Edit tour

Windows Analysis Report
sqx.dll.dll

Overview

General Information

Sample name:	sqx.dll.dll renamed because original name is a hash value
Original sample name:	sqx.dll.exe
Analysis ID:	1558851
MD5:	dd862590d9e4ea1791df147912ae4c8f
SHA1:	852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256:	14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
Tags:	exeuser-pr0xylife
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Potentially Suspicious Malware Callback Communication

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6368 cmdline: loaddll64.exe "C:\Users\user\Desktop\sqx.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5480 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 3980 cmdline: rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 280 cmdline: rundll32.exe C:\Users\user\Desktop\sqx.dll.dll,GetDbInterface MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3288 cmdline: rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",GetDbInterface MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 94.232.40.38, DestinationIsIpv6: false, DestinationPort: 4438, EventID: 3, Image: C:\Windows\System32\rundll32.exe, Initiated: true, ProcessId: 3980, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: sqx.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: edb.pdb source: rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, sqx.dll.dll
Source:	Binary string: edb.pdbH source: rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, sqx.dll.dll

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.38 4438			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 46.249.49.83 4438			Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 94.232.40.38:4438
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 46.249.49.83:4438

Source: Joe Sandbox View	ASN Name: WELLWEBNL WELLWEBNL
Source: Joe Sandbox View	ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: uayyau.com
Source: global traffic	DNS traffic detected: DNS query: guaaug.com
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: rundll32.exe, 00000003.00000003.3356345540.0000026AEB226000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB220000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795311394.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99927000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000003.00000003.3356345540.0000026AEB226000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB220000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795311394.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99927000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: rundll32.exe, 00000003.00000003.3356329446.0000026AEB25D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99926000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000003.00000003.3356329446.0000026AEB25D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99926000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com/
Source: rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com/6
Source: rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com/r
Source: rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/
Source: rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/almaz.php
Source: rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/almaz.php6
Source: rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/riseCertificates
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/topaz.php
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/topaz.php.
Source: rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/topaz.phpile.Y
Source: rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://guaaug.com:4438/topaz.phpt
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2033321626.00000215495A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com/
Source: rundll32.exe, 00000005.00000003.3388057962.0000019B99928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com/ol
Source: rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com/u
Source: rundll32.exe, 00000004.00000003.2033321626.00000215495A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B99922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/
Source: rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/1
Source: rundll32.exe, 00000003.00000003.3356345540.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3356290079.0000026AEB255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/almaz.php
Source: rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/almaz.phpA
Source: rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/almaz.phpX4
Source: rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/almaz.phpt4
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/topaz.php
Source: rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/topaz.phpho
Source: rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/topaz.phpy
Source: rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uayyau.com:4438/topaz.phpys.winy

Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000026AECD5D31D NtProtectVirtualMemory,	3_3_0000026AECD5D31D
Source: C:\Windows\System32\rundll32.exe	Code function: 3_3_0000026AECD5D2AD NtAllocateVirtualMemory,	3_3_0000026AECD5D2AD
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01407924 NtAllocateVirtualMemory,	3_2_00007FFE01407924
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD951C0 NtReadVirtualMemory,	3_2_0000026AECD951C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD671B0 NtClose,	3_2_0000026AECD671B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD78149 NtSetContextThread,	3_2_0000026AECD78149
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD77A50 NtSetContextThread,	3_2_0000026AECD77A50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD94BE0 NtProtectVirtualMemory,	3_2_0000026AECD94BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD7F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	3_2_0000026AECD7F3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD94360 NtCreateThreadEx,	3_2_0000026AECD94360
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD945F0 NtDuplicateObject,	3_2_0000026AECD945F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD755C0 NtClose,NtTerminateThread,	3_2_0000026AECD755C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD94FF0 NtQueueApcThread,	3_2_0000026AECD94FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD94740 NtFreeVirtualMemory,	3_2_0000026AECD94740
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000215497FD31D NtProtectVirtualMemory,	4_3_00000215497FD31D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000215497FD2AD NtAllocateVirtualMemory,	4_3_00000215497FD2AD
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549818149 NtSetContextThread,	4_2_0000021549818149
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154981F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	4_2_000002154981F3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549834BE0 NtProtectVirtualMemory,	4_2_0000021549834BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549834FF0 NtQueueApcThread,	4_2_0000021549834FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549834740 NtFreeVirtualMemory,	4_2_0000021549834740
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549834360 NtCreateThreadEx,	4_2_0000021549834360
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549817A50 NtSetContextThread,	4_2_0000021549817A50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498351C0 NtReadVirtualMemory,	4_2_00000215498351C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498155C0 NtClose,NtTerminateThread,	4_2_00000215498155C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498345F0 NtDuplicateObject,	4_2_00000215498345F0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000019B998BD31D NtProtectVirtualMemory,	5_3_0000019B998BD31D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000019B998BD2AD NtAllocateVirtualMemory,	5_3_0000019B998BD2AD

