,10008666), ref: 100059C6
                                                                        • GetModuleFileNameA.KERNEL32(100166CC,00000104), ref: 100059D5
                                                                        • strcpy.MSVCRT(100167D0,100166CC), ref: 100059DE
                                                                        • strrchr.MSVCRT ref: 100059E6
                                                                        • wsprintfA.USER32 ref: 100059FB
                                                                        • wsprintfA.USER32 ref: 10005A08
                                                                        • wsprintfA.USER32 ref: 10005A19
                                                                        • #823.MFC42(00000084), ref: 10005A20
                                                                        • strcpy.MSVCRT(10016AF0,00000044), ref: 10005A50
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: wsprintf$FileModuleNamestrcpy$#823H_prologmemsetstrrchr
                                                                        • String ID: %s\%s$%s\version.txt$12051805$F896SD5DAE$M%s$host123.zz.am:6658
                                                                        • API String ID: 292421652-2736149435
                                                                        • Opcode ID: e5172cdacd31d8d7d1381340ee94b22184651f32abae94e719a96e510908b970
                                                                        • Instruction ID: 400d6614f39ff7cd744ddab951aebd9dcb408de85795f0dded65be8652f6b733
                                                                        • Opcode Fuzzy Hash: e5172cdacd31d8d7d1381340ee94b22184651f32abae94e719a96e510908b970
                                                                        • Instruction Fuzzy Hash: F22102322003687BF210E7958C85F5B7F9CDB856AAF01412AF741AE181CB72E8808A72
                                                                        APIs
                                                                        • strcpy.MSVCRT(?,?), ref: 10004170
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10004184
                                                                        • strrchr.MSVCRT ref: 10004193
                                                                        • strcat.MSVCRT(?,log.txt), ref: 100041B2
                                                                        • CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 100041D0
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100041E6
                                                                        • time.MSVCRT(00000000), ref: 100041ED
                                                                        • localtime.MSVCRT(?), ref: 100041FA
                                                                        • strftime.MSVCRT ref: 1000420C
                                                                        • vsprintf.MSVCRT ref: 1000424F
                                                                        • sprintf.MSVCRT ref: 1000426C
                                                                        • strlen.MSVCRT ref: 10004281
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004290
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10004297
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleModuleNamePointerWritelocaltimesprintfstrcatstrcpystrftimestrlenstrrchrtimevsprintf
                                                                        • String ID: %s%s$log.txt
                                                                        • API String ID: 2918410534-1489102009
                                                                        • Opcode ID: 6a96db00d658787538a7c9d728de0d35d20d0f261e33c19072dcf104bd009eb6
                                                                        • Instruction ID: d7a24dcdaf8e6b49f461e4f1291d64edd5db5d0b5c8b00a4d6a5de73979513ca
                                                                        • Opcode Fuzzy Hash: 6a96db00d658787538a7c9d728de0d35d20d0f261e33c19072dcf104bd009eb6
                                                                        • Instruction Fuzzy Hash: 1E41377690125CBFFB11DBA4CC89EDE7B6CEB08385F1044A6F709E6054DA70AE848B61
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: _mbsicmp$strlen
                                                                        • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                        • API String ID: 2479270535-51310709
                                                                        • Opcode ID: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction ID: 73947956ff5f80da35e905b20d3a22064da75616644d11fbfe3e9aabf24defd8
                                                                        • Opcode Fuzzy Hash: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction Fuzzy Hash: 9611823F619E27687659F966AC149DF17C8CF930F2337002BE750EA488FF25CA864661
                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,cmd.exe), ref: 10004366
                                                                        • GetCurrentProcessId.KERNEL32 ref: 10004373
                                                                          • Part of subcall function 10004318: OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • Sleep.KERNEL32(?), ref: 100043A6
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 100043BB
                                                                          • Part of subcall function 10001000: strlen.MSVCRT ref: 100016BB
                                                                          • Part of subcall function 10001000: #823.MFC42(00000007), ref: 100016EB
                                                                          • Part of subcall function 10001000: memset.MSVCRT ref: 100016F9
                                                                        • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 100043D9
                                                                        • DeleteFileA.KERNEL32(?), ref: 100043DE
                                                                        • Sleep.KERNEL32(000003E8), ref: 100043E5
                                                                        • PathFileExistsA.SHLWAPI(?), ref: 100043EA
                                                                        • GetTickCount.KERNEL32 ref: 1000440B
                                                                        • wsprintfA.USER32 ref: 10004421
                                                                        • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 10004436
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: File$DeleteMoveProcessSleep$#823CountCurrentExistsOpenPathTickmemsetstrlenwsprintf
                                                                        • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                                                        • API String ID: 13915177-3916765701
                                                                        • Opcode ID: 8abbd0928008d068458f6ec8a9b8eb2790f2a58190247dfe79be96e1ab9430c7
                                                                        • Instruction ID: 963a348ca2d5bfb4595b212cae23924ed86a21a29487051e768ee2e180cf1c8b
                                                                        • Opcode Fuzzy Hash: 8abbd0928008d068458f6ec8a9b8eb2790f2a58190247dfe79be96e1ab9430c7
                                                                        • Instruction Fuzzy Hash: CC2162B2500258BBFB11AB60DC89BDE7B6CEB043D1F154061F644A9095DFB59E808A65
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: strcpy$Versionmemsetsprintf
                                                                        • String ID: 2000$2003$2008$Vista$Win %s SP%d
                                                                        • API String ID: 313931894-2264339393
                                                                        • Opcode ID: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction ID: 7d42eae51c3aa3afb7aca7336a245172d168173812804ea46fc3bd7bd3e3ba23
                                                                        • Opcode Fuzzy Hash: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction Fuzzy Hash: F5415031D4032CEEFB24C6649C46FDAB7A8DB013A7F1044A7E20CA5086D776AEC5CA91
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10005DE0
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                          • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                          • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10004096
                                                                        • strcpy.MSVCRT(000000C8,?,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10005E29
                                                                        • strcpy.MSVCRT(?,Find CPU Error), ref: 10005E3C
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 10005E5F
                                                                        • strcpy.MSVCRT(?,12051805,?,%u MB,-00000001), ref: 10005E95
                                                                        • GetSystemDefaultUILanguage.KERNEL32 ref: 10005E9D
                                                                        • strcpy.MSVCRT(?,00000000), ref: 10005EEF
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: strcpy$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
                                                                        • String ID: %u MB$12051805$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 335664808-297510382
                                                                        • Opcode ID: f5c445e53940849268ae1e19965f9d3b92ecee27d3a80da98793b752984bbc1e
                                                                        • Instruction ID: 64a10f69e166a7139f234e211cfa4612f73fd1769519a57ef44d38a5129d0f72
                                                                        • Opcode Fuzzy Hash: f5c445e53940849268ae1e19965f9d3b92ecee27d3a80da98793b752984bbc1e
                                                                        • Instruction Fuzzy Hash: C031F376804218BBFB20CB64CC46FDF77BCEB08341F10446AF654BA085EB71BA448B54
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(urlmon.dll), ref: 10006026
                                                                        • LoadLibraryA.KERNEL32(wininet.dll), ref: 10006030
                                                                        • GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 1000605B
                                                                        • GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 10006068
                                                                        • #823.MFC42(00000050), ref: 1000606E
                                                                        • strcat.MSVCRT(?,10015560), ref: 100060BB
                                                                        • strcat.MSVCRT(?,?,?,10015560), ref: 100060CE
                                                                        • strcat.MSVCRT(?,10015560,?,?,?,10015560), ref: 100060DB
                                                                        • memset.MSVCRT ref: 100060E7
                                                                          • Part of subcall function 10003FC8: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10003FE9
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: strcat$AddressLibraryLoadProc$#823CreateProcessmemset
                                                                        • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
                                                                        • API String ID: 1308283570-2475139894
                                                                        • Opcode ID: 10015ed59732541beb5642d44f753a41e84aebf18f2d39d3c00af53a476127d6
                                                                        • Instruction ID: 5bc36e72ee7a02c1c0e69050cea4439c3b038a47dfce127ca0f0f16504b8aeec
                                                                        • Opcode Fuzzy Hash: 10015ed59732541beb5642d44f753a41e84aebf18f2d39d3c00af53a476127d6
                                                                        • Instruction Fuzzy Hash: C2312CB290065CBAEB11DBA4CC45FDF7F7DEB08341F5444A6E208AB181E7716A458EA0
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007E08
                                                                        • #389.MFC42(00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E2D
                                                                        • #6059.MFC42(00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E4C
                                                                        • #6059.MFC42(00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60), ref: 10007E60
                                                                        • #3229.MFC42(00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000), ref: 10007E70
                                                                        • #5204.MFC42(00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002), ref: 10007E89
                                                                        • #5808.MFC42(00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003), ref: 10007E9D
                                                                        • #825.MFC42(?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EA9
                                                                        • #1988.MFC42 ref: 10007EC3
                                                                        • #690.MFC42 ref: 10007ECF
                                                                        • #5356.MFC42(?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EE1
                                                                        • #825.MFC42(000000C8,?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000), ref: 10007F10
                                                                        • #1988.MFC42 ref: 10007F27
                                                                        • #690.MFC42 ref: 10007F39
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #1988#6059#690#825$#3229#389#5204#5356#5808H_prolog
                                                                        • String ID:
                                                                        • API String ID: 686017586-0
                                                                        • Opcode ID: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction ID: 65d52c856144c7dc343c998bea728568d717a918c34615c3037e65eeb0ab1587
                                                                        • Opcode Fuzzy Hash: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction Fuzzy Hash: AF417C7590121DAFEF14DF94D985DDEBFB9EF49390F10002AF40AA3295CB346A45CBA1
                                                                        APIs
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000004), ref: 10005210
                                                                          • Part of subcall function 100051D3: #823.MFC42(000000FF,00000004), ref: 10005225
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000000,000000FF,00000004), ref: 1000523F
                                                                          • Part of subcall function 100051D3: strrchr.MSVCRT ref: 10005250
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005267
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005271
                                                                          • Part of subcall function 100051D3: GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                          • Part of subcall function 100051D3: GetCurrentProcess.KERNEL32(00000020,?), ref: 10005296
                                                                          • Part of subcall function 100051D3: OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                          • Part of subcall function 100051D3: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 100052AD
                                                                          • Part of subcall function 100051D3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                          • Part of subcall function 100051D3: CloseHandle.KERNEL32(?), ref: 100052E2
                                                                          • Part of subcall function 100051D3: strlen.MSVCRT ref: 100052EE
                                                                          • Part of subcall function 100051D3: sscanf.MSVCRT ref: 1000530A
                                                                        • wsprintfA.USER32 ref: 1000574F
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 100057B1
                                                                        • wsprintfA.USER32 ref: 100057C5
                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 100057D4
                                                                        • PrintFile.PQZ6GU98EH(?,?), ref: 100057E8
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                          • Part of subcall function 10004D36: _EH_prolog.MSVCRT ref: 10004D3B
                                                                          • Part of subcall function 10004D36: memset.MSVCRT ref: 10004D59
                                                                          • Part of subcall function 10004D36: CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?), ref: 10004D63
                                                                          • Part of subcall function 10004D36: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                          • Part of subcall function 10004D36: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?), ref: 10004D8E
                                                                          • Part of subcall function 10004D36: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10004DE2
                                                                          • Part of subcall function 10004D36: wcscat.MSVCRT ref: 10004E18
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10005810
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000), ref: 10005835
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Createstrcat$#823FileProcesswsprintf$CloseHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryH_prologInfoInstanceLookupPrintPrivilegePrivilegesProxySecuritySystemThreadValueWritememsetsscanfstrcpystrrchrwcscat
                                                                        • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                        • API String ID: 3029756400-1421401311
                                                                        • Opcode ID: ad18d1a8a1d4ce6432a8a8d11d10060157b86576ffbf362925edad6276568f5f
                                                                        • Instruction ID: 28587ef57c74646f6200826593ba84f0ee4a51bfb79cbc35cab65446596f3e80
                                                                        • Opcode Fuzzy Hash: ad18d1a8a1d4ce6432a8a8d11d10060157b86576ffbf362925edad6276568f5f
                                                                        • Instruction Fuzzy Hash: 75317772910178BBEB11D7A4CC84FCF7B6CEB08746F1405A6F209FA051DB71AA858B95
                                                                        APIs
                                                                        • GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        • GetFileSize.KERNEL32(?,00000000,?,00000000), ref: 1000BA6A
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1000BA86
                                                                        • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1000BA9A
                                                                        • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1000BAA3
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BAB3
                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 1000BACE
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BADE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerRead$HandleInformationSize
                                                                        • String ID: $@$@
                                                                        • API String ID: 2979504256-3743272326
                                                                        • Opcode ID: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction ID: 300477372e44d699427ff54a679b45810dd7889e5983b4805fee524b870b0fb0
                                                                        • Opcode Fuzzy Hash: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction Fuzzy Hash: 33516AB1A0064DAFEB10DF94CC81AAEBBF9EF44394F108069F641E6164D770AE80CB51
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?), ref: 10008491
                                                                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 100084BC
                                                                        • memset.MSVCRT ref: 100084DE
                                                                        • memset.MSVCRT ref: 100084EC
                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 10008523
                                                                        • StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000853B
                                                                        • RegDeleteValueA.ADVAPI32(?,?), ref: 1000854F
                                                                        • RegCloseKey.ADVAPI32(?), ref: 10008562
                                                                        • Sleep.KERNEL32(000493E0), ref: 1000856D
                                                                        Strings
                                                                        • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10008480
                                                                        • svchsot.exe, xrefs: 10008535
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
                                                                        • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                                        • API String ID: 1121228644-2214221337
                                                                        • Opcode ID: b033cfff7d98bde0bff13e71afadec912eb6ecabbaa77eabc96f46338b5dae00
                                                                        • Instruction ID: 41e6ea02effd465f5a8e3b964bebe7f7f026d5d666a2e96095e75d2e8622051d
                                                                        • Opcode Fuzzy Hash: b033cfff7d98bde0bff13e71afadec912eb6ecabbaa77eabc96f46338b5dae00
                                                                        • Instruction Fuzzy Hash: 0F3106B290015DBEEB11CB94CD85DEFB7BDFB08381F1040A6E645F6114EA70AF848BA0
                                                                        APIs
                                                                        • #823.MFC42(00001218), ref: 10006A8E
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006AA0
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006AB9
                                                                        • memset.MSVCRT ref: 10006AD2
                                                                          • Part of subcall function 10006499: _EH_prolog.MSVCRT ref: 1000649E
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 100064DA
                                                                          • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                          • Part of subcall function 10006499: #823.MFC42(0007D000), ref: 10006503
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10006499: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                          • Part of subcall function 10006499: strlen.MSVCRT ref: 1000656F
                                                                          • Part of subcall function 10006499: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10006499: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • Sleep.KERNEL32(0002BF20), ref: 10006AEE
                                                                        • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006B02
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B0D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B14
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B1D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memset$#823CloseCreateD@2@@std@@D@std@@HandleU?$char_traits@V?$allocator@$?assign@?$basic_string@ByteCharErrorFormatH_prologLastMultiMutexObjectSingleSleepStartupThreadTidy@?$basic_string@TimeV12@WaitWide___crtstrlenwsprintf
                                                                        • String ID: 0x5d65r455f$5762479093
                                                                        • API String ID: 667822095-2446933972
                                                                        • Opcode ID: 7fef6f5394270c5f89689a20f937946811b0a18946ee1a53cbc7a8a1d9bb0782
                                                                        • Instruction ID: 8cdb2823aa61e5ac7bb0c892828062c090cb3bd64512b72bfa76aaf67c22daa6
                                                                        • Opcode Fuzzy Hash: 7fef6f5394270c5f89689a20f937946811b0a18946ee1a53cbc7a8a1d9bb0782
                                                                        • Instruction Fuzzy Hash: 90012871544258BBF310E7B09CCEDBF3A5CDB463E1F140138FA15A508ADB659C1546B3
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 100077B7
                                                                        • strlen.MSVCRT ref: 100077D2
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • strlen.MSVCRT ref: 10007909
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog$#823strlen$BlanketCreateInitializeInstanceProxySecurity
                                                                        • String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
                                                                        • API String ID: 2251539122-2582412207
                                                                        • Opcode ID: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction ID: b5d22a176f2e9897db3186ef54651fb278fb7d6c126efc4cfaa591b9760a4b79
                                                                        • Opcode Fuzzy Hash: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction Fuzzy Hash: CA817D34901219EFEF15CF94C885AEE7B79FF057D0F208409F51AAB199DB34AA44CBA1
                                                                        APIs
                                                                        • Sleep.KERNEL32(00002710), ref: 1000858F
                                                                        • #823.MFC42(00300000,aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=), ref: 100085A4
                                                                        • memset.MSVCRT ref: 100085B1
                                                                        • Sleep.KERNEL32(001B7740), ref: 100085D0
                                                                        • GetTickCount.KERNEL32 ref: 100085EA
                                                                        • wsprintfA.USER32 ref: 100085FD
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10008648
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep$#823CountCreateProcessTickmemsetwsprintf
                                                                        • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
                                                                        • API String ID: 3077700110-1533272838
                                                                        • Opcode ID: 9c7c0fc28da91c3447766d1f79b0ee7ffa5bf468e5b711f49d6b7a35b3051f9e
                                                                        • Instruction ID: b7caa614f7a4c108a39e01f2f415c9d76805585370d17942aa5233dc0422d24d
                                                                        • Opcode Fuzzy Hash: 9c7c0fc28da91c3447766d1f79b0ee7ffa5bf468e5b711f49d6b7a35b3051f9e
                                                                        • Instruction Fuzzy Hash: 1C2181B690025CBAEB11DBE4CC46EDFBB7CEF48390F140465F704B6144DA755A858BA1
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10006DDA
                                                                        • strstr.MSVCRT ref: 10006DF1
                                                                        • #823.MFC42(00000084), ref: 10006E08
                                                                        • strcpy.MSVCRT(10016AF0,00000044), ref: 10006E31
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823H_prologmemsetstrcpystrstr
                                                                        • String ID: %s|NULL|%s|%s$12051805$JXMvam95LmFzcD9zaWQ9JXM=$http://$http://107.160.131.251:18659/
                                                                        • API String ID: 983634193-1290726177
                                                                        • Opcode ID: 243f683b57c2e1fe972a3f83381904fa47b5ea202852c667d08b0b67eb33b8bd
                                                                        • Instruction ID: 8b9bdae4842b9c152c707f293006ae36ec67aa252ce097f8c2e94734218e6b38
                                                                        • Opcode Fuzzy Hash: 243f683b57c2e1fe972a3f83381904fa47b5ea202852c667d08b0b67eb33b8bd
                                                                        • Instruction Fuzzy Hash: 4E2107B6900259AEEB10D7B4CC41BEF77BDFF48240F1045BAF209E7585DB70AA448A25
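The two records above carry the sample's network indicators in a form the report does not decode: the Sleep/CreateProcess routine passes a base64 literal to MFC42 #823 and the strstr/strcpy routine mixes a base64 path template with a plaintext http:// host, while the hosts-list routine further down the page holds its targets as one '|'-delimited string. The script below is an added triage example, not part of the Joe Sandbox report or its plugin; its input is a hand-copied subset of the 'APIs', 'String ID' and 'Strings' lines from those records, so it runs offline. It decodes only tokens that are well-formed base64 and come out as printable ASCII (so that numeric IDs like 12051805, which happen to be in the base64 alphabet, are not reported as encoded strings), converts the hex Sleep arguments to milliseconds, and splits the domain list. The '.ki' suffix on the bank names is kept verbatim because the report does not say what it means.

```python
"""Pull indicators out of Joe Sandbox IDA-plugin function records (added example)."""
import base64
import re
import string

# Constructed from this report's own lines; not an output of Joe Sandbox.
REPORT_LINES = [
    "• Sleep.KERNEL32(00002710), ref: 1000858F",
    "• #823.MFC42(00300000,aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=), ref: 100085A4",
    "• Sleep.KERNEL32(001B7740), ref: 100085D0",
    "• String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\\%d.log",
    "• String ID: %s|NULL|%s|%s$12051805$JXMvam95LmFzcD9zaWQ9JXM=$http://$http://107.160.131.251:18659/",
    "• www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki"
    "|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki"
    "|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C",
]

API_RE = re.compile(r"^• [^\s(]+\.[A-Z0-9_]+\((.*)\), ref: [0-9A-Fa-f]{8}$")
STRING_ID_RE = re.compile(r"String ID: (.*)$")
XREF_STRING_RE = re.compile(r"^• (.*), xrefs: [0-9A-Fa-f]{8}$")
SLEEP_RE = re.compile(r"Sleep\.KERNEL32\(([0-9A-Fa-f]{8})\)")
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")      # needs a host, so bare "http://" fails
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$")      # "www.idk.c" (truncated) fails
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_b64_ascii(token):
    """Return the decoded text if token is well-formed base64 that yields printable
    ASCII, else None. Eight-digit hex/decimal IDs pass the alphabet check but decode
    to high bytes, so the ASCII check rejects them."""
    if len(token) < 8 or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def describe_sleep(ms):
    """Render a Sleep() argument in milliseconds as seconds or minutes."""
    return f"{ms / 60000:g} min" if ms >= 60000 else f"{ms / 1000:g} s"


def extract_iocs(lines):
    """Collect URLs, URL templates, target domains and Sleep durations (ms) from
    report lines, decoding base64 literals found in API arguments or string lists."""
    iocs = {"urls": [], "url_templates": [], "domains": [], "sleeps_ms": []}

    def add(kind, value):
        if value not in iocs[kind]:
            iocs[kind].append(value)

    def classify(token):
        token = token.strip()
        decoded = decode_b64_ascii(token)
        for candidate in ((token, decoded) if decoded else (token,)):
            if "%s" in candidate and ("/" in candidate or "?" in candidate):
                add("url_templates", candidate)       # e.g. "%s/joy.asp?sid=%s"
            elif URL_RE.match(candidate):
                add("urls", candidate)
            elif DOMAIN_RE.match(candidate):
                add("domains", candidate)

    for line in lines:
        for hexval in SLEEP_RE.findall(line):
            add("sleeps_ms", int(hexval, 16))
        m = API_RE.match(line)
        if m:                                   # API call: arguments are comma separated
            tokens = m.group(1).split(",")
        elif STRING_ID_RE.search(line):         # "String ID" field: '$' separated
            tokens = STRING_ID_RE.search(line).group(1).split("$")
        elif XREF_STRING_RE.match(line):        # "Strings" entry: the sample's own '|' list
            tokens = XREF_STRING_RE.match(line).group(1).split("|")
        else:
            continue
        for token in tokens:
            classify(token)
    return iocs


if __name__ == "__main__":
    result = extract_iocs(REPORT_LINES)
    for kind in ("urls", "url_templates", "domains"):
        print(kind, result[kind])
    print("sleeps", [describe_sleep(ms) for ms in result["sleeps_ms"]])
```

The two Sleep arguments decode to 10 s and 30 min, and the second base64 literal is a URL path template rather than a full URL, which is why the hard-coded 107.160.131.251:18659 host from the same record is reported separately; a defender feeding these into blocklists should take the decoded URL, the host and the domain list as three distinct indicator sets.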
                                                                        APIs
                                                                        Strings
                                                                        • %02X%02X%02X%02X%02X%02X, xrefs: 10008DC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Netbiosmemset$sprintfstrcpy
                                                                        • String ID: %02X%02X%02X%02X%02X%02X
                                                                        • API String ID: 3158056522-722279150
                                                                        • Opcode ID: 75eb2348c3b05d480fe50d299f7ee77d4a3ea5ef115d79e4b98d4f595c338f84
                                                                        • Instruction ID: 0c2184180702e586fc1ca5cffc2268ba39a058ecf45d59ffc9b9d4e10b1a28f8
                                                                        • Opcode Fuzzy Hash: 75eb2348c3b05d480fe50d299f7ee77d4a3ea5ef115d79e4b98d4f595c338f84
                                                                        • Instruction Fuzzy Hash: 86315B71C042ECAAEF22D7A58C45FEE7BBCAF05284F0401D6F688B6186D7749746CB61
                                                                        APIs
                                                                        • PathIsDirectoryA.SHLWAPI(?), ref: 1000477F
                                                                        • strlen.MSVCRT ref: 1000478E
                                                                        • strlen.MSVCRT ref: 1000479C
                                                                        • strlen.MSVCRT ref: 100047AA
                                                                        • strrchr.MSVCRT ref: 100047C1
                                                                        • strcpy.MSVCRT(00000000,?,00000000,00000001,?,?,123), ref: 100047FF
                                                                        • strrchr.MSVCRT ref: 1000480D
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC93
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC9A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strlen$#825strrchr$DirectoryPathstrcpy
                                                                        • String ID: 123
                                                                        • API String ID: 3295485176-2286445522
                                                                        • Opcode ID: 9a2c712c00234a5387822c86c12811c9ff99d1725d08523d8c864846657c358e
                                                                        • Instruction ID: a8b34575d82df1a2a640fea0855918061287e9e4bc387d8eb88593b54901316a
                                                                        • Opcode Fuzzy Hash: 9a2c712c00234a5387822c86c12811c9ff99d1725d08523d8c864846657c358e
                                                                        • Instruction Fuzzy Hash: 272181F64043996BFB20DB70CC85F9F3B9CDF413D0F114866FA449608ADE74A98487A5
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 100044C4
                                                                        • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 100044D3
                                                                        • malloc.MSVCRT ref: 100044F7
                                                                        • htons.WS2_32(00000000), ref: 10004529
                                                                        • free.MSVCRT ref: 1000454C
                                                                        • FreeLibrary.KERNEL32(?), ref: 10004556
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProcfreehtonsmalloc
                                                                        • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                                        • API String ID: 3287369011-1809394930
                                                                        • Opcode ID: 7397b5f760d4094d2372b8837abed1e52d2feef046bf54149c711ffe110fcd5c
                                                                        • Instruction ID: b3820e473f6cbb65c967c2771bb036efaa047e66d01719392f57f806c4aad594
                                                                        • Opcode Fuzzy Hash: 7397b5f760d4094d2372b8837abed1e52d2feef046bf54149c711ffe110fcd5c
                                                                        • Instruction Fuzzy Hash: 6C21F6B1800559FFFB10DBA8CC88DAE7BBCFB443D2B210915F451E2195EB309E80CA64
                                                                        APIs
                                                                        • strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                        • strchr.MSVCRT ref: 10005367
                                                                        • strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                        • strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                        • strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                        • strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                        • strchr.MSVCRT ref: 100053AB
                                                                        Strings
                                                                        • , xrefs: 10005382
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcat$strchr$strcpy
                                                                        • String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 1601127630-230412946
                                                                        • Opcode ID: 1d90cbdcf37be64873000595b9d8ca5cfa45eeb3ecb3ca10e8950bbbe4a57853
                                                                        • Instruction ID: a6a5a67d86e8b927bc33642b6afb12583160e86d38cb06b733c3e3ee002f1740
                                                                        • Opcode Fuzzy Hash: 1d90cbdcf37be64873000595b9d8ca5cfa45eeb3ecb3ca10e8950bbbe4a57853
                                                                        • Instruction Fuzzy Hash: 1301923690025D7AEB22D728CC41FCE7F58EF483C1F144475F6486A096D7B1BE845A90
                                                                        APIs
                                                                        Strings
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 1000717C
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823Sleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: http://107.160.131.252:23588/article.php
                                                                        • API String ID: 1027432993-2036118572
                                                                        • Opcode ID: 1aec09a4e13976e852865b95fd8d92a853e28749acacd00b353c995128e555c0
                                                                        • Instruction ID: 5486f43503b26e233c42defc0be38958001ce26b0c4cd5fd0b99a09dc76495a5
                                                                        • Opcode Fuzzy Hash: 1aec09a4e13976e852865b95fd8d92a853e28749acacd00b353c995128e555c0
                                                                        • Instruction Fuzzy Hash: E3213E7AD0465576F724D328CC56FDF7BACEF053C4F2000A6F608A50C6EB799A818A61
                                                                        APIs
                                                                          • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                          • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                                        • wsprintfA.USER32 ref: 10006D99
                                                                        • strlen.MSVCRT ref: 10006DA6
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006DBF
                                                                          • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                          • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10004096
                                                                        Strings
                                                                        • %s "%s",InvCMAP, xrefs: 10006D93
                                                                        • cmap, xrefs: 10006DB7
                                                                        • REG_SZ, xrefs: 10006D55
                                                                        • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D5B
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateFormatNamePathShortTimeValue___crtstrlenwsprintf
                                                                        • String ID: %s "%s",InvCMAP$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$cmap
                                                                        • API String ID: 3689556866-1482889639
                                                                        • Opcode ID: 393e70f6274e3d20f930f6ba6a3e61475364b52998ee578191dd1c75811da724
                                                                        • Instruction ID: 7dc0f1b3fd9e1d9418d14e8918f8b50030fd009d3d489128e72a392b119d986e
                                                                        • Opcode Fuzzy Hash: 393e70f6274e3d20f930f6ba6a3e61475364b52998ee578191dd1c75811da724
                                                                        • Instruction Fuzzy Hash: 6311C4B694421CBEFB11D3A4DC86FEA776CDB14344F1404B1F704B6085DAB16FC88AA4
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007A78
                                                                        • VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 1000504D: _EH_prolog.MSVCRT ref: 10005052
                                                                          • Part of subcall function 1000504D: #823.MFC42(0000000C,00000000,?,10004E4F,WQL,?), ref: 1000505D
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007D3F: _EH_prolog.MSVCRT ref: 10007D44
                                                                          • Part of subcall function 10007D3F: SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                          • Part of subcall function 10007D3F: SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                          • Part of subcall function 10007D3F: SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 10007D3F: InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                          • Part of subcall function 10007BA9: InterlockedIncrement.KERNEL32(-00000008), ref: 10007BBB
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked$ArrayH_prologIncrementSafeVariant$ClearData$#823#825AccessDecrementInitUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 4001368842-3916222277
                                                                        • Opcode ID: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction ID: 16e68ad5d50085e4c10e12c9d7be0e27fc14601c0442ffb24b2420ebed866ce4
                                                                        • Opcode Fuzzy Hash: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction Fuzzy Hash: 71418275D0015A9BEF14DFA4C884AEEB7F8FF48285F10446DE91AA3245D738BE48CB61
                                                                        APIs
                                                                        • #823.MFC42(00000001), ref: 10005655
                                                                        • VirtualQueryEx.KERNEL32(?,?,0000001C), ref: 1000567A
                                                                        • #825.MFC42(00000000), ref: 100056A9
                                                                        • #823.MFC42(?,00000000), ref: 100056B5
                                                                        • ReadProcessMemory.KERNEL32(?,00000000,?,00000000), ref: 100056CD
                                                                        • #825.MFC42(00000000), ref: 100056F4
                                                                        • CloseHandle.KERNEL32 ref: 10005700
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823#825$CloseHandleMemoryProcessQueryReadVirtual
                                                                        • String ID:
                                                                        • API String ID: 2613863258-0
                                                                        • Opcode ID: 0f9680c4f3fef52aed6cdbdb973800681c1211301e0a2ae4b758067bd0b481e1
                                                                        • Instruction ID: 4db0274d55e25b68ee7d3e13ac28b9df299f601e2e192f3360f90a931f98b51e
                                                                        • Opcode Fuzzy Hash: 0f9680c4f3fef52aed6cdbdb973800681c1211301e0a2ae4b758067bd0b481e1
                                                                        • Instruction Fuzzy Hash: 6B318431A00219ABFB00CB54CD89FAE7BB8EB483D5F554029F904AB254D777AD41CB61
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100045A0
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 100045B5
                                                                        • #823.MFC42(00000000), ref: 100045BC
                                                                        • memset.MSVCRT ref: 100045DB
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 100045F3
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10004610
                                                                        • CloseHandle.KERNEL32(?), ref: 10004622
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$#823CloseCreateHandleReadSizememcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3874965551-0
                                                                        • Opcode ID: 7a149f2bd9bb8e42033a10b9f991dccdaa8256abe57a07cc96fa15bb1d1c7981
                                                                        • Instruction ID: b8e15c26b79344f892a994df82a26dd1cf42bd8fa36d8d7a2bc0f72dde553fdd
                                                                        • Opcode Fuzzy Hash: 7a149f2bd9bb8e42033a10b9f991dccdaa8256abe57a07cc96fa15bb1d1c7981
                                                                        • Instruction Fuzzy Hash: C7218EB1900249BFEB11CFA4CC85ECA3BADEB08391F104461FA49E7154D671AE848B64
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006B48
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006B66
                                                                        • CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B7C
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B87
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B8E
                                                                        • Sleep.KERNEL32(00002710), ref: 10006B99
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006BA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3243752880-0
                                                                        • Opcode ID: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction ID: 4de3013a68fbd2a0a9bee951070d024d9b213cabf77efd8d8e5562ee79781ab3
                                                                        • Opcode Fuzzy Hash: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction Fuzzy Hash: D4F0FF71805170BBF6116BB08CCDCAF3E2CEF8A3E0B100120FA09E2089CB604C4186B2
                                                                        APIs
                                                                        • strlen.MSVCRT ref: 100058B5
                                                                        • GlobalAlloc.KERNEL32(00000040,00000001), ref: 100058C7
                                                                        • memset.MSVCRT ref: 100058D3
                                                                        • strcpy.MSVCRT(00000000,?,00000000,00000000,00000001), ref: 100058DA
                                                                        • memset.MSVCRT ref: 100058FC
                                                                        • strcpy.MSVCRT(?,00000000,?,00000000,00000001), ref: 10005908
                                                                        • GlobalFree.KERNEL32(00000000), ref: 10005911
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Globalmemsetstrcpy$AllocFreestrlen
                                                                        • String ID:
                                                                        • API String ID: 1071719858-0
                                                                        • Opcode ID: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction ID: 78a2fa517b2917b970834adb5cd9272944c22913aa7c801b0364ce0a5f020401
                                                                        • Opcode Fuzzy Hash: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction Fuzzy Hash: 2201D4B6901269BBF72097148C4AF8B7AACDF417D5F200465F802B2147D665EE4082B8
                                                                        Strings
                                                                        • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteExecFileSleepwsprintf
                                                                        • String ID: Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                                        • API String ID: 3112201625-3621208895
                                                                        • Opcode ID: 48778a85303ae446d5a66b1286e7842b85f34bd2375e78a60d62b6eb7f6f5f20
                                                                        • Instruction ID: 08be347dabe4e69125defaea18d67bebded8d0a374800736b22a7d520ac7fbac
                                                                        • Opcode Fuzzy Hash: 48778a85303ae446d5a66b1286e7842b85f34bd2375e78a60d62b6eb7f6f5f20
                                                                        • Instruction Fuzzy Hash: 85F08272500199EBEB118BA4CC897DA7769FF04385F040875F301F5094DBB09ED48B55
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000001,00000000,?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?), ref: 1000BBDE
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,1000CABA,?,?,?,76789DE0), ref: 1000BC18
                                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 1000BC72
                                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?,?,00000003), ref: 1000BC8F
                                                                        • CloseHandle.KERNEL32(?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?), ref: 1000BC9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Create$CloseHandleMappingPointerView
                                                                        • String ID:
                                                                        • API String ID: 1737989552-0
                                                                        • Opcode ID: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction ID: 52b7da836c05925aaa6f9b96ed88e0255cb2f85f02a575bc541db1582194b3b7
                                                                        • Opcode Fuzzy Hash: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction Fuzzy Hash: 37317EB0604B86EBF330CF1488C4E0BBAE9EB043D8F108A3EF59596549DB70ED849751
                                                                        APIs
                                                                        • #825.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD20
                                                                        • #823.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD32
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD45
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD91
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?), ref: 1000BDB0
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$#823#825FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3892973715-0
                                                                        • Opcode ID: 9483cfc177f2eea3f362af61a9b441a9c3cf23005946e804f02d0662f11cc69a
                                                                        • Instruction ID: eade77e95de1ab09ce47e5abe9d45642cf2deb7cfcad3d271b4ca3a4ff9751d3
                                                                        • Opcode Fuzzy Hash: 9483cfc177f2eea3f362af61a9b441a9c3cf23005946e804f02d0662f11cc69a
                                                                        • Instruction Fuzzy Hash: 0921BF79605B44AFE760CF54C995E57BBF8FF84780B50092FE48687A19EA30F844CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007D44
                                                                        • SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ArrayH_prologSafe$#823DataInterlocked$#825AccessDecrementIncrementUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 1452789435-0
                                                                        • Opcode ID: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction ID: ea9047e10af159b7580fc06cd53243e613a27a56fa66aaec08421a04c4a394ba
                                                                        • Opcode Fuzzy Hash: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction Fuzzy Hash: 11214875D0015A9BDB00DF98C9858BEFBB8FF44381F50402EE919A3285D738AE45CBA2
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100067C6
                                                                        • memset.MSVCRT ref: 100067ED
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 10006805
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10006820
                                                                        • CloseHandle.KERNEL32(?), ref: 10006832
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleReadmemcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3052882905-0
                                                                        • Opcode ID: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction ID: 5372e76102180c80e4120fc22f7e4cb3026b0456e1d7771b076241391e3a1f27
                                                                        • Opcode Fuzzy Hash: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction Fuzzy Hash: 2F115E7290015DBFEB11CF58CC81FCA77ADEB08395F208461FB59E6144D671AF948B64
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strlen$malloctolowertoupper
                                                                        • String ID:
                                                                        • API String ID: 1610385915-0
                                                                        • Opcode ID: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction ID: c0d6b828c61c7d5c2e34b190325b5f457e34af4db0ec980d6b37c81afeaef70f
                                                                        • Opcode Fuzzy Hash: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction Fuzzy Hash: CA019675840558EAFB12DB58DC45FFD7BBAEB092C0F600091E885D621AC735AF029795
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 1000D146
                                                                        • #823.MFC42(00000002,?,?,?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D150
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,?,?,00000000,10005199,?,75C03D70,10004FB4), ref: 1000D172
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D182
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D188
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$#823ByteCharMultiWidewcslen
                                                                        • String ID:
                                                                        • API String ID: 902154227-0
                                                                        • Opcode ID: 8fcfbf944bd75e8ca63ebcbc40b67b334ae05222430b33155ef7a1d018156ff2
                                                                        • Instruction ID: 6bb69d995878b1488902086bddc70bddf1cd9bd550ac255682a075b1bb48b8d2
                                                                        • Opcode Fuzzy Hash: 8fcfbf944bd75e8ca63ebcbc40b67b334ae05222430b33155ef7a1d018156ff2
                                                                        • Instruction Fuzzy Hash: E8F0F67624415A7DF220F7754C84EAFBB9CDB813F8722463BF554E6049DD15EC0081B1
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,?,1000510C,10005078), ref: 1000D0D0
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,1000510C,10005078), ref: 1000D0F7
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D107
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D10D
                                                                        • SysAllocString.OLEAUT32 ref: 1000D124
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
                                                                        • String ID:
                                                                        • API String ID: 4196186757-0
                                                                        • Opcode ID: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction ID: 2c08bb26518ab0f280075e55d60ce098becb15f14d51ddb0b8ccd9ff930e194d
                                                                        • Opcode Fuzzy Hash: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction Fuzzy Hash: C301F93250011AB6F720AB30CC45B9E3FA8EF013E1F104032F914D6098EB74A96186B5
                                                                        APIs
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                                                        Strings
                                                                        • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: FormatInternetOpenTime___crt
                                                                        • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                                                        • API String ID: 483802873-1756078650
                                                                        • Opcode ID: 285ead89953b67e2f9ef198d0df487b3dccbd9a20955d6e9e0ce310b6f5314bf
                                                                        • Instruction ID: ab7613da0529a9e7ad045271e1496bf6998c2837bea1459af3b68005a9a4b910
                                                                        • Opcode Fuzzy Hash: 285ead89953b67e2f9ef198d0df487b3dccbd9a20955d6e9e0ce310b6f5314bf
                                                                        • Instruction Fuzzy Hash: 3D21C275D0014DBAEF21DB65DC89D9F7BBEDB852D0F20807AF608A6045EA31AA818660
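The string listed beside the InternetOpenA subcall above is base64 (it decodes to an old zh-CN Firefox 3.6 User-Agent), a common way for a loader to hide its HTTP fingerprint from plain string scans. The Python below is an added triage helper, not code from the Joe Sandbox report or from the sample: it decodes base64-looking report strings and flags those that read as a browser User-Agent. The input list is constructed from strings on this page (the base64 blob plus a few plain strings as negatives). That the decoded value is the lpszAgent argument to InternetOpenA is an inference from proximity, not something the report states.

```python
import base64
import binascii
import re
import string
from typing import Dict, List, Optional

# Constructed sample input: strings copied from this report's "Strings" and
# "String ID" fields. Only the first one is base64.
REPORT_STRINGS: List[str] = [
    "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1",
    "%s\\lang.ini",
    "http://",
    "search",
    "cmd.exe",
]

# Require a reasonable minimum length so short tokens like "search" are not
# mistaken for base64; allow up to two '=' of padding.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def try_decode_base64(s: str) -> Optional[str]:
    """Decode s if it is well-formed base64 whose payload is printable ASCII, else None."""
    if not _B64_RE.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)   # strict alphabet, no silent skipping
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in _PRINTABLE for ch in text):
        return None
    return text


def decode_report_strings(strings: List[str]) -> Dict[str, str]:
    """Map every decodable report string to its plaintext; non-base64 strings are skipped."""
    out: Dict[str, str] = {}
    for s in strings:
        decoded = try_decode_base64(s)
        if decoded is not None:
            out[s] = decoded
    return out


def looks_like_user_agent(text: str) -> bool:
    """Cheap heuristic: browser UA strings start with 'Mozilla/' and carry a parenthesised platform token."""
    return text.startswith("Mozilla/") and "(" in text and ")" in text


if __name__ == "__main__":
    for enc, dec in decode_report_strings(REPORT_STRINGS).items():
        tag = " [user-agent]" if looks_like_user_agent(dec) else ""
        print(f"{enc[:24]}... -> {dec}{tag}")
```

The decoded UA string is worth recording as a network indicator: a hard-coded, years-old Firefox 3.6.15 zh-CN User-Agent on an otherwise modern host is easy to match in proxy logs.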
                                                                        APIs
                                                                          • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167D0), ref: 10003F76
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                        • String ID: %s\lang.ini$http://$search
                                                                        • API String ID: 1721638100-482061809
                                                                        • Opcode ID: 4f55ebd7538e01380f92eaf68533f816d87fc1a3a0b2a3390822ea77045be476
                                                                        • Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
                                                                        • Opcode Fuzzy Hash: 4f55ebd7538e01380f92eaf68533f816d87fc1a3a0b2a3390822ea77045be476
                                                                        • Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,cmd.exe,10004399,?), ref: 10004338
                                                                        • CloseHandle.KERNEL32(00000000,?,cmd.exe,10004399,?), ref: 10004346
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseHandleOpenTerminate
                                                                        • String ID: cmd.exe
                                                                        • API String ID: 2026632969-723907552
                                                                        • Opcode ID: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction ID: f86e1008737f822a82b35af81a2ba7d261664a8727063637e60ae571ff64eda0
                                                                        • Opcode Fuzzy Hash: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction Fuzzy Hash: 91E08C327041B0BBE2715B376C4CE8B2EA8EFC97E27020524F525E2148DA604982C0B5
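The first OpenProcess argument above, 001F0FFF, is PROCESS_ALL_ACCESS as winnt.h defined it for SDK targets below Vista (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF; Vista+ SDKs use 0x1FFFFF), and the handle is then passed to TerminateProcess and closed: a process-kill routine, with the cmd.exe string in the String ID as the likely target. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that parses the report's own "Name.MODULE(args), ref: addr" API lines, expands the desired-access mask into named rights and detects the OpenProcess/TerminateProcess pairing; its input lines are copied from this entry. It assumes (about the report layout, not something the page states) that values listed past an API's documented parameter count are stack contents captured at the call site, which is why cmd.exe and return addresses show up in the argument lists.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: the three API lines of this function entry,
# in the report's own layout.
API_LINES = [
    "OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326",
    "TerminateProcess.KERNEL32(00000000,00000000,?,cmd.exe,10004399,?), ref: 10004338",
    "CloseHandle.KERNEL32(00000000,?,cmd.exe,10004399,?), ref: 10004346",
]

# Matches both "Api.MODULE(a,b,c), ref: 10004326" and the paren-less
# "wcslen.MSVCRT ref: 1000D146" form used elsewhere in the report.
_LINE_RE = re.compile(
    r"^(?P<api>[\w#@:]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: List[str]   # raw tokens: hex without 0x, "?" when unknown, or a string
    ref: int          # call-site address


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one 'APIs' bullet from the report; None for lines that are not API calls."""
    m = _LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args") or ""
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def hex_arg(tok: str) -> Optional[int]:
    """Turn a report argument token into an int; None for '?' or string arguments."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


# Process access rights as defined in winnt.h.
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000004: "PROCESS_SET_SESSIONID",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000100: "PROCESS_SET_QUOTA",
    0x00000200: "PROCESS_SET_INFORMATION",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00000800: "PROCESS_SUSPEND_RESUME",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# winnt.h defines PROCESS_ALL_ACCESS differently depending on the SDK target.
PROCESS_ALL_ACCESS_LEGACY = 0x001F0FFF   # _WIN32_WINNT < 0x0600: ... | 0xFFF
PROCESS_ALL_ACCESS_VISTA = 0x001FFFFF    # Vista and later:        ... | 0xFFFF


def decode_process_access(mask: int) -> List[str]:
    """Expand a dwDesiredAccess mask into winnt.h right names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)   # bits are disjoint, so sum == OR
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def classify_access(mask: int) -> str:
    """Name the two PROCESS_ALL_ACCESS spellings; anything else is a custom mask."""
    if mask == PROCESS_ALL_ACCESS_LEGACY:
        return "PROCESS_ALL_ACCESS (pre-Vista SDK value)"
    if mask == PROCESS_ALL_ACCESS_VISTA:
        return "PROCESS_ALL_ACCESS (Vista+ SDK value)"
    return "custom mask"


def find_open_then_terminate(calls: List[ApiCall]) -> Optional[int]:
    """Return the OpenProcess mask when a later TerminateProcess follows it and PROCESS_TERMINATE is set."""
    access = None
    for c in calls:
        if c.api == "OpenProcess" and c.args:
            access = hex_arg(c.args[0])
        elif c.api == "TerminateProcess" and access is not None and access & 0x1:
            return access
    return None


if __name__ == "__main__":
    calls = [p for p in map(parse_api_line, API_LINES) if p]
    mask = find_open_then_terminate(calls)
    if mask is not None:
        print(f"kill sequence, access 0x{mask:08X}: {classify_access(mask)}")
        print(", ".join(decode_process_access(mask)))
```

Seeing the pre-Vista PROCESS_ALL_ACCESS value is a small build-environment tell (an old SDK or an explicit low _WIN32_WINNT), and an OpenProcess with this mask followed by TerminateProcess is a reasonable hunting pattern for AV- or shell-killing routines regardless of the target name.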
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,1000473F,?,00000000,1000C494,?,?,?,?), ref: 1000BF78
                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 1000BFA8
                                                                        • GetLocalTime.KERNEL32(?), ref: 1000BFD6
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 1000BFE4
                                                                          • Part of subcall function 1000B9EF: GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                        • String ID:
                                                                        • API String ID: 3986731826-0
                                                                        • Opcode ID: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction ID: a661c7283e1e9e859b50db88ed376cc691573cb3dc5a3d1bc11cebbdbb99f212
                                                                        • Opcode Fuzzy Hash: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction Fuzzy Hash: 2E310AB5900B49EFE721CF69C88099BBBF9FF08394B10492EE596D2660D774E944CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000CA79
                                                                        • #823.MFC42(00004086,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CA85
                                                                        • #825.MFC42(00000000,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CACF
                                                                          • Part of subcall function 1000CAF7: strlen.MSVCRT ref: 1000CB33
                                                                          • Part of subcall function 1000CAF7: #823.MFC42(00000001,?,00000001,76789DE0,1000CAA0,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?), ref: 1000CB3A
                                                                          • Part of subcall function 1000CAF7: strcpy.MSVCRT(00000000,?,00000001,?,00000001,76789DE0,1000CAA0,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6), ref: 1000CB43
                                                                        • #823.MFC42(00000008,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CADB
                                                                        Memory Dump Source
                                                                        • Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$#825H_prologstrcpystrlen
                                                                        • String ID:
                                                                        • API String ID: 958000321-0
                                                                        • Opcode ID: d68c586b0ef76905bb92551b34fee602402322c66fcd8ba141cf85a2aa6e9245
                                                                        • Instruction ID: 4daa850a962544825f29420b50c2e7fca5cf2665263421bc6ff588bbe2bec9b2
                                                                        • Opcode Fuzzy Hash: d68c586b0ef76905bb92551b34fee602402322c66fcd8ba141cf85a2aa6e9245
                                                                        • Instruction Fuzzy Hash: BE01D43160031CAFFB15DF64C906F5E3AA0EF443E4F01412DF40AA71D4CB709800D692
APIs
  • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167D0), ref: 10003F76
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
Strings
Memory Dump Source
• Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
• String ID: %s\lang.ini$http://
• API String ID: 1721638100-679094439
• Opcode ID: c856a97939651e49d90e4edb29315b17c6344d594ceeb1ef05cfab926841b6fd
• Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
• Opcode Fuzzy Hash: c856a97939651e49d90e4edb29315b17c6344d594ceeb1ef05cfab926841b6fd
• Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660
APIs
  • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
• ___crtGetTimeFormatEx.LIBCMT ref: 1000616C
  • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
• memset.MSVCRT ref: 10006187
  • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
  • Part of subcall function 10003F58: InternetCloseHandle.WININET(00000000), ref: 10003F5C
Strings
Memory Dump Source
• Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Internet$Open$CloseFileFormatHandleReadTime___crtmemset
• String ID: http
• API String ID: 1631465489-2541227442
• Opcode ID: 7876b14777ea6601040d5705dedfb783ef26cb49a54b5a0319494ff4d4d3ca0e
• Instruction ID: e803b75fad12bc2b196d73d519180cebb6b4d95abcf79e6c0b0238ba5ed24b07
• Opcode Fuzzy Hash: 7876b14777ea6601040d5705dedfb783ef26cb49a54b5a0319494ff4d4d3ca0e
• Instruction Fuzzy Hash: 2A01B1B690029D7EFB23D6A8DCC2EFF72ADCB0C2D4F0000B5F708A6145DAA56E8145B5
APIs
• Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
  • Part of subcall function 10004015: CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 1000402D
• strlen.MSVCRT ref: 10005FEF
Strings
Memory Dump Source
• Source File: 00000009.00000002.2983421158.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.2983399780.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983449156.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983478368.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983537690.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983593244.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983631449.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983659799.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983683958.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983706984.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983733863.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983771563.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.2983799915.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
• String ID: %s\lang.ini
• API String ID: 3442345488-1858510373
• Opcode ID: 37c25204e2ce4c684cc2f7e4c8449ce8e590c90d8ebf649cc1631dd5d50def24
• Instruction ID: fdba07edcaf4c5d9f8880ce60f62221f71be709bcd2a0296a9a45e1c288e65da
• Opcode Fuzzy Hash: 37c25204e2ce4c684cc2f7e4c8449ce8e590c90d8ebf649cc1631dd5d50def24
• Instruction Fuzzy Hash: A5F0F6768011187AE621D6659C0BFEF3E6CDF857E0F104121FA48E90C5EB75AAC196E1

Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 35
Total number of Limit Nodes: 3

execution_graph (text rendering of the graph image: node id, address and API calls per node, followed by the edges)
• 5913 100019a0
• 5914 100019a5 LoadLibraryA
• 5917 10001ae2
• 5918 10001ae7
• 5921 10001000 strlen
• 5920 10001af1 GetProcAddress
• 5922 100016d9 #823 memset
• 5925 10001713 #823 lstrcpyA #825
• 5926 10002523
• 5927 10002528
• 5928 10001000 6 API calls
• 5929 10002532 GetProcAddress
• 5938 10001ca9
• 5939 10001cae
• 5940 10001000 6 API calls
• 5941 10001cb8 GetProcAddress
• 5952 10001812
• 5953 10001817
• 5954 10001000 6 API calls
• 5955 10001821
• 5964 1000cfbc
• 5966 1000cfd8
• 5967 1000cfcf
• 5971 1000d000
• 5972 1000cf11
• 5968 1000d020
• 5970 1000cf11 3 API calls
• 5969 1000cf11 3 API calls
• 5973 1000cf19
• 5974 1000cf3a malloc
• 5976 1000cf4f
• 5977 1000cf79
• 5975 1000cf53 _initterm
• 5978 1000cfa6 free
• 5979 1000443d CreateFileA strlen WriteFile CloseHandle
Edges: 5913->5914, 5917->5918, 5918->5921, 5921->5922, 5922->5925, 5925->5920, 5926->5927, 5927->5928, 5928->5929, 5938->5939, 5939->5940, 5940->5941, 5952->5953, 5953->5954, 5954->5955, 5964->5966, 5964->5967, 5966->5967, 5966->5971, 5966->5972, 5967->5968, 5967->5970, 5967->5971, 5968->5969, 5968->5971, 5969->5971, 5970->5968, 5972->5973, 5973->5974, 5973->5976, 5973->5977, 5974->5975, 5974->5976, 5975->5976, 5976->5967, 5977->5976, 5977->5978, 5978->5976

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
Similarity
• API ID: #823$#825lstrcpymemsetstrlen
• String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1$2$3$4$5$6$7$8$9$:$;$<$=$>$?
• API String ID: 3251808775-1038084669
• Opcode ID: b11ca45e2396e9c86b8ddb6aba5292ea4cd214887a5bfd65de22252d69a1cce1
• Instruction ID: 1e2c39c5481c49465f245eab400177fe17c9ce5cbd2174da6fe3dd4c7a143f85
• Opcode Fuzzy Hash: b11ca45e2396e9c86b8ddb6aba5292ea4cd214887a5bfd65de22252d69a1cce1
• Instruction Fuzzy Hash: 44323BB0D252798BEB65CF49C9987DDBBB8FB09B44F1081DBE158A6241C7B50B85CF80

Control-flow Graph

control_flow_graph (text rendering of the graph image: basic-block id, address range and API calls per block, followed by the edges)
• 29 1000cf11-1000cf17
• 30 1000cf27-1000cf38
• 31 1000cf19-1000cf1f
• 32 1000cf79-1000cf7b
• 33 1000cf3a-1000cf4d malloc
• 34 1000cf21
• 35 1000cf4f-1000cf51
• 36 1000cf53-1000cf77 _initterm
• 37 1000cfb9
• 38 1000cfb6-1000cfb8
• 39 1000cf7d-1000cf84
• 40 1000cf86-1000cf8d
• 41 1000cf90-1000cf92
• 42 1000cf94-1000cf98
• 43 1000cfa6-1000cfb5 free
• 44 1000cfa1-1000cfa4
• 45 1000cf9a-1000cf9c
Edges: 29->30, 29->31, 30->32, 30->33, 31->34, 31->35, 32->38, 32->39, 33->35, 33->36, 34->30, 35->37, 36->38, 38->37, 39->38, 39->40, 40->41, 41->42, 41->43, 42->44, 42->45, 43->38, 44->41, 45->44
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
Similarity
• API ID: _inittermfreemalloc
• String ID: k{v
• API String ID: 1678931842-443568515
• Opcode ID: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
• Instruction ID: 0e2fbd444cc1af3c64615f742c80b3cddb005ce76f3f19b4b4b8d30d748738d8
• Opcode Fuzzy Hash: e22a484bf679a76c19f1a629799cb8ec736153d85daa04d90a1ee1a8e2bcb78f
• Instruction Fuzzy Hash: 8E11EC716043279BF714CBA4DE84B6677F6F7083D1B11807EE909D7168EB31E8418B56

Control-flow Graph

control_flow_graph (text rendering of the graph image: a single basic block)
• 47 1000443d-10004481 CreateFileA strlen WriteFile CloseHandle
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
• strlen.MSVCRT ref: 10004467
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
• CloseHandle.KERNEL32(00000000), ref: 10004479
Memory Dump Source
• Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
Similarity
• API ID: File$CloseCreateHandleWritestrlen
• String ID:
• API String ID: 1350020999-0
• Opcode ID: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
• Instruction ID: 674abdbc6602e5f6a43210abfac0cc78235cd9a48f578be9d5b3dbb9807df2d8
• Opcode Fuzzy Hash: 8f9b36861bd51ec2b2c2dd01103e89400b661b260cc24c09508f4dab87319e4f
• Instruction Fuzzy Hash: EFE048351402087BF7111B50DC4EFAA3B2CE784B50F208011F744A80D0DBB17D455654

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 68 10002983-1000298d call 10001000 71 10002992-100029a5 GetProcAddress 68->71
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000299A
                                                                        Strings
                                                                        • R2V0TW9kdWxlRmlsZU5hbWVB, xrefs: 10002988
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0TW9kdWxlRmlsZU5hbWVB
                                                                        • API String ID: 190572456-4201997209
                                                                        • Opcode ID: 1557f5d79256d7c8ac66964af858d2a5d3a9d876618c51bceefced0cd8189c30
                                                                        • Instruction ID: b1a1b435f00da94364d5068d1a7261ba1d721826fe38f5c424aadfdcf37e0a94
                                                                        • Opcode Fuzzy Hash: 1557f5d79256d7c8ac66964af858d2a5d3a9d876618c51bceefced0cd8189c30
                                                                        • Instruction Fuzzy Hash: CBC09BB4411555DEF711DB30DD45A543675F7183C3B504215F450D413DDFB06981D610

                                                                        Control-flow Graph
                                                                        • 10001ae2-10001aec call 10001000 -> 10001af1-10001b04 GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10001AF9
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: U2V0RXJyb3JNb2Rl (base64 of SetErrorMode)
                                                                        • API String ID: 190572456-495186574
                                                                        • Opcode ID: b81d5d325cadc815cdd1632931e62b9bb143e88e1171eecaeda0c1d789539086
                                                                        • Instruction ID: b3207cb24b35482d93af76edd0b439524cf254a3b1688944550d3917fc20d73e
                                                                        • Opcode Fuzzy Hash: b81d5d325cadc815cdd1632931e62b9bb143e88e1171eecaeda0c1d789539086
                                                                        • Instruction Fuzzy Hash: D8C04C74421550EAF711DB60DC496693A66F749281F104115F4419412CEB705881D615

                                                                        Control-flow Graph
                                                                        • 10001ca9-10001cb3 call 10001000 -> 10001cb8-10001ccb GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10001CC0
                                                                        Strings
                                                                        • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (base64 of GetPrivateProfileStringA), xrefs: 10001CAE
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB
                                                                        • API String ID: 190572456-1897290307
                                                                        • Opcode ID: aac3f6f07ca681beb31007582e3c0fefaca278ca4a11224ae424bf2c9ba99a53
                                                                        • Instruction ID: 679180479ed6cfc3c3ab9d5752cbc6c40d3ed07f1b9e890cc62039329d529da3
                                                                        • Opcode Fuzzy Hash: aac3f6f07ca681beb31007582e3c0fefaca278ca4a11224ae424bf2c9ba99a53
                                                                        • Instruction Fuzzy Hash: 2AC09B745101549FF711DB61DD45B543726F7083C17508115F4409413CDBB1D881DF15

                                                                        Control-flow Graph
                                                                        • 10002523-10002545 call 10001000, GetProcAddress (single block)
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000253A
                                                                        Strings
                                                                        • TmV0TG9jYWxHcm91cEVudW0= (base64 of NetLocalGroupEnum), xrefs: 10002528
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0TG9jYWxHcm91cEVudW0=
                                                                        • API String ID: 190572456-980335172
                                                                        • Opcode ID: 327d9bad702a7a7c842a33e500bfd4edb7a997bbbb3fa120786fb7268e4a0849
                                                                        • Instruction ID: 63a1c40aa0e56be92247ee1fed4819ec6860f7f49589733cfa06d56f95f5deb7
                                                                        • Opcode Fuzzy Hash: 327d9bad702a7a7c842a33e500bfd4edb7a997bbbb3fa120786fb7268e4a0849
                                                                        • Instruction Fuzzy Hash: DBC02BB0402010DEF302CF20FC48B143650E30C3C3B204054F4004003DDF7058C05911

                                                                        Control-flow Graph
                                                                        • 10002546-10002550 call 10001000 -> 10002555-10002568 GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000255D
                                                                        Strings
                                                                        • TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM= (base64 of NetLocalGroupAddMembers), xrefs: 1000254B
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0TG9jYWxHcm91cEFkZE1lbWJlcnM=
                                                                        • API String ID: 190572456-3430808999
                                                                        • Opcode ID: c3c83eeaad7e8c410e6871171806503969bcfb26dab9e11f60b75c50dcd8f11e
                                                                        • Instruction ID: ca1272d1c6c5ba21fa127b69b1bf27ffee5f9a6a4e26c013838c333b549259fb
                                                                        • Opcode Fuzzy Hash: c3c83eeaad7e8c410e6871171806503969bcfb26dab9e11f60b75c50dcd8f11e
                                                                        • Instruction Fuzzy Hash: BEC02B70800010DEF7019F20DC54A243A10F30C3C2B208160F4004003CDF70D8C0A900

                                                                        Control-flow Graph
                                                                        • 100025af-100025d1 call 10001000, GetProcAddress (single block)
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 100025C6
                                                                        Strings
                                                                        • TmV0QXBpQnVmZmVyRnJlZQ== (base64 of NetApiBufferFree), xrefs: 100025B4
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: TmV0QXBpQnVmZmVyRnJlZQ==
                                                                        • API String ID: 190572456-3244026974
                                                                        • Opcode ID: 642dc9320d71326d07a2f0d470ae2b62ddec43ef6150d903d9759c8aea796598
                                                                        • Instruction ID: dfe5daf16c6b78ace36240ce5652ccc2d6de07b8baeb264f7ad7c7904fcf06df
                                                                        • Opcode Fuzzy Hash: 642dc9320d71326d07a2f0d470ae2b62ddec43ef6150d903d9759c8aea796598
                                                                        • Instruction Fuzzy Hash: 32C02BB04030109EF312CB20DC946543620E38C3C2B214005F8004003DDF7199C09910

                                                                        Control-flow Graph
                                                                        • 1000363a-10003644 call 10001000 -> 10003649-1000365c GetProcAddress
                                                                        APIs
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10003651
                                                                        Strings
                                                                        • R2V0TW9kdWxlQmFzZU5hbWVB (base64 of GetModuleBaseNameA), xrefs: 1000363F
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: R2V0TW9kdWxlQmFzZU5hbWVB
                                                                        • API String ID: 190572456-2033685547
                                                                        • Opcode ID: b997374319e8bd926180a74ce876fca69aa3ba4c39f33a98ea0eb4ca7101dc0c
                                                                        • Instruction ID: 5df146e122e72d039630dbb6b0b3531cff15eb77738ab70f128977c83543ccad
                                                                        • Opcode Fuzzy Hash: b997374319e8bd926180a74ce876fca69aa3ba4c39f33a98ea0eb4ca7101dc0c
                                                                        • Instruction Fuzzy Hash: F0C09BB44055A0EEF7119B24EC496653715F7083C2B11C115F4419513CDF7158C19514

                                                                        Control-flow Graph
                                                                        • 100019a0-100019b6 LoadLibraryA (single block)
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 7098f20e71c02270bb2eaf5ef833034602421d6e80e0f6197a28e700d7704e37
                                                                        • Instruction ID: b66798628aae855c83bf7f686cb25124971be1b6095d86ea20a0bb19a8bac96f
                                                                        • Opcode Fuzzy Hash: 7098f20e71c02270bb2eaf5ef833034602421d6e80e0f6197a28e700d7704e37
                                                                        • Instruction Fuzzy Hash: 92B002749015B0DFF7119F14DCDC5447B62E749341B61C055E8415113CD7714455EF55

                                                                        Control-flow Graph 78: 100019ce-100019e4 LoadLibraryA
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 6e132613e7eca362e7f45d600d2fb17153e476bbb744908e5f25d371ae058448
                                                                        • Instruction ID: abcc7ed5f68379418d9c40dbe7f79a1e4d6a15d0a0615b498f296ba2a9f239dc
                                                                        • Opcode Fuzzy Hash: 6e132613e7eca362e7f45d600d2fb17153e476bbb744908e5f25d371ae058448
                                                                        • Instruction Fuzzy Hash: 97B012B0401660CFF7014F20DCC80087F33F308382B008113E8019053CD7304510EA00

                                                                        Control-flow Graph 80: 100019fc-10001a12 LoadLibraryA
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 2c8bea18dbdd8aacdd272c5e91ec760c891f17ebb79b1c00953cfafc40362904
                                                                        • Instruction ID: 47b57bf21aca614cddfcfaea860b1cc3e38cf6dbd9f820980586a8aa178d607c
                                                                        • Opcode Fuzzy Hash: 2c8bea18dbdd8aacdd272c5e91ec760c891f17ebb79b1c00953cfafc40362904
                                                                        • Instruction Fuzzy Hash: F7B00274551560DFFB119F20DCC45447A73E74D382B61C056E8515113CDB72C490EE11

                                                                        Control-flow Graph 82: 10001a41-10001a57 LoadLibraryA
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: c0d3116e682aedf87baae9e529e28630e474b3a4de6ab528fa6401d4cf041306
                                                                        • Instruction ID: 24c90ffc9fcf9f59ee58c84600115bd45079cb77f81d8688bd4f2d963a816155
                                                                        • Opcode Fuzzy Hash: c0d3116e682aedf87baae9e529e28630e474b3a4de6ab528fa6401d4cf041306
                                                                        • Instruction Fuzzy Hash: 73B00274501560DBF7119F12DCC45447E67F74A7C1B11C055E8555163CD7714451AF11

                                                                        Control-flow Graph 84: 10001ab4-10001aca LoadLibraryA
                                                                        APIs
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction ID: 44505aba912a868df48011d1cc75e83db32967a8423b7cb2a14cd0cb0a600a36
                                                                        • Opcode Fuzzy Hash: a98d907585158d12c514472a56832431ccf4a2ec9871ea9659bb2198c6e6d237
                                                                        • Instruction Fuzzy Hash: FBB012B4001560CBF7008F50CCC40047E23E30D345B20C015FD005013DC7314450AE00
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10004978
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 1000498A
                                                                        • socket.WS2_32(00000002,00000002,00000000), ref: 10004992
                                                                        • htons.WS2_32(00000035), ref: 100049A3
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 100049B4
                                                                        • htons.WS2_32(00000035), ref: 100049BB
                                                                        • inet_addr.WS2_32(?), ref: 100049C1
                                                                        • bind.WS2_32(?,?,00000010), ref: 100049CC
                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 100049E5
                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 10004A17
                                                                        • WSAGetLastError.WS2_32 ref: 10004A21
                                                                        • Sleep.KERNEL32(000003E8), ref: 10004A28
                                                                        • memset.MSVCRT ref: 10004A45
                                                                        • recvfrom.WS2_32(?,?,00000200,00000000,?,00000010), ref: 10004A61
                                                                        • memset.MSVCRT ref: 10004A87
                                                                        • wsprintfA.USER32 ref: 10004AC9
                                                                        • StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?), ref: 10004AE4
                                                                        • StrStrIA.SHLWAPI(?,alyac), ref: 10004AFC
                                                                        • StrStrIA.SHLWAPI(?,ahnlab), ref: 10004B0E
                                                                        • StrStrIA.SHLWAPI(?,v3lite), ref: 10004B20
                                                                        • malloc.MSVCRT ref: 10004B31
                                                                        • memcpy.MSVCRT(00000000,?,00000002), ref: 10004B40
                                                                        • memcpy.MSVCRT(?,?,?,00000000,?,00000002), ref: 10004B56
                                                                        • htons.WS2_32(00008180), ref: 10004B63
                                                                        • htons.WS2_32(00008182), ref: 10004B77
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004B88
                                                                        • htons.WS2_32(00000001), ref: 10004B92
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BA3
                                                                        • htons.WS2_32(0000C00C), ref: 10004BBE
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BCF
                                                                        • htons.WS2_32(00000001), ref: 10004BD9
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BE7
                                                                        • htons.WS2_32(00000001), ref: 10004BF1
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004BFF
                                                                        • htonl.WS2_32(0000007B), ref: 10004C09
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C1C
                                                                        • htons.WS2_32(00000004), ref: 10004C26
                                                                        • memcpy.MSVCRT(?,?,00000002), ref: 10004C34
                                                                        • inet_addr.WS2_32(127.0.0.1), ref: 10004C50
                                                                        • memcpy.MSVCRT(?,?,00000004), ref: 10004C63
                                                                        • memcpy.MSVCRT(?,?,?,?,?,00000004), ref: 10004C7B
                                                                        • sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 10004C95
                                                                        • closesocket.WS2_32(?), ref: 10004CB5
                                                                        • closesocket.WS2_32(?), ref: 10004CBA
                                                                        • WSACleanup.WS2_32 ref: 10004CBC
                                                                        Strings
                                                                        • ahnlab, xrefs: 10004B08
                                                                        • %s|, xrefs: 10004AC3
                                                                        • 127.0.0.1, xrefs: 100049AB, 10004C4B
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10004ADF
                                                                        • v3lite, xrefs: 10004B1A
                                                                        • alyac, xrefs: 10004AF6
                                                                        • 8.8.8.8, xrefs: 10004949
                                                                        Similarity
                                                                        • API ID: memcpy$htons$inet_addr$closesocketmemsetsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtowsprintf
                                                                        • String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 545395166-2566164256
                                                                        • Opcode ID: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction ID: f4d92e3438a437d2299d84abcf9c5d8c75e9b4238ea887dab6cfd6e428023447
                                                                        • Opcode Fuzzy Hash: 51a3529922d48c3e589b149c6dc4169ee7c3da7f33c0922d246f3985241574ca
                                                                        • Instruction Fuzzy Hash: 4FB12BB2D0025CAAEB11DBE4CC85EDFBBBCEB48340F014566E604F6155EB71AA44CFA1
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: lstrcat$FileFindlstrcpy$#823DirectoryFirstNextPath_strcmpi
                                                                        • String ID: %s\%s$*.*$.$107.160.131.252:23588/article.php$L2ltYWdlLnBocA==$NPKI$P
                                                                        • API String ID: 2329406363-814645805
                                                                        APIs
                                                                        • #823.MFC42(00000004), ref: 10005210
                                                                        • #823.MFC42(000000FF,00000004), ref: 10005225
                                                                        • #823.MFC42(00000000,000000FF,00000004), ref: 1000523F
                                                                        • strrchr.MSVCRT ref: 10005250
                                                                        • strncpy.MSVCRT ref: 10005267
                                                                        • strncpy.MSVCRT ref: 10005271
                                                                        • GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                        • GetCurrentProcess.KERNEL32(00000020,?), ref: 10005296
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 100052AD
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                        • CloseHandle.KERNEL32(?), ref: 100052E2
                                                                        • strlen.MSVCRT ref: 100052EE
                                                                        • sscanf.MSVCRT ref: 1000530A
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: #823$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrlenstrrchr
                                                                        • String ID: %[^$SeDebugPrivilege
                                                                        • API String ID: 1460262115-1521022383
                                                                        APIs
                                                                        • sprintf.MSVCRT ref: 10008BA5
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 10008BC0
                                                                        • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,10008A8C,00000000), ref: 10008BE6
                                                                        • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 10008BF7
                                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 10008C04
                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,10008A8C), ref: 10008C46
                                                                        • memset.MSVCRT ref: 10008C71
                                                                        • strcpy.MSVCRT(00000044,00000000,00000013), ref: 10008C8B
                                                                        • memset.MSVCRT ref: 10008C97
                                                                        • strcpy.MSVCRT(00000004,00000000,0000002E,?,?,?,?,00000013), ref: 10008CB1
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: memsetstrcpy$CloseControlCreateDeviceErrorFileFormatHandleLastMessagesprintf
                                                                        • String ID: 12051805$\\.\PHYSICALDRIVE%d
                                                                        • API String ID: 1986549085-3647642929
                                                                        APIs
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: Find$File$#825CloseFirstNextstrcatstrcpystrlenwsprintf
                                                                        • String ID: %s\%s$.$\*.*
                                                                        • API String ID: 842957512-2210278135
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 100042AF
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 100042B6
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 100042CA
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 100042FF
                                                                        • CloseHandle.KERNEL32(?), ref: 10004308
                                                                        Similarity
                                                                        • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                                                        • String ID:
                                                                        • API String ID: 3038321057-0
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000649E
                                                                        • memset.MSVCRT ref: 100064DA
                                                                        • wsprintfA.USER32 ref: 100064F7
                                                                        • #823.MFC42(0007D000), ref: 10006503
                                                                        • memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                        • strlen.MSVCRT ref: 1000656F
                                                                        • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                        • memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • #823.MFC42(?), ref: 100065D2
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 100065E6
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100065F3
                                                                        • #823.MFC42(00000001), ref: 100065FE
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 10006614
                                                                        • #825.MFC42(?), ref: 1000661D
                                                                        • strlen.MSVCRT ref: 10006625
                                                                        • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000), ref: 10006633
                                                                        • #825.MFC42(?), ref: 1000663C
                                                                        • strlen.MSVCRT ref: 1000664D
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(title,00000000,00000000), ref: 10006659
                                                                        • strlen.MSVCRT ref: 10006667
                                                                        • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(10015660,00000005,00000000), ref: 10006676
                                                                        • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,-00000006,-00000006), ref: 1000668D
                                                                        • strlen.MSVCRT ref: 100066A5
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066B9
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 100066C7
                                                                        • wsprintfA.USER32 ref: 100066E9
                                                                        • strlen.MSVCRT ref: 100066F0
                                                                        • #825.MFC42(?), ref: 10006724
                                                                        • strrchr.MSVCRT ref: 1000672C
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006745
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006753
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 1000676A
                                                                        • ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 10006778
                                                                        Strings
                                                                        Similarity
                                                                        • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Tidy@?$basic_string@$strlen$ByteCharMultiWide$#823#825InternetV12@memset$?find@?$basic_string@Openwsprintf$?append@?$basic_string@?assign@?$basic_string@?substr@?$basic_string@FileFormatH_prologReadTime___crtstrrchr
                                                                        • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
                                                                        • API String ID: 1229813879-2496724313
                                                                        APIs
                                                                        • memcmp.MSVCRT(00000000,-00000001), ref: 10005406
                                                                        • wsprintfA.USER32 ref: 10005437
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 1000549E
                                                                        • wsprintfA.USER32 ref: 100054BC
                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 100054CA
                                                                        • PrintFile.PQZ6GU98EH(?,?), ref: 100054DE
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                        • WriteProcessMemory.KERNEL32(?,?,00000009,00000000), ref: 100054FC
                                                                        • time.MSVCRT(00000000), ref: 1000551B
                                                                        • srand.MSVCRT ref: 10005522
                                                                        • rand.MSVCRT ref: 1000552A
                                                                        • rand.MSVCRT ref: 10005538
                                                                        • rand.MSVCRT ref: 10005543
                                                                        • rand.MSVCRT ref: 1000554E
                                                                        • rand.MSVCRT ref: 10005559
                                                                        • rand.MSVCRT ref: 10005564
                                                                        • wsprintfA.USER32 ref: 10005582
                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000559C
                                                                        • CloseHandle.KERNEL32(00000000), ref: 100055A3
                                                                        • Sleep.KERNEL32(000003E8), ref: 100055AE
                                                                        • DeleteFileA.KERNEL32(?), ref: 100055BB
                                                                        • memcmp.MSVCRT(?,-000000FE), ref: 10005602
                                                                        Strings
                                                                        • c:\windows\system32\drivers\%s, xrefs: 10005498
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
                                                                        • %s\%s, xrefs: 10005431
                                                                        • Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: rand$File$strcatwsprintf$Create$CloseHandleWritememcmpstrchr$DeleteDirectoryMemoryPrintProcessSleepsrandstrcpystrlentime
                                                                        • String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
                                                                        • API String ID: 3546221339-455112146
                                                                        • Opcode ID: 77dc5654d890d41b8df4c3bfc927f4e08fa7dbbc842ad33926e75cec058c366f
                                                                        • Instruction ID: 023f1052d7a0be8e83d6270df64d4839765010a646a328037934ecf360ce8854
                                                                        • Opcode Fuzzy Hash: 77dc5654d890d41b8df4c3bfc927f4e08fa7dbbc842ad33926e75cec058c366f
                                                                        • Instruction Fuzzy Hash: FF610873A40258BFFB10DB64CC49FDE776DEB84351F184466F604AB180CBB5EA848B64
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10004D3B
                                                                        • memset.MSVCRT ref: 10004D59
                                                                        • CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?), ref: 10004D63
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?), ref: 10004D8E
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10004DE2
                                                                        • wcscat.MSVCRT ref: 10004E18
                                                                        • VariantInit.OLEAUT32(?), ref: 10004EC5
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ECB
                                                                        • VariantInit.OLEAUT32(?), ref: 10004ED1
                                                                        • strcpy.MSVCRT(?,00000000,?), ref: 10004F52
                                                                        • _strcmpi.MSVCRT ref: 10004F75
                                                                        • strcpy.MSVCRT(?,00000000,?), ref: 10004FC0
                                                                        • StrStrIA.SHLWAPI(?,svchost.exe -k NetworkService,?), ref: 10004FE6
                                                                        • VariantClear.OLEAUT32(?), ref: 10005009
                                                                        • VariantClear.OLEAUT32(?), ref: 1000500F
                                                                        • CoUninitialize.OLE32 ref: 10005035
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$Init$ClearH_prologInitializestrcpy$#823BlanketCreateInstanceProxySecurityUninitialize_strcmpimemsetwcscat
                                                                        • String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
                                                                        • API String ID: 53594991-2685825574
                                                                        • Opcode ID: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction ID: f36072ad76851ef4156648f9e7cf886c39e7a66da788ed21f351d69932db9bd7
                                                                        • Opcode Fuzzy Hash: 32bbd442a5894e4c4c77f8e60968ee9c55a165d2d03a557a698ee9a98ac4a9f6
                                                                        • Instruction Fuzzy Hash: 26A12AB1900259AFEB04DF94CC84DEEBBB8FF48394F104569F615AB294DB31AE45CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007224
                                                                          • Part of subcall function 1000774B: CoInitializeEx.OLE32(00000000,00000000,00080000,?,10007235,00080000), ref: 1000776E
                                                                          • Part of subcall function 100077B2: _EH_prolog.MSVCRT ref: 100077B7
                                                                          • Part of subcall function 100077B2: strlen.MSVCRT ref: 100077D2
                                                                          • Part of subcall function 100077B2: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                          • Part of subcall function 100077B2: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100077B2: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • InterlockedIncrement.KERNEL32(-00000008), ref: 1000728C
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • strlen.MSVCRT ref: 100072ED
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
                                                                        • VariantInit.OLEAUT32(?), ref: 1000735E
                                                                        • SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
                                                                        • VariantInit.OLEAUT32(?), ref: 10007388
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007462
                                                                        • SafeArrayDestroy.OLEAUT32(?), ref: 10007467
                                                                        • strlen.MSVCRT ref: 10007481
                                                                        • strlen.MSVCRT ref: 10007497
                                                                          • Part of subcall function 10007A73: _EH_prolog.MSVCRT ref: 10007A78
                                                                          • Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                          • Part of subcall function 10007A73: VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007A73: InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        • SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
                                                                        • VariantInit.OLEAUT32(?), ref: 10007524
                                                                        • CoUninitialize.OLE32(Win32_NetworkAdapterConfiguration,IPEnabled=TRUE,00080000), ref: 1000760B
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Variant$ArraySafe$CreateInitstrlen$H_prologInterlocked$ClearDestroyIncrementInitialize$#825BlanketDecrementInstanceProxySecurityUninitialize
                                                                        • String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
                                                                        • API String ID: 3394522676-1668994663
                                                                        • Opcode ID: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction ID: a4af8c9dca73a5c283ada5a53ee1da82c278c6dc42568daf6e2b053f761370a2
                                                                        • Opcode Fuzzy Hash: ddec0e85c928e73a2f40de25e5a61fc965fff2af67b5860898a81e8712b9e1c8
                                                                        • Instruction Fuzzy Hash: 45D14C70D00219EFEB15CFA4C880AEEBBB8FF45781F104019F519AB259DB75AA45CFA1
                                                                        APIs
                                                                        • Sleep.KERNEL32(0000EA60), ref: 10006F35
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F7E
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 10006F88
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006F9C
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FB3
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 10006FBE
                                                                        • memset.MSVCRT ref: 10007035
                                                                        • Sleep.KERNEL32 ref: 1000706A
                                                                        • strlen.MSVCRT ref: 10007098
                                                                        • wsprintfA.USER32 ref: 100070AE
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000), ref: 100070E7
                                                                        • PrintFile.PQZ6GU98EH(00000000,?,00000000,?,00000000), ref: 100070FA
                                                                        • strcmp.MSVCRT ref: 10007105
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryFilePrintSleepSystemstrcat$#823memsetstrcmpstrlenwsprintf
                                                                        • String ID: QVNEU3ZjLmV4ZQ==$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.160.131.252:23588/article.php$iOffset
                                                                        • API String ID: 2115399682-1682937122
                                                                        • Opcode ID: 34783836d23a8db4268eedaf92dd829836002f85e3c0af5e734622589c8d7944
                                                                        • Instruction ID: 72fa86c02a68da5800153c7bf3c705a219ab7ae35cbe7a85c82bd612e58ef154
                                                                        • Opcode Fuzzy Hash: 34783836d23a8db4268eedaf92dd829836002f85e3c0af5e734622589c8d7944
                                                                        • Instruction Fuzzy Hash: BE51C9B6D04359AAF721D764CC46FCF77ACEB083C1F1045A5F208A6086DA75AB848E55
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strcspnstrstr$strcpystrncpy$FormatStartupTime___crtatoiclosesocketconnecthtonsmemsetsocket
                                                                        • String ID: http://
                                                                        • API String ID: 1412329544-1121587658
                                                                        • Opcode ID: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction ID: bda3bb5fe2d8b3d060f482acd811e7885a41a1d7ee8f75e9f264fd4272d9bcff
                                                                        • Opcode Fuzzy Hash: 2e54cfd12861dc96e4c85eb825d6bad95e4ba449bddefa9c48a5188d09549e0a
                                                                        • Instruction Fuzzy Hash: E851567290426CABFB10DBA4DC89FDE77ACEF04394F1004A6F608E6195DA749F458BA1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: /$UT
                                                                        • API String ID: 0-1626504983
                                                                        • Opcode ID: 852622564ec4b07a6b6f7f536fb0b8595a6822e117332c7ee593b18b30d01d06
                                                                        • Instruction ID: f54fcba8cf9e0f27e2bd44127f596e67299a7ae9ee4814bd1667c505b59f09c1
                                                                        • Opcode Fuzzy Hash: 852622564ec4b07a6b6f7f536fb0b8595a6822e117332c7ee593b18b30d01d06
                                                                        • Instruction Fuzzy Hash: D002D375A0439D9BEB21CF68C844F9EBBF5EF04380F1444AEE449A7246CB70AE85CB55
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082CA
                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 100082D4
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082E8
                                                                        • strcat.MSVCRT(00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 100082FF
                                                                        • #823.MFC42(00080000,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,00000000,00000000,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 1000830A
                                                                        • memset.MSVCRT ref: 10008381
                                                                        • Sleep.KERNEL32 ref: 100083A5
                                                                        • strlen.MSVCRT ref: 100083D3
                                                                        • strcmp.MSVCRT ref: 100083E5
                                                                        • wsprintfA.USER32 ref: 100083F7
                                                                        • WinExec.KERNEL32(00000000,00000000), ref: 10008422
                                                                        Strings
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 10008364
                                                                        • Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
                                                                        • 127.0.0.1, xrefs: 10008405
                                                                        • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
                                                                        • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
                                                                        • 8.8.8.8, xrefs: 10008400
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DirectorySystemstrcat$#823ExecSleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 2179988888-3096136484
                                                                        • Opcode ID: eb8ee1f67ef8b6176ace78af9f5f151e4eb5de1024bbfe4c57946852b65a3e88
                                                                        • Instruction ID: 326cc2718642543c1dd7a400e4c7d0959c533b8060c56875ff79f0cc4eb49833
                                                                        • Opcode Fuzzy Hash: eb8ee1f67ef8b6176ace78af9f5f151e4eb5de1024bbfe4c57946852b65a3e88
                                                                        • Instruction Fuzzy Hash: 0441E3B6D04258B6FB21D364CC46FCB7B6CEB44380F2040A5F248BA086DAB4BB848F55
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000598E
                                                                        • wsprintfA.USER32 ref: 100059AE
                                                                        • GetModuleFileNameA.KERNEL32(00000000,100165C8,00000104,10008666), ref: 100059C6
                                                                        • GetModuleFileNameA.KERNEL32(100166CC,00000104), ref: 100059D5
                                                                        • strcpy.MSVCRT(100167D0,100166CC), ref: 100059DE
                                                                        • strrchr.MSVCRT ref: 100059E6
                                                                        • wsprintfA.USER32 ref: 100059FB
                                                                        • wsprintfA.USER32 ref: 10005A08
                                                                        • wsprintfA.USER32 ref: 10005A19
                                                                        • #823.MFC42(00000084), ref: 10005A20
                                                                        • strcpy.MSVCRT(10016AF0,00000044), ref: 10005A50
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: wsprintf$FileModuleNamestrcpy$#823H_prologmemsetstrrchr
                                                                        • String ID: %s\%s$%s\version.txt$12051805$F896SD5DAE$M%s$host123.zz.am:6658
                                                                        • API String ID: 292421652-2736149435
                                                                        • Opcode ID: e5172cdacd31d8d7d1381340ee94b22184651f32abae94e719a96e510908b970
                                                                        • Instruction ID: 400d6614f39ff7cd744ddab951aebd9dcb408de85795f0dded65be8652f6b733
                                                                        • Opcode Fuzzy Hash: e5172cdacd31d8d7d1381340ee94b22184651f32abae94e719a96e510908b970
                                                                        • Instruction Fuzzy Hash: F22102322003687BF210E7958C85F5B7F9CDB856AAF01412AF741AE181CB72E8808A72
                                                                        APIs
                                                                        • strcpy.MSVCRT(?,?), ref: 10004170
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10004184
                                                                        • strrchr.MSVCRT ref: 10004193
                                                                        • strcat.MSVCRT(?,log.txt), ref: 100041B2
                                                                        • CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000), ref: 100041D0
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 100041E6
                                                                        • time.MSVCRT(00000000), ref: 100041ED
                                                                        • localtime.MSVCRT(?), ref: 100041FA
                                                                        • strftime.MSVCRT ref: 1000420C
                                                                        • vsprintf.MSVCRT ref: 1000424F
                                                                        • sprintf.MSVCRT ref: 1000426C
                                                                        • strlen.MSVCRT ref: 10004281
                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004290
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10004297
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleModuleNamePointerWritelocaltimesprintfstrcatstrcpystrftimestrlenstrrchrtimevsprintf
                                                                        • String ID: %s%s$log.txt
                                                                        • API String ID: 2918410534-1489102009
                                                                        • Opcode ID: 6a96db00d658787538a7c9d728de0d35d20d0f261e33c19072dcf104bd009eb6
                                                                        • Instruction ID: d7a24dcdaf8e6b49f461e4f1291d64edd5db5d0b5c8b00a4d6a5de73979513ca
                                                                        • Opcode Fuzzy Hash: 6a96db00d658787538a7c9d728de0d35d20d0f261e33c19072dcf104bd009eb6
                                                                        • Instruction Fuzzy Hash: 1E41377690125CBFFB11DBA4CC89EDE7B6CEB08385F1044A6F709E6054DA70AE848B61
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: _mbsicmp$strlen
                                                                        • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                        • API String ID: 2479270535-51310709
                                                                        • Opcode ID: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction ID: 73947956ff5f80da35e905b20d3a22064da75616644d11fbfe3e9aabf24defd8
                                                                        • Opcode Fuzzy Hash: 595e718e4ecb8c606292edc7990fc0f32a28d53f105d0413bb222dd9cd2becee
                                                                        • Instruction Fuzzy Hash: 9611823F619E27687659F966AC149DF17C8CF930F2337002BE750EA488FF25CA864661
                                                                        APIs
                                                                        • StrStrIA.SHLWAPI(?,cmd.exe), ref: 10004366
                                                                        • GetCurrentProcessId.KERNEL32 ref: 10004373
                                                                          • Part of subcall function 10004318: OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • Sleep.KERNEL32(?), ref: 100043A6
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 100043BB
                                                                          • Part of subcall function 10001000: strlen.MSVCRT ref: 100016BB
                                                                          • Part of subcall function 10001000: #823.MFC42(00000007), ref: 100016EB
                                                                          • Part of subcall function 10001000: memset.MSVCRT ref: 100016F9
                                                                        • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 100043D9
                                                                        • DeleteFileA.KERNEL32(?), ref: 100043DE
                                                                        • Sleep.KERNEL32(000003E8), ref: 100043E5
                                                                        • PathFileExistsA.SHLWAPI(?), ref: 100043EA
                                                                        • GetTickCount.KERNEL32 ref: 1000440B
                                                                        • wsprintfA.USER32 ref: 10004421
                                                                        • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 10004436
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$DeleteMoveProcessSleep$#823CountCurrentExistsOpenPathTickmemsetstrlenwsprintf
                                                                        • String ID: %s.%d$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
                                                                        • API String ID: 13915177-3916765701
                                                                        • Opcode ID: 8abbd0928008d068458f6ec8a9b8eb2790f2a58190247dfe79be96e1ab9430c7
                                                                        • Instruction ID: 963a348ca2d5bfb4595b212cae23924ed86a21a29487051e768ee2e180cf1c8b
                                                                        • Opcode Fuzzy Hash: 8abbd0928008d068458f6ec8a9b8eb2790f2a58190247dfe79be96e1ab9430c7
                                                                        • Instruction Fuzzy Hash: CC2162B2500258BBFB11AB60DC89BDE7B6CEB043D1F154061F644A9095DFB59E808A65
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: strcpy$Versionmemsetsprintf
                                                                        • String ID: 2000$2003$2008$Vista$Win %s SP%d
                                                                        • API String ID: 313931894-2264339393
                                                                        • Opcode ID: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction ID: 7d42eae51c3aa3afb7aca7336a245172d168173812804ea46fc3bd7bd3e3ba23
                                                                        • Opcode Fuzzy Hash: 4af578f40ec95c3672ae94be35fa3b4448fd4b6fa0afa84c65eb22b6e7640dd3
                                                                        • Instruction Fuzzy Hash: F5415031D4032CEEFB24C6649C46FDAB7A8DB013A7F1044A7E20CA5086D776AEC5CA91
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10005DE0
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10005E11
                                                                          • Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2
                                                                          • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10004096
                                                                        • strcpy.MSVCRT(000000C8,?,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10005E29
                                                                        • strcpy.MSVCRT(?,Find CPU Error), ref: 10005E3C
                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 10005E5F
                                                                        • strcpy.MSVCRT(?,12051805,?,%u MB,-00000001), ref: 10005E95
                                                                        • GetSystemDefaultUILanguage.KERNEL32 ref: 10005E9D
                                                                        • strcpy.MSVCRT(?,00000000), ref: 10005EEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: strcpy$CloseDefaultFormatGlobalLanguageMemoryOpenQueryStatusSystemTimeValue___crt
                                                                        • String ID: %u MB$12051805$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.160.131.252:23588/article.php
                                                                        • API String ID: 335664808-297510382
                                                                        • Opcode ID: f5c445e53940849268ae1e19965f9d3b92ecee27d3a80da98793b752984bbc1e
                                                                        • Instruction ID: 64a10f69e166a7139f234e211cfa4612f73fd1769519a57ef44d38a5129d0f72
                                                                        • Opcode Fuzzy Hash: f5c445e53940849268ae1e19965f9d3b92ecee27d3a80da98793b752984bbc1e
                                                                        • Instruction Fuzzy Hash: C031F376804218BBFB20CB64CC46FDF77BCEB08341F10446AF654BA085EB71BA448B54
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(urlmon.dll), ref: 10006026
                                                                        • LoadLibraryA.KERNEL32(wininet.dll), ref: 10006030
                                                                        • GetProcAddress.KERNEL32(?,URLDownloadToCacheFileA), ref: 1000605B
                                                                        • GetProcAddress.KERNEL32(?,GetUrlCacheEntryInfoA), ref: 10006068
                                                                        • #823.MFC42(00000050), ref: 1000606E
                                                                        • strcat.MSVCRT(?,10015560), ref: 100060BB
                                                                        • strcat.MSVCRT(?,?,?,10015560), ref: 100060CE
                                                                        • strcat.MSVCRT(?,10015560,?,?,?,10015560), ref: 100060DB
                                                                        • memset.MSVCRT ref: 100060E7
                                                                          • Part of subcall function 10003FC8: CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10003FE9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: strcat$AddressLibraryLoadProc$#823CreateProcessmemset
                                                                        • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$urlmon.dll$wininet.dll
                                                                        • API String ID: 1308283570-2475139894
                                                                        • Opcode ID: 10015ed59732541beb5642d44f753a41e84aebf18f2d39d3c00af53a476127d6
                                                                        • Instruction ID: 5bc36e72ee7a02c1c0e69050cea4439c3b038a47dfce127ca0f0f16504b8aeec
                                                                        • Opcode Fuzzy Hash: 10015ed59732541beb5642d44f753a41e84aebf18f2d39d3c00af53a476127d6
                                                                        • Instruction Fuzzy Hash: C2312CB290065CBAEB11DBA4CC45FDF7F7DEB08341F5444A6E208AB181E7716A458EA0
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007E08
                                                                        • #389.MFC42(00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E2D
                                                                        • #6059.MFC42(00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60,00000000), ref: 10007E4C
                                                                        • #6059.MFC42(00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,771A8A60), ref: 10007E60
                                                                        • #3229.MFC42(00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002,?,00000004,00000000,00000000,00000001,00000000,00000000), ref: 10007E70
                                                                        • #5204.MFC42(00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003,00001388,00000004,00000000,00000002), ref: 10007E89
                                                                        • #5808.MFC42(00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000,00000003), ref: 10007E9D
                                                                        • #825.MFC42(?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EA9
                                                                        • #1988.MFC42 ref: 10007EC3
                                                                        • #690.MFC42 ref: 10007ECF
                                                                        • #5356.MFC42(?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000,00000000), ref: 10007EE1
                                                                        • #825.MFC42(000000C8,?,00000000,00000000,?,?,00000000,?,00000000,00000001,00000000,00000000,20000000,00000050,?,00000000), ref: 10007F10
                                                                        • #1988.MFC42 ref: 10007F27
                                                                        • #690.MFC42 ref: 10007F39
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: #1988#6059#690#825$#3229#389#5204#5356#5808H_prolog
                                                                        • String ID:
                                                                        • API String ID: 686017586-0
                                                                        • Opcode ID: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction ID: 65d52c856144c7dc343c998bea728568d717a918c34615c3037e65eeb0ab1587
                                                                        • Opcode Fuzzy Hash: cc0548f1314b3cbf95e6bc4ddad020abca3fc05560baba2be6dae5f049c12ffe
                                                                        • Instruction Fuzzy Hash: AF417C7590121DAFEF14DF94D985DDEBFB9EF49390F10002AF40AA3295CB346A45CBA1
                                                                        APIs
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000004), ref: 10005210
                                                                          • Part of subcall function 100051D3: #823.MFC42(000000FF,00000004), ref: 10005225
                                                                          • Part of subcall function 100051D3: #823.MFC42(00000000,000000FF,00000004), ref: 1000523F
                                                                          • Part of subcall function 100051D3: strrchr.MSVCRT ref: 10005250
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005267
                                                                          • Part of subcall function 100051D3: strncpy.MSVCRT ref: 10005271
                                                                          • Part of subcall function 100051D3: GetSystemInfo.KERNEL32(?), ref: 1000527A
                                                                          • Part of subcall function 100051D3: GetCurrentProcess.KERNEL32(00000020,?), ref: 10005296
                                                                          • Part of subcall function 100051D3: OpenProcessToken.ADVAPI32(00000000), ref: 1000529D
                                                                          • Part of subcall function 100051D3: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 100052AD
                                                                          • Part of subcall function 100051D3: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 100052D9
                                                                          • Part of subcall function 100051D3: CloseHandle.KERNEL32(?), ref: 100052E2
                                                                          • Part of subcall function 100051D3: strlen.MSVCRT ref: 100052EE
                                                                          • Part of subcall function 100051D3: sscanf.MSVCRT ref: 1000530A
                                                                        • wsprintfA.USER32 ref: 1000574F
                                                                          • Part of subcall function 10005318: strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 10005367
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                          • Part of subcall function 10005318: strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                          • Part of subcall function 10005318: strchr.MSVCRT ref: 100053AB
                                                                        • wsprintfA.USER32 ref: 100057B1
                                                                        • wsprintfA.USER32 ref: 100057C5
                                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 100057D4
                                                                        • PrintFile.PQZ6GU98EH(?,?), ref: 100057E8
                                                                          • Part of subcall function 1000443D: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 10004456
                                                                          • Part of subcall function 1000443D: strlen.MSVCRT ref: 10004467
                                                                          • Part of subcall function 1000443D: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10004472
                                                                          • Part of subcall function 1000443D: CloseHandle.KERNEL32(00000000), ref: 10004479
                                                                          • Part of subcall function 10004D36: _EH_prolog.MSVCRT ref: 10004D3B
                                                                          • Part of subcall function 10004D36: memset.MSVCRT ref: 10004D59
                                                                          • Part of subcall function 10004D36: CoInitializeEx.OLE32(00000000,00000000,Win32_process,?,?), ref: 10004D63
                                                                          • Part of subcall function 10004D36: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 10004D74
                                                                          • Part of subcall function 10004D36: CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?), ref: 10004D8E
                                                                          • Part of subcall function 10004D36: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10004DE2
                                                                          • Part of subcall function 10004D36: wcscat.MSVCRT ref: 10004E18
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10005810
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005620,00000000,00000000), ref: 10005835
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Createstrcat$#823FileProcesswsprintf$CloseHandleInitializeOpenTokenstrchrstrlenstrncpy$AdjustBlanketCurrentDirectoryH_prologInfoInstanceLookupPrintPrivilegePrivilegesProxySecuritySystemThreadValueWritememsetsscanfstrcpystrrchrwcscat
                                                                        • String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
                                                                        • API String ID: 3029756400-1421401311
                                                                        • Opcode ID: ad18d1a8a1d4ce6432a8a8d11d10060157b86576ffbf362925edad6276568f5f
                                                                        • Instruction ID: 28587ef57c74646f6200826593ba84f0ee4a51bfb79cbc35cab65446596f3e80
                                                                        • Opcode Fuzzy Hash: ad18d1a8a1d4ce6432a8a8d11d10060157b86576ffbf362925edad6276568f5f
                                                                        • Instruction Fuzzy Hash: 75317772910178BBEB11D7A4CC84FCF7B6CEB08746F1405A6F209FA051DB71AA858B95
                                                                        APIs
                                                                        • GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        • GetFileSize.KERNEL32(?,00000000,?,00000000), ref: 1000BA6A
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1000BA86
                                                                        • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1000BA9A
                                                                        • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 1000BAA3
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BAB3
                                                                        • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 1000BACE
                                                                        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000BADE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$PointerRead$HandleInformationSize
                                                                        • String ID: $@$@
                                                                        • API String ID: 2979504256-3743272326
                                                                        • Opcode ID: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction ID: 300477372e44d699427ff54a679b45810dd7889e5983b4805fee524b870b0fb0
                                                                        • Opcode Fuzzy Hash: 26cf0c60490d6e4c0696df124d7e28d63d2f4be6d6220123ecc5eb32fa62ab80
                                                                        • Instruction Fuzzy Hash: 33516AB1A0064DAFEB10DF94CC81AAEBBF9EF44394F108069F641E6164D770AE80CB51
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?), ref: 10008491
                                                                        • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 100084BC
                                                                        • memset.MSVCRT ref: 100084DE
                                                                        • memset.MSVCRT ref: 100084EC
                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?), ref: 10008523
                                                                        • StrStrIA.SHLWAPI(?,svchsot.exe), ref: 1000853B
                                                                        • RegDeleteValueA.ADVAPI32(?,?), ref: 1000854F
                                                                        • RegCloseKey.ADVAPI32(?), ref: 10008562
                                                                        • Sleep.KERNEL32(000493E0), ref: 1000856D
                                                                        Strings
                                                                        • U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10008480
                                                                        • svchsot.exe, xrefs: 10008535
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Valuememset$CloseDeleteEnumInfoOpenQuerySleep
                                                                        • String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
                                                                        • API String ID: 1121228644-2214221337
                                                                        • Opcode ID: b033cfff7d98bde0bff13e71afadec912eb6ecabbaa77eabc96f46338b5dae00
                                                                        • Instruction ID: 41e6ea02effd465f5a8e3b964bebe7f7f026d5d666a2e96095e75d2e8622051d
                                                                        • Opcode Fuzzy Hash: b033cfff7d98bde0bff13e71afadec912eb6ecabbaa77eabc96f46338b5dae00
                                                                        • Instruction Fuzzy Hash: 0F3106B290015DBEEB11CB94CD85DEFB7BDFB08381F1040A6E645F6114EA70AF848BA0
                                                                        APIs
                                                                        • #823.MFC42(00001218), ref: 10006A8E
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006AA0
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006AB9
                                                                        • memset.MSVCRT ref: 10006AD2
                                                                          • Part of subcall function 10006499: _EH_prolog.MSVCRT ref: 1000649E
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 100064DA
                                                                          • Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
                                                                          • Part of subcall function 10006499: #823.MFC42(0007D000), ref: 10006503
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006511
                                                                          • Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546
                                                                          • Part of subcall function 10006499: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 10006563
                                                                          • Part of subcall function 10006499: strlen.MSVCRT ref: 1000656F
                                                                          • Part of subcall function 10006499: ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(10017B9C,00000000), ref: 1000657A
                                                                          • Part of subcall function 10006499: memset.MSVCRT ref: 10006595
                                                                          • Part of subcall function 10006499: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 100065C8
                                                                        • Sleep.KERNEL32(0002BF20), ref: 10006AEE
                                                                        • CreateThread.KERNEL32(00000000,00000000,1000687E,00000000,00000000,00000000), ref: 10006B02
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B0D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B14
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B1D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memset$#823CloseCreateD@2@@std@@D@std@@HandleU?$char_traits@V?$allocator@$?assign@?$basic_string@ByteCharErrorFormatH_prologLastMultiMutexObjectSingleSleepStartupThreadTidy@?$basic_string@TimeV12@WaitWide___crtstrlenwsprintf
                                                                        • String ID: 0x5d65r455f$5762479093
                                                                        • API String ID: 667822095-2446933972
                                                                        • Opcode ID: 7fef6f5394270c5f89689a20f937946811b0a18946ee1a53cbc7a8a1d9bb0782
                                                                        • Instruction ID: 8cdb2823aa61e5ac7bb0c892828062c090cb3bd64512b72bfa76aaf67c22daa6
                                                                        • Opcode Fuzzy Hash: 7fef6f5394270c5f89689a20f937946811b0a18946ee1a53cbc7a8a1d9bb0782
                                                                        • Instruction Fuzzy Hash: 90012871544258BBF310E7B09CCEDBF3A5CDB463E1F140138FA15A508ADB659C1546B3
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 100077B7
                                                                        • strlen.MSVCRT ref: 100077D2
                                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,00080000), ref: 100077EB
                                                                        • CoCreateInstance.OLE32(100101A8,00000000,00000001,100100D8,?,?,?,00080000), ref: 100077FF
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                        • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,00080000), ref: 10007864
                                                                        • strlen.MSVCRT ref: 10007909
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: H_prolog$#823strlen$BlanketCreateInitializeInstanceProxySecurity
                                                                        • String ID: WHERE $ROOT\CIMV2$SELECT * FROM $WQL
                                                                        • API String ID: 2251539122-2582412207
                                                                        • Opcode ID: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction ID: b5d22a176f2e9897db3186ef54651fb278fb7d6c126efc4cfaa591b9760a4b79
                                                                        • Opcode Fuzzy Hash: 43ae68365b7d9c16232d13277ef60b3e0eeaab6c95975254fc598db2741319f5
                                                                        • Instruction Fuzzy Hash: CA817D34901219EFEF15CF94C885AEE7B79FF057D0F208409F51AAB199DB34AA44CBA1
                                                                        APIs
                                                                        • Sleep.KERNEL32(00002710), ref: 1000858F
                                                                        • #823.MFC42(00300000,aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=), ref: 100085A4
                                                                        • memset.MSVCRT ref: 100085B1
                                                                        • Sleep.KERNEL32(001B7740), ref: 100085D0
                                                                        • GetTickCount.KERNEL32 ref: 100085EA
                                                                        • wsprintfA.USER32 ref: 100085FD
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10008648
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Sleep$#823CountCreateProcessTickmemsetwsprintf
                                                                        • String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log
                                                                        • API String ID: 3077700110-1533272838
                                                                        • Opcode ID: 9c7c0fc28da91c3447766d1f79b0ee7ffa5bf468e5b711f49d6b7a35b3051f9e
                                                                        • Instruction ID: b7caa614f7a4c108a39e01f2f415c9d76805585370d17942aa5233dc0422d24d
                                                                        • Opcode Fuzzy Hash: 9c7c0fc28da91c3447766d1f79b0ee7ffa5bf468e5b711f49d6b7a35b3051f9e
                                                                        • Instruction Fuzzy Hash: 1C2181B690025CBAEB11DBE4CC46EDFBB7CEF48390F140465F704B6144DA755A858BA1
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10006DDA
                                                                        • strstr.MSVCRT ref: 10006DF1
                                                                        • #823.MFC42(00000084), ref: 10006E08
                                                                        • strcpy.MSVCRT(10016AF0,00000044), ref: 10006E31
                                                                          • Part of subcall function 10008A6A: memset.MSVCRT ref: 10008A7B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823H_prologmemsetstrcpystrstr
                                                                        • String ID: %s|NULL|%s|%s$12051805$JXMvam95LmFzcD9zaWQ9JXM=$http://$http://107.160.131.251:18659/
                                                                        • API String ID: 983634193-1290726177
                                                                        Strings
                                                                        • %02X%02X%02X%02X%02X%02X, xrefs: 10008DC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Netbiosmemset$sprintfstrcpy
                                                                        • String ID: %02X%02X%02X%02X%02X%02X
                                                                        • API String ID: 3158056522-722279150
                                                                        APIs
                                                                        • PathIsDirectoryA.SHLWAPI(?), ref: 1000477F
                                                                        • strlen.MSVCRT ref: 1000478E
                                                                        • strlen.MSVCRT ref: 1000479C
                                                                        • strlen.MSVCRT ref: 100047AA
                                                                        • strrchr.MSVCRT ref: 100047C1
                                                                        • strcpy.MSVCRT(00000000,?,00000000,00000001,?,?,123), ref: 100047FF
                                                                        • strrchr.MSVCRT ref: 1000480D
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC93
                                                                          • Part of subcall function 1000CC56: #825.MFC42(?,?,?,1000486F,?), ref: 1000CC9A
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: strlen$#825strrchr$DirectoryPathstrcpy
                                                                        • String ID: 123
                                                                        • API String ID: 3295485176-2286445522
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 100044C4
                                                                        • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 100044D3
                                                                        • malloc.MSVCRT ref: 100044F7
                                                                        • htons.WS2_32(00000000), ref: 10004529
                                                                        • free.MSVCRT ref: 1000454C
                                                                        • FreeLibrary.KERNEL32(?), ref: 10004556
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProcfreehtonsmalloc
                                                                        • String ID: GetExtendedUdpTable$iphlpapi.dll
                                                                        • API String ID: 3287369011-1809394930
                                                                        APIs
                                                                        • strcpy.MSVCRT(00000000,www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c), ref: 1000534D
                                                                        • strchr.MSVCRT ref: 10005367
                                                                        • strcat.MSVCRT(?,10016AE0), ref: 1000537D
                                                                        • strcat.MSVCRT(?, ,?,10016AE0), ref: 1000538A
                                                                        • strcat.MSVCRT(?,00000000,?, ,?,10016AE0), ref: 10005393
                                                                        • strcat.MSVCRT(?,1001538C,?,00000000,?, ,?,10016AE0), ref: 100053A0
                                                                        • strchr.MSVCRT ref: 100053AB
                                                                        Strings
                                                                        • , xrefs: 10005382
                                                                        • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: strcat$strchr$strcpy
                                                                        • String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                                                        • API String ID: 1601127630-230412946
                                                                        Strings
                                                                        • http://107.160.131.252:23588/article.php, xrefs: 1000717C
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: #823Sleepmemsetstrcmpstrlenwsprintf
                                                                        • String ID: http://107.160.131.252:23588/article.php
                                                                        • API String ID: 1027432993-2036118572
                                                                        APIs
                                                                          • Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003
                                                                          • Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 1000408A
                                                                        • wsprintfA.USER32 ref: 10006D99
                                                                        • strlen.MSVCRT ref: 10006DA6
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006DBF
                                                                          • Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040E9
                                                                          • Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10005E1E,?,?,ProcessorNameString,00000000,00000004,?,?), ref: 10004096
                                                                        Strings
                                                                        • REG_SZ, xrefs: 10006D55
                                                                        • cmap, xrefs: 10006DB7
                                                                        • %s "%s",InvCMAP, xrefs: 10006D93
                                                                        • U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D5B
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseCreateFormatNamePathShortTimeValue___crtstrlenwsprintf
                                                                        • String ID: %s "%s",InvCMAP$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$cmap
                                                                        • API String ID: 3689556866-1482889639
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007A78
                                                                        • VariantInit.OLEAUT32(?), ref: 10007AB2
                                                                          • Part of subcall function 1000504D: _EH_prolog.MSVCRT ref: 10005052
                                                                          • Part of subcall function 1000504D: #823.MFC42(0000000C,00000000,?,10004E4F,WQL,?), ref: 1000505D
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B5F
                                                                        • VariantClear.OLEAUT32(?), ref: 10007B68
                                                                          • Part of subcall function 10007D3F: _EH_prolog.MSVCRT ref: 10007D44
                                                                          • Part of subcall function 10007D3F: SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                          • Part of subcall function 10007D3F: SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                          • Part of subcall function 10007D3F: SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 10007D3F: InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                          • Part of subcall function 10007BA9: InterlockedIncrement.KERNEL32(-00000008), ref: 10007BBB
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007B84
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Interlocked$ArrayH_prologIncrementSafeVariant$ClearData$#823#825AccessDecrementInitUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 4001368842-3916222277
                                                                        • Opcode ID: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction ID: 16e68ad5d50085e4c10e12c9d7be0e27fc14601c0442ffb24b2420ebed866ce4
                                                                        • Opcode Fuzzy Hash: fdb2bc760db1a244319458eeed6f023950d19f5c49e862236ee49855d4486fcd
                                                                        • Instruction Fuzzy Hash: 71418275D0015A9BEF14DFA4C884AEEB7F8FF48285F10446DE91AA3245D738BE48CB61
                                                                        APIs
                                                                        • #823.MFC42(00000001), ref: 10005655
                                                                        • VirtualQueryEx.KERNEL32(?,?,0000001C), ref: 1000567A
                                                                        • #825.MFC42(00000000), ref: 100056A9
                                                                        • #823.MFC42(?,00000000), ref: 100056B5
                                                                        • ReadProcessMemory.KERNEL32(?,00000000,?,00000000), ref: 100056CD
                                                                        • #825.MFC42(00000000), ref: 100056F4
                                                                        • CloseHandle.KERNEL32 ref: 10005700
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823#825$CloseHandleMemoryProcessQueryReadVirtual
                                                                        • String ID:
                                                                        • API String ID: 2613863258-0
                                                                        • Opcode ID: 0f9680c4f3fef52aed6cdbdb973800681c1211301e0a2ae4b758067bd0b481e1
                                                                        • Instruction ID: 4db0274d55e25b68ee7d3e13ac28b9df299f601e2e192f3360f90a931f98b51e
                                                                        • Opcode Fuzzy Hash: 0f9680c4f3fef52aed6cdbdb973800681c1211301e0a2ae4b758067bd0b481e1
                                                                        • Instruction Fuzzy Hash: 6B318431A00219ABFB00CB54CD89FAE7BB8EB483D5F554029F904AB254D777AD41CB61
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100045A0
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 100045B5
                                                                        • #823.MFC42(00000000), ref: 100045BC
                                                                        • memset.MSVCRT ref: 100045DB
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 100045F3
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10004610
                                                                        • CloseHandle.KERNEL32(?), ref: 10004622
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$#823CloseCreateHandleReadSizememcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3874965551-0
                                                                        • Opcode ID: 7a149f2bd9bb8e42033a10b9f991dccdaa8256abe57a07cc96fa15bb1d1c7981
                                                                        • Instruction ID: b8e15c26b79344f892a994df82a26dd1cf42bd8fa36d8d7a2bc0f72dde553fdd
                                                                        • Opcode Fuzzy Hash: 7a149f2bd9bb8e42033a10b9f991dccdaa8256abe57a07cc96fa15bb1d1c7981
                                                                        • Instruction Fuzzy Hash: C7218EB1900249BFEB11CFA4CC85ECA3BADEB08391F104461FA49E7154D671AE848B64
                                                                        APIs
                                                                        • WSAStartup.WS2_32(00000202,?), ref: 10006B48
                                                                          • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
                                                                        • GetLastError.KERNEL32 ref: 10006B66
                                                                        • CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B7C
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B87
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006B8E
                                                                        • Sleep.KERNEL32(00002710), ref: 10006B99
                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006BA2
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
                                                                        • String ID:
                                                                        • API String ID: 3243752880-0
                                                                        • Opcode ID: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction ID: 4de3013a68fbd2a0a9bee951070d024d9b213cabf77efd8d8e5562ee79781ab3
                                                                        • Opcode Fuzzy Hash: 43b85d349e9c91a12019694e557562f6a53a95edcf124f7203529c61acb02f71
                                                                        • Instruction Fuzzy Hash: D4F0FF71805170BBF6116BB08CCDCAF3E2CEF8A3E0B100120FA09E2089CB604C4186B2
                                                                        APIs
                                                                        • strlen.MSVCRT ref: 100058B5
                                                                        • GlobalAlloc.KERNEL32(00000040,00000001), ref: 100058C7
                                                                        • memset.MSVCRT ref: 100058D3
                                                                        • strcpy.MSVCRT(00000000,?,00000000,00000000,00000001), ref: 100058DA
                                                                        • memset.MSVCRT ref: 100058FC
                                                                        • strcpy.MSVCRT(?,00000000,?,00000000,00000001), ref: 10005908
                                                                        • GlobalFree.KERNEL32(00000000), ref: 10005911
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Globalmemsetstrcpy$AllocFreestrlen
                                                                        • String ID:
                                                                        • API String ID: 1071719858-0
                                                                        • Opcode ID: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction ID: 78a2fa517b2917b970834adb5cd9272944c22913aa7c801b0364ce0a5f020401
                                                                        • Opcode Fuzzy Hash: 44023eacba013d303639c5b1305f9799fcbf58a88e73d56bb210fe93b9b86850
                                                                        • Instruction Fuzzy Hash: 2201D4B6901269BBF72097148C4AF8B7AACDF417D5F200465F802B2147D665EE4082B8
                                                                        APIs
                                                                        Strings
                                                                        • Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: DeleteExecFileSleepwsprintf
                                                                        • String ID: Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
                                                                        • API String ID: 3112201625-3621208895
                                                                        • Opcode ID: 48778a85303ae446d5a66b1286e7842b85f34bd2375e78a60d62b6eb7f6f5f20
                                                                        • Instruction ID: 08be347dabe4e69125defaea18d67bebded8d0a374800736b22a7d520ac7fbac
                                                                        • Opcode Fuzzy Hash: 48778a85303ae446d5a66b1286e7842b85f34bd2375e78a60d62b6eb7f6f5f20
                                                                        • Instruction Fuzzy Hash: 85F08272500199EBEB118BA4CC897DA7769FF04385F040875F301F5094DBB09ED48B55
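The string at xref 10008821 is base64. Decoded it reads cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s". The API ID of this function names wsprintf, an Exec-family call, DeleteFile and Sleep, so "%s" is a format placeholder filled in at run time with a path. Three echoes to the loopback address sent about a second apart give roughly a two-second delay, after which rd /s /q removes that directory: this is the delay-then-delete idiom behind the "Uses ping.exe to sleep" signature in the overview. Because the command is stored encoded, string rules against the binary have to decode base64 runs before matching; the decoded form is what process-creation telemetry records once cmd.exe is spawned. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it decodes base64 runs, splits the resulting cmd.exe chain on its separators, and tags the loopback-ping sleep, a non-loopback ping probe, recursive or plain deletes, and the sleep-before-delete ordering. The only page data it contains is the base64 string; everything else it is fed is the caller's input.

```python
import base64
import binascii
import re

# Page data: the base64 string listed at xref 10008821 in the report above.
REPORT_STRING = "Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI="

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# optional quoted path ending in cmd/cmd.exe, then /c or /k
CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s\\]*\\)*cmd(?:\.exe)?"?\s+/[cCkK]\s*')
PING_VALUE_OPTS = {"-n", "-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def decode_b64_candidates(blob: str) -> list[str]:
    """Decode every base64-looking run in blob that yields printable ASCII."""
    found = []
    for m in B64_RUN.finditer(blob):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not a base64 payload
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def split_cmd_chain(cmdline: str) -> list[str]:
    """Strip a 'cmd.exe /c' wrapper and split on cmd's &, && and || separators."""
    body = CMD_WRAPPER.sub("", cmdline, count=1)
    return [s.strip() for s in re.split(r"&&|\|\||&", body) if s.strip()]


def ping_target(tokens: list[str]) -> str:
    """Host argument of a Windows ping, skipping options that take a value."""
    skip = False
    for tok in tokens[1:]:
        if skip:
            skip = False
            continue
        if tok.lower() in PING_VALUE_OPTS:
            skip = True
            continue
        if tok.startswith(("-", "/")):
            continue
        return tok
    return ""


def classify_cmdline(cmdline: str) -> set[str]:
    """Tag behaviours in a cmd chain: loopback ping used as a sleep, ping of a
    real host, recursive/plain deletes, and a sleep that precedes a delete."""
    tags, ping_at, delete_at = set(), None, None
    for i, seg in enumerate(split_cmd_chain(cmdline)):
        toks = seg.split()
        exe = toks[0].lower().rsplit("\\", 1)[-1].strip('"')
        if exe in ("ping", "ping.exe"):
            if ping_target(toks) in LOOPBACK:
                tags.add("ping_sleep")
                ping_at = i
            else:
                tags.add("ping_probe")
        elif exe in ("rd", "rmdir") and "/s" in (t.lower() for t in toks):
            tags.add("recursive_delete")
            delete_at = i
        elif exe in ("del", "erase"):
            tags.add("file_delete")
            delete_at = i
    if ping_at is not None and delete_at is not None and ping_at < delete_at:
        tags.add("delayed_delete")  # the sleep-then-remove idiom
    if re.search(r"%[sd]", cmdline):
        tags.add("format_template")  # placeholder filled by wsprintf at run time
    return tags


def scan(blob: str) -> dict[str, set[str]]:
    """Decode base64 runs in blob and classify each decoded command line."""
    return {cmd: classify_cmdline(cmd) for cmd in decode_b64_candidates(blob)}


if __name__ == "__main__":
    for cmd, tags in scan(REPORT_STRING).items():
        print(f"{cmd!r} -> {sorted(tags)}")
```

scan() works equally on a strings dump of the DLL and on a command line lifted from process-creation logs; the delayed_delete tag fires only when the loopback ping comes before the delete in the same chain, which is the ordering that matters.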
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000001,00000000,?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?), ref: 1000BBDE
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,1000CABA,?,?,?,76789DE0), ref: 1000BC18
                                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 1000BC72
                                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?,?,00000003), ref: 1000BC8F
                                                                        • CloseHandle.KERNEL32(?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?), ref: 1000BC9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                         • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Create$CloseHandleMappingPointerView
                                                                        • String ID:
                                                                        • API String ID: 1737989552-0
                                                                        • Opcode ID: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction ID: 52b7da836c05925aaa6f9b96ed88e0255cb2f85f02a575bc541db1582194b3b7
                                                                        • Opcode Fuzzy Hash: 59e57f63eae3ae635959cd35c3659a05f4d3f0b828fba90afac6820c1e9bc437
                                                                        • Instruction Fuzzy Hash: 37317EB0604B86EBF330CF1488C4E0BBAE9EB043D8F108A3EF59596549DB70ED849751
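Most of the meaning in the API records above sits in the raw argument values, and the IDA plugin prints stack residue (return addresses such as 1000CABA and 76789DE0) after the real arguments. Decoded: the record at 100045A0 opens a file GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and reads it in 0x1000-byte chunks; the record at 10006B48 requests Winsock 2.2, creates a mutex and immediately calls GetLastError (the usual ERROR_ALREADY_EXISTS single-instance check), waits on a thread and then sleeps 0x2710 = 10000 ms; the record at 1000BC18 creates a file GENERIC_WRITE, CREATE_ALWAYS and then maps a PAGE_READWRITE section FILE_MAP_ALL_ACCESS whose first argument is printed as 000000FF, the imm8 form of push -1, so almost certainly INVALID_HANDLE_VALUE, which makes the section pagefile-backed rather than a view of the file just created (confirm in the disassembly). The same caveat applies to the 000000FF passed to WaitForSingleObject. Positional decoding only works when the listing shows every push: VirtualQueryEx at 1000567A shows three values for a four-argument call, so the 0x1C there is recognised as sizeof(MEMORY_BASIC_INFORMATION) on 32-bit by value, not by position. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses lines in this report's "API.MODULE(args), ref: addr" format, trims each call to its real arity, and names the constants. Its sample input is copied from the records above, and its constant tables cover only the calls seen on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: API lines copied from the function records above.
SAMPLE = """
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100045A0
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 100045F3
• CloseHandle.KERNEL32 ref: 10005700
• WSAStartup.WS2_32(00000202,?), ref: 10006B48
  • Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?), ref: 10003EDA
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10006B87
• Sleep.KERNEL32(00002710), ref: 10006B99
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,1000CABA,?,?,?,76789DE0), ref: 1000BC18
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000), ref: 1000BC72
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,1000CABA,?,?,?,76789DE0,?,1000CB9E,?,?,00000003), ref: 1000BC8F
• GlobalAlloc.KERNEL32(00000040,00000001), ref: 100058C7
"""

CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Real argument counts; values printed beyond them are stack residue.
ARITY = {"CreateFileA": 7, "CreateFileMappingA": 6, "MapViewOfFile": 5,
         "SetFilePointer": 4, "WaitForSingleObject": 2, "Sleep": 1, "WSAStartup": 2,
         "GlobalAlloc": 2, "ReadProcessMemory": 5, "ReadFile": 5, "WriteFile": 5,
         "CreateMutexA": 3, "CreateThread": 6, "CloseHandle": 1, "GetFileSize": 2}
# (api, zero-based argument index) -> exact-value names
ENUMS = {
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("CreateFileMappingA", 0): {0xFFFFFFFF: "INVALID_HANDLE_VALUE"},
    ("CreateFileMappingA", 2): {2: "PAGE_READONLY", 4: "PAGE_READWRITE",
                                0x40: "PAGE_EXECUTE_READWRITE"},
    ("WaitForSingleObject", 1): {0xFFFFFFFF: "INFINITE"},
    ("WSAStartup", 0): {0x0202: "MAKEWORD(2,2)"},
    ("SetFilePointer", 3): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
}
# (api, argument index) -> bit masks, decoded largest mask first
BITFLAGS = {
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                         0x20000000: "GENERIC_EXECUTE"},
    ("CreateFileA", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
                         0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"},
    ("MapViewOfFile", 1): {0xF001F: "FILE_MAP_ALL_ACCESS", 0x20: "FILE_MAP_EXECUTE",
                           4: "FILE_MAP_READ", 2: "FILE_MAP_WRITE", 1: "FILE_MAP_COPY"},
    ("GlobalAlloc", 0): {0x42: "GHND", 0x40: "GPTR", 0x02: "GMEM_MOVEABLE"},
}


@dataclass
class Call:
    api: str
    module: str
    args: list      # int, None for '?', or a literal the plugin resolved
    ref: str
    subcall: str = ""


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)
    return tok


def parse_calls(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = [_parse_arg(a) for a in raw.split(",")] if raw else []
            calls.append(Call(m.group("api"), m.group("mod"), args,
                              m.group("ref").upper(), m.group("sub") or ""))
    return calls


def _bits(value: int, table: dict) -> str:
    names, rest = [], value
    for mask in sorted(table, reverse=True):
        if (rest & mask) == mask:
            names.append(table[mask])
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return "|".join(names)


def describe_arg(api: str, idx: int, v) -> str:
    if v is None:
        return "?"
    if not isinstance(v, int):
        return repr(v)
    enum = ENUMS.get((api, idx))
    if enum:
        if v in enum:
            return enum[v]
        if v == 0xFF and 0xFFFFFFFF in enum:
            # 'push -1' assembles to 6A FF and the listing shows the imm8, so FF
            # where -1 is expected almost certainly means -1. Verify in IDA.
            return f"{enum[0xFFFFFFFF]} (probable: printed as FF)"
    flags = BITFLAGS.get((api, idx))
    if flags and v:
        return _bits(v, flags)
    if api == "Sleep" and idx == 0:
        return f"{v} ms"
    return hex(v)


def annotate(call: Call) -> str:
    args = call.args[:ARITY.get(call.api, len(call.args))]
    body = ", ".join(describe_arg(call.api, i, a) for i, a in enumerate(args))
    return f"{call.api}({body}) @ {call.ref}"


if __name__ == "__main__":
    for c in parse_calls(SAMPLE):
        print(annotate(c))
```

Extend ARITY, ENUMS and BITFLAGS as further calls come up; an API missing from ARITY is printed with every value the plugin listed, so residue stays visible rather than being silently dropped.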
                                                                        APIs
                                                                        • #825.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD20
                                                                        • #823.MFC42(?,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000,?,1000C81A), ref: 1000BD32
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD45
                                                                        • memcpy.MSVCRT(?,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?,?,00000000), ref: 1000BD91
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,00004000,1000C388,?,00000000,?,00004000,00000008,?), ref: 1000BDB0
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: memcpy$#823#825FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3892973715-0
                                                                        • Opcode ID: 9483cfc177f2eea3f362af61a9b441a9c3cf23005946e804f02d0662f11cc69a
                                                                        • Instruction ID: eade77e95de1ab09ce47e5abe9d45642cf2deb7cfcad3d271b4ca3a4ff9751d3
                                                                        • Opcode Fuzzy Hash: 9483cfc177f2eea3f362af61a9b441a9c3cf23005946e804f02d0662f11cc69a
                                                                        • Instruction Fuzzy Hash: 0921BF79605B44AFE760CF54C995E57BBF8FF84780B50092FE48687A19EA30F844CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 10007D44
                                                                        • SafeArrayGetVartype.OLEAUT32(?,?), ref: 10007D65
                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 10007D76
                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 10007DCA
                                                                          • Part of subcall function 100050A1: _EH_prolog.MSVCRT ref: 100050A6
                                                                          • Part of subcall function 100050A1: #823.MFC42(0000000C,00000000,?,10004DA2,?), ref: 100050B1
                                                                          • Part of subcall function 1000762A: _EH_prolog.MSVCRT ref: 1000762F
                                                                          • Part of subcall function 1000762A: #823.MFC42(0000000C,?,00000000,?,100078F1,?,?,SELECT * FROM ,?,?,?,00080000), ref: 1000763B
                                                                          • Part of subcall function 1000515C: InterlockedDecrement.KERNEL32(?), ref: 10005164
                                                                          • Part of subcall function 1000515C: #825.MFC42(?), ref: 1000517A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 10007DE0
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ArrayH_prologSafe$#823DataInterlocked$#825AccessDecrementIncrementUnaccessVartype
                                                                        • String ID:
                                                                        • API String ID: 1452789435-0
                                                                        • Opcode ID: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction ID: ea9047e10af159b7580fc06cd53243e613a27a56fa66aaec08421a04c4a394ba
                                                                        • Opcode Fuzzy Hash: 07bed2e9eb0ed650c18ff8cc5c52a745ba276cb929426fdf1efd64fd7c24305d
                                                                        • Instruction Fuzzy Hash: 11214875D0015A9BDB00DF98C9858BEFBB8FF44381F50402EE919A3285D738AE45CBA2
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 100067C6
                                                                        • memset.MSVCRT ref: 100067ED
                                                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 10006805
                                                                        • memcpy.MSVCRT(?,?,?), ref: 10006820
                                                                        • CloseHandle.KERNEL32(?), ref: 10006832
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandleReadmemcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3052882905-0
                                                                        • Opcode ID: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction ID: 5372e76102180c80e4120fc22f7e4cb3026b0456e1d7771b076241391e3a1f27
                                                                        • Opcode Fuzzy Hash: dfe01d5a5c6f85184db293e61dc3fa2f346b240bb907ae12b0224ae7cd234476
                                                                        • Instruction Fuzzy Hash: 2F115E7290015DBFEB11CF58CC81FCA77ADEB08395F208461FB59E6144D671AF948B64
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: strlen$malloctolowertoupper
                                                                        • String ID:
                                                                        • API String ID: 1610385915-0
                                                                        • Opcode ID: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction ID: c0d6b828c61c7d5c2e34b190325b5f457e34af4db0ec980d6b37c81afeaef70f
                                                                        • Opcode Fuzzy Hash: 2038c462606458c51d0fca274a0a21f531b3a7395797f5ddf2286218d9046017
                                                                        • Instruction Fuzzy Hash: CA019675840558EAFB12DB58DC45FFD7BBAEB092C0F600091E885D621AC735AF029795
                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 1000D146
                                                                        • #823.MFC42(00000002,?,?,?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D150
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000002,00000000,00000000,?,?,?,00000000,10005199,?,75C03D70,10004FB4), ref: 1000D172
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D182
                                                                        • GetLastError.KERNEL32(?,?,00000000,10005199,?,75C03D70,10004FB4,?), ref: 1000D188
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$#823ByteCharMultiWidewcslen
                                                                        • String ID:
                                                                        • API String ID: 902154227-0
                                                                        • Opcode ID: 8fcfbf944bd75e8ca63ebcbc40b67b334ae05222430b33155ef7a1d018156ff2
                                                                        • Instruction ID: 6bb69d995878b1488902086bddc70bddf1cd9bd550ac255682a075b1bb48b8d2
                                                                        • Opcode Fuzzy Hash: 8fcfbf944bd75e8ca63ebcbc40b67b334ae05222430b33155ef7a1d018156ff2
                                                                        • Instruction Fuzzy Hash: E8F0F67624415A7DF220F7754C84EAFBB9CDB813F8722463BF554E6049DD15EC0081B1
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,?,1000510C,10005078), ref: 1000D0D0
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,1000510C,10005078), ref: 1000D0F7
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D107
                                                                        • GetLastError.KERNEL32(?,00000001,?,1000510C,10005078), ref: 1000D10D
                                                                        • SysAllocString.OLEAUT32 ref: 1000D124
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
                                                                        • String ID:
                                                                        • API String ID: 4196186757-0
                                                                        • Opcode ID: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction ID: 2c08bb26518ab0f280075e55d60ce098becb15f14d51ddb0b8ccd9ff930e194d
                                                                        • Opcode Fuzzy Hash: 22c05752086d4cb219108d88f1dfe203e00642d1e2fd2f73ec18c721cf414485
                                                                        • Instruction Fuzzy Hash: C301F93250011AB6F720AB30CC45B9E3FA8EF013E1F104032F914D6098EB74A96186B5
                                                                        APIs
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 10006201
                                                                        Strings
                                                                        • TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1 (base64; decodes to the hard-coded User-Agent "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"), xrefs: 100061D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: FormatInternetOpenTime___crt
                                                                        • String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
                                                                        • API String ID: 483802873-1756078650
                                                                        • Opcode ID: 285ead89953b67e2f9ef198d0df487b3dccbd9a20955d6e9e0ce310b6f5314bf
                                                                        • Instruction ID: ab7613da0529a9e7ad045271e1496bf6998c2837bea1459af3b68005a9a4b910
                                                                        • Opcode Fuzzy Hash: 285ead89953b67e2f9ef198d0df487b3dccbd9a20955d6e9e0ce310b6f5314bf
                                                                        • Instruction Fuzzy Hash: 3D21C275D0014DBAEF21DB65DC89D9F7BBEDB852D0F20807AF608A6045EA31AA818660
                                                                        APIs
                                                                          • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167D0), ref: 10003F76
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                        • String ID: %s\lang.ini$http://$search
                                                                        • API String ID: 1721638100-482061809
                                                                        • Opcode ID: 4f55ebd7538e01380f92eaf68533f816d87fc1a3a0b2a3390822ea77045be476
                                                                        • Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
                                                                        • Opcode Fuzzy Hash: 4f55ebd7538e01380f92eaf68533f816d87fc1a3a0b2a3390822ea77045be476
                                                                        • Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60
                                                                        APIs
                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,cmd.exe,10004399,?), ref: 10004326
                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,cmd.exe,10004399,?), ref: 10004338
                                                                        • CloseHandle.KERNEL32(00000000,?,cmd.exe,10004399,?), ref: 10004346
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Process$CloseHandleOpenTerminate
                                                                        • String ID: cmd.exe
                                                                        • API String ID: 2026632969-723907552
                                                                        • Opcode ID: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction ID: f86e1008737f822a82b35af81a2ba7d261664a8727063637e60ae571ff64eda0
                                                                        • Opcode Fuzzy Hash: f8b9721063e2d7580c845c145d68e59383119d966c19cd45f783a3aac7c7f332
                                                                        • Instruction Fuzzy Hash: 91E08C327041B0BBE2715B376C4CE8B2EA8EFC97E27020524F525E2148DA604982C0B5
                                                                        APIs
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,1000473F,?,00000000,1000C494,?,?,?,?), ref: 1000BF78
                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 1000BFA8
                                                                        • GetLocalTime.KERNEL32(?), ref: 1000BFD6
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 1000BFE4
                                                                          • Part of subcall function 1000B9EF: GetFileInformationByHandle.KERNEL32(?,?,000000FF), ref: 1000B9FE
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                        • String ID:
                                                                        • API String ID: 3986731826-0
                                                                        • Opcode ID: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction ID: a661c7283e1e9e859b50db88ed376cc691573cb3dc5a3d1bc11cebbdbb99f212
                                                                        • Opcode Fuzzy Hash: 6da4a9c2d018e1766c22baa783e3e227b21529168b716f5ef6a4de00297fd1ab
                                                                        • Instruction Fuzzy Hash: 2E310AB5900B49EFE721CF69C88099BBBF9FF08394B10492EE596D2660D774E944CB60
                                                                        APIs
                                                                        • _EH_prolog.MSVCRT ref: 1000CA79
                                                                        • #823.MFC42(00004086,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CA85
                                                                        • #825.MFC42(00000000,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CACF
                                                                          • Part of subcall function 1000CAF7: strlen.MSVCRT ref: 1000CB33
                                                                          • Part of subcall function 1000CAF7: #823.MFC42(00000001,?,00000001,76789DE0,1000CAA0,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?), ref: 1000CB3A
                                                                          • Part of subcall function 1000CAF7: strcpy.MSVCRT(00000000,?,00000001,?,00000001,76789DE0,1000CAA0,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6), ref: 1000CB43
                                                                        • #823.MFC42(00000008,?,?,?,76789DE0,?,1000CB9E,?,?,00000003,?,100047D6,?,?,123), ref: 1000CADB
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: #823$#825H_prologstrcpystrlen
                                                                        • String ID:
                                                                        • API String ID: 958000321-0
                                                                        • Opcode ID: d68c586b0ef76905bb92551b34fee602402322c66fcd8ba141cf85a2aa6e9245
                                                                        • Instruction ID: 4daa850a962544825f29420b50c2e7fca5cf2665263421bc6ff588bbe2bec9b2
                                                                        • Opcode Fuzzy Hash: d68c586b0ef76905bb92551b34fee602402322c66fcd8ba141cf85a2aa6e9245
                                                                        • Instruction Fuzzy Hash: BE01D43160031CAFFB15DF64C906F5E3AA0EF443E4F01412DF40AA71D4CB709800D692
                                                                        APIs
                                                                          • Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(?,10005C92,?,?,%s\lang.ini,100167D0), ref: 10003F76
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
                                                                        • String ID: %s\lang.ini$http://
                                                                        • API String ID: 1721638100-679094439
                                                                        • Opcode ID: c856a97939651e49d90e4edb29315b17c6344d594ceeb1ef05cfab926841b6fd
                                                                        • Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
                                                                        • Opcode Fuzzy Hash: c856a97939651e49d90e4edb29315b17c6344d594ceeb1ef05cfab926841b6fd
                                                                        • Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660
                                                                        APIs
                                                                          • Part of subcall function 10003F0A: InternetOpenA.WININET(?,?,?,?,?), ref: 10003F1C
                                                                        • ___crtGetTimeFormatEx.LIBCMT ref: 1000616C
                                                                          • Part of subcall function 10003F24: InternetOpenUrlA.WININET(?,?,?,?,?,?), ref: 10003F39
                                                                        • memset.MSVCRT ref: 10006187
                                                                          • Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51
                                                                          • Part of subcall function 10003F58: InternetCloseHandle.WININET(00000000), ref: 10003F5C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: Internet$Open$CloseFileFormatHandleReadTime___crtmemset
                                                                        • String ID: http
                                                                        • API String ID: 1631465489-2541227442
                                                                        • Opcode ID: 7876b14777ea6601040d5705dedfb783ef26cb49a54b5a0319494ff4d4d3ca0e
                                                                        • Instruction ID: e803b75fad12bc2b196d73d519180cebb6b4d95abcf79e6c0b0238ba5ed24b07
                                                                        • Opcode Fuzzy Hash: 7876b14777ea6601040d5705dedfb783ef26cb49a54b5a0319494ff4d4d3ca0e
                                                                        • Instruction Fuzzy Hash: 2A01B1B690029D7EFB23D6A8DCC2EFF72ADCB0C2D4F0000B5F708A6145DAA56E8145B5
                                                                        APIs
                                                                        • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4
                                                                          • Part of subcall function 10004015: CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 1000402D
                                                                        • strlen.MSVCRT ref: 10005FEF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000010.00000002.3305846355.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                        • Associated: 00000010.00000002.3305729438.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3305964225.000000001000E000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306067719.0000000010012000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306146047.000000001001B000.00000020.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306258961.0000000010031000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306377096.000000001004E000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306460227.000000001004F000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306576468.0000000010054000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306653491.0000000010055000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306721418.0000000010056000.00000040.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306828611.0000000010057000.00000080.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000010.00000002.3306960239.0000000010058000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd
                                                                        Similarity
                                                                        • API ID: CreateTimer$Concurrency::details::platform::__FileQueuestrlen
                                                                        • String ID: %s\lang.ini
                                                                        • API String ID: 3442345488-1858510373
                                                                        • Opcode ID: 37c25204e2ce4c684cc2f7e4c8449ce8e590c90d8ebf649cc1631dd5d50def24
                                                                        • Instruction ID: fdba07edcaf4c5d9f8880ce60f62221f71be709bcd2a0296a9a45e1c288e65da
                                                                        • Opcode Fuzzy Hash: 37c25204e2ce4c684cc2f7e4c8449ce8e590c90d8ebf649cc1631dd5d50def24
                                                                        • Instruction Fuzzy Hash: A5F0F6768011187AE621D6659C0BFEF3E6CDF857E0F104121FA48E90C5EB75AAC196E1