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01343150	3_2_00007FFE01343150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013F6150	3_2_00007FFE013F6150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E7170	3_2_00007FFE013E7170
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B2200	3_2_00007FFE013B2200
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013C6210	3_2_00007FFE013C6210
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0139B1F0	3_2_00007FFE0139B1F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01353110	3_2_00007FFE01353110
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E8390	3_2_00007FFE013E8390
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013DE340	3_2_00007FFE013DE340
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0139F420	3_2_00007FFE0139F420
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01366280	3_2_00007FFE01366280
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013482B0	3_2_00007FFE013482B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0138E260	3_2_00007FFE0138E260
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0134D310	3_2_00007FFE0134D310
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0135F330	3_2_00007FFE0135F330
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013922C7	3_2_00007FFE013922C7
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013782C8	3_2_00007FFE013782C8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013DD2F0	3_2_00007FFE013DD2F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A0580	3_2_00007FFE013A0580
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01368590	3_2_00007FFE01368590
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B3570	3_2_00007FFE013B3570
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A1570	3_2_00007FFE013A1570
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013635C0	3_2_00007FFE013635C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01388480	3_2_00007FFE01388480
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01361490	3_2_00007FFE01361490
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A74A0	3_2_00007FFE013A74A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01332440	3_2_00007FFE01332440
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0136F4E0	3_2_00007FFE0136F4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0137C790	3_2_00007FFE0137C790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013367A0	3_2_00007FFE013367A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013BA7B0	3_2_00007FFE013BA7B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01332800	3_2_00007FFE01332800
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B2820	3_2_00007FFE013B2820
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01345680	3_2_00007FFE01345680
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013D4690	3_2_00007FFE013D4690
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0134E6A0	3_2_00007FFE0134E6A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0139B6B0	3_2_00007FFE0139B6B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0136A640	3_2_00007FFE0136A640
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A5650	3_2_00007FFE013A5650
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013C5710	3_2_00007FFE013C5710
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0133C990	3_2_00007FFE0133C990
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013FB95C	3_2_00007FFE013FB95C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013D7950	3_2_00007FFE013D7950
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01346A20	3_2_00007FFE01346A20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013CCA30	3_2_00007FFE013CCA30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A98A0	3_2_00007FFE013A98A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0138B8A0	3_2_00007FFE0138B8A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B1857	3_2_00007FFE013B1857
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013CD850	3_2_00007FFE013CD850
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013EF860	3_2_00007FFE013EF860
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E4900	3_2_00007FFE013E4900
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013378D0	3_2_00007FFE013378D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01387B80	3_2_00007FFE01387B80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E2B40	3_2_00007FFE013E2B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B0C30	3_2_00007FFE013B0C30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0139DA70	3_2_00007FFE0139DA70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0134CB20	3_2_00007FFE0134CB20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013C9AD0	3_2_00007FFE013C9AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0139CD90	3_2_00007FFE0139CD90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01385DB0	3_2_00007FFE01385DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013D4DB0	3_2_00007FFE013D4DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013B5E20	3_2_00007FFE013B5E20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013AFE30	3_2_00007FFE013AFE30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01340DD0	3_2_00007FFE01340DD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01388DD0	3_2_00007FFE01388DD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E5C40	3_2_00007FFE013E5C40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01351C60	3_2_00007FFE01351C60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01377C7A	3_2_00007FFE01377C7A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E7F70	3_2_00007FFE013E7F70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013E1000	3_2_00007FFE013E1000
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE0136AEB0	3_2_00007FFE0136AEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013A1F10	3_2_00007FFE013A1F10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE01339F20	3_2_00007FFE01339F20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD755C0	3_2_0000026AECD755C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD87220	3_2_0000026AECD87220
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD90210	3_2_0000026AECD90210
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD699D0	3_2_0000026AECD699D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD742A0	3_2_0000026AECD742A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD882A0	3_2_0000026AECD882A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD8FBC0	3_2_0000026AECD8FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD82BB0	3_2_0000026AECD82BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD7CBE0	3_2_0000026AECD7CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD813A3	3_2_0000026AECD813A3
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD69500	3_2_0000026AECD69500
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD7B4E0	3_2_0000026AECD7B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD91490	3_2_0000026AECD91490
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD74DB0	3_2_0000026AECD74DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD855E0	3_2_0000026AECD855E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD8B5E0	3_2_0000026AECD8B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD65D60	3_2_0000026AECD65D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD84550	3_2_0000026AECD84550
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD666C0	3_2_0000026AECD666C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD866E0	3_2_0000026AECD866E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD7BED0	3_2_0000026AECD7BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD716A0	3_2_0000026AECD716A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD92812	3_2_0000026AECD92812
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD91F40	3_2_0000026AECD91F40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD6A730	3_2_0000026AECD6A730
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD92F60	3_2_0000026AECD92F60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD7A100	3_2_0000026AECD7A100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000026AECD79120	3_2_0000026AECD79120
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498155C0	4_2_00000215498155C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154981A100	4_2_000002154981A100
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549809500	4_2_0000021549809500
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549819120	4_2_0000021549819120
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549824550	4_2_0000021549824550
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549805D60	4_2_0000021549805D60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549831490	4_2_0000021549831490
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154981B4E0	4_2_000002154981B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549832812	4_2_0000021549832812
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498213A3	4_2_00000215498213A3
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549822BB0	4_2_0000021549822BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154982FBC0	4_2_000002154982FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154981CBE0	4_2_000002154981CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154980A730	4_2_000002154980A730
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549831F40	4_2_0000021549831F40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549832F60	4_2_0000021549832F60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498282A0	4_2_00000215498282A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498116A0	4_2_00000215498116A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498142A0	4_2_00000215498142A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498066C0	4_2_00000215498066C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154981BED0	4_2_000002154981BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498266E0	4_2_00000215498266E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549830210	4_2_0000021549830210
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549827220	4_2_0000021549827220
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000021549814DB0	4_2_0000021549814DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498099D0	4_2_00000215498099D0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002154982B5E0	4_2_000002154982B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000215498255E0	4_2_00000215498255E0

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFE0137EA80 appears 127 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFE013599C0 appears 40 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFE01360740 appears 167 times

Source: sqx.dll.dll

Binary or memory string: OriginalFilenameedb.dll< vs sqx.dll.dll

Source: sqx.dll.dll

Static PE information: Section: .rsrc ZLIB complexity 0.9957094637423936

Source: classification engine

Classification label: mal64.evad.winDLL@10/0@5/2

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000026AECD7F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,

3_2_0000026AECD7F3A0

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03

Source: sqx.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sqx.dll.dll,GetDbInterface

Source: rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\sqx.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sqx.dll.dll,GetDbInterface
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",GetDbInterface
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sqx.dll.dll,GetDbInterface	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",GetDbInterface	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: sqx.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: sqx.dll.dll

Static file information: File size 1330688 > 1048576

Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sqx.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sqx.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: sqx.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: edb.pdb source: rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, sqx.dll.dll
Source:	Binary string: edb.pdbH source: rundll32.exe, 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.3548941510.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3548914792.00007FFE01408000.00000002.00000001.01000000.00000003.sdmp, sqx.dll.dll

Source: sqx.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sqx.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sqx.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sqx.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sqx.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE013F0290 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00007FFE013F0290

Source: sqx.dll.dll

Static PE information: real checksum: 0x11271d should be: 0x14702c

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE013A3B5F push D8E80007h; retf

3_2_00007FFE013A3B65

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,		3_2_0000026AECD84D00
Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,		4_2_0000021549824D00

Source: C:\Windows\System32\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-81795

Source: C:\Windows\System32\rundll32.exe

API coverage: 9.1 %

Source: C:\Windows\System32\loaddll64.exe TID: 6324

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3356345540.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2033321626.00000215495CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795311394.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.3547931750.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3356345540.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000026AECD6CCE0 LdrGetProcedureAddress,

3_2_0000026AECD6CCE0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE013F12C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00007FFE013F12C0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE013F0290 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00007FFE013F0290

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013F12C0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFE013F12C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013F0568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFE013F0568
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE013F6EC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFE013F6EC8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.38 4438			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 46.249.49.83 4438			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3980	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3980	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 280	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 280	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3980	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 3980	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 3980 1

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_00007FFE014022E0
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFE01402648
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFE01402718
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFE013FA9A8
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00007FFE01402B58
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	3_2_00007FFE013FAD3C
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFE01402D3C

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE013310B0 GetSystemTimeAsFileTime,

3_2_00007FFE013310B0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000026AECD84D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

3_2_0000026AECD84D00

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sqx.dll.dll	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://guaaug.com:4438/riseCertificates	0%	Avira URL Cloud	safe
https://uayyau.com:4438/1	0%	Avira URL Cloud	safe
https://uayyau.com:4438/almaz.php	0%	Avira URL Cloud	safe
https://uayyau.com/ol	0%	Avira URL Cloud	safe
https://guaaug.com:4438/almaz.php6	0%	Avira URL Cloud	safe
https://uayyau.com:4438/almaz.phpX4	0%	Avira URL Cloud	safe
https://uayyau.com/u	0%	Avira URL Cloud	safe
https://uayyau.com:4438/topaz.phpho	0%	Avira URL Cloud	safe
https://guaaug.com:4438/topaz.php	0%	Avira URL Cloud	safe
https://uayyau.com:4438/topaz.phpys.winy	0%	Avira URL Cloud	safe
https://uayyau.com:4438/topaz.phpy	0%	Avira URL Cloud	safe
https://guaaug.com/	0%	Avira URL Cloud	safe
https://guaaug.com:4438/topaz.php.	0%	Avira URL Cloud	safe
https://guaaug.com/r	0%	Avira URL Cloud	safe
https://guaaug.com:4438/topaz.phpt	0%	Avira URL Cloud	safe
https://guaaug.com:4438/	0%	Avira URL Cloud	safe
https://guaaug.com:4438/topaz.phpile.Y	0%	Avira URL Cloud	safe
https://guaaug.com:4438/almaz.php	0%	Avira URL Cloud	safe
https://uayyau.com:4438/topaz.php	0%	Avira URL Cloud	safe
https://uayyau.com:4438/almaz.phpt4	0%	Avira URL Cloud	safe
https://uayyau.com:4438/	0%	Avira URL Cloud	safe
https://guaaug.com/6	0%	Avira URL Cloud	safe
https://uayyau.com/	0%	Avira URL Cloud	safe
https://uayyau.com:4438/almaz.phpA	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
guaaug.com	46.249.49.83	true	true	unknown
uayyau.com	94.232.40.38	true	true	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://uayyau.com:4438/topaz.phpho	rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/almaz.phpX4	rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/topaz.phpys.winy	rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/topaz.php	rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com/u	rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	rundll32.exe, 00000003.00000003.3356345540.0000026AEB226000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB220000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795311394.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99927000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uayyau.com:4438/1	rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/almaz.php	rundll32.exe, 00000003.00000003.3356345540.0000026AEB231000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.3356290079.0000026AEB255000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com/ol	rundll32.exe, 00000005.00000003.3388057962.0000019B99928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/almaz.php6	rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/riseCertificates	rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/topaz.phpy	rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	rundll32.exe, 00000003.00000003.3356329446.0000026AEB25D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99926000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rundll32.exe, 00000003.00000003.3356329446.0000026AEB25D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99926000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	false		high
https://guaaug.com:4438/topaz.phpt	rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/topaz.php.	rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com/r	rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com/	rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/	rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/topaz.php	rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2033321626.0000021549586000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/topaz.phpile.Y	rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/almaz.phpt4	rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://guaaug.com:4438/almaz.php	rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/	rundll32.exe, 00000004.00000003.2033321626.00000215495A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B99922000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com:4438/almaz.phpA	rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.i.lencr.org/0	rundll32.exe, 00000003.00000003.3356345540.0000026AEB226000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB220000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB254000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.0000021549548000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2896272792.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795311394.0000019B9994F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132908868.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548460425.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795202518.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548128726.0000019B998E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2795222053.0000019B99927000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2132981768.0000019B99962000.00000004.00000020.00020000.00000000.sdmp	false		high
https://guaaug.com/6	rundll32.exe, 00000004.00000002.3548009227.00000215495DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uayyau.com/	rundll32.exe, 00000003.00000002.3547931750.0000026AEB1C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.3548009227.000002154959E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2033321626.00000215495A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3548487916.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3387995089.0000019B99968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3388057962.0000019B99928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.232.40.38	uayyau.com	Russian Federation		44477	WELLWEBNL	true
46.249.49.83	guaaug.com	Netherlands		50673	SERVERIUS-ASNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558851
Start date and time:	2024-11-19 21:33:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sqx.dll.dll renamed because original name is a hash value
Original Sample Name:	sqx.dll.exe
Detection:	MAL
Classification:	mal64.evad.winDLL@10/0@5/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 23 Number of non-executed functions: 114
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 3288 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: sqx.dll.dll

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.232.40.38	merd.msi	Get hash	malicious	Unknown	Browse
46.249.49.83	merd.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
guaaug.com	merd.msi	Get hash	malicious	Unknown	Browse	46.249.49.83
uayyau.com	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WELLWEBNL	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse	94.232.43.213
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	94.232.45.36
	JeZHGKJvrB.exe	Get hash	malicious	Unknown	Browse	94.232.44.144
	hFoVk4DJXG.exe	Get hash	malicious	Unknown	Browse	94.232.44.144
	JbZaDxFXF3.exe	Get hash	malicious	NetSupport RAT	Browse	94.232.42.28
	file.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	94.232.45.38
SERVERIUS-ASNL	merd.msi	Get hash	malicious	Unknown	Browse	46.249.49.83
	https://www.packs.nl/tracktrace/?zendingnr=UT1301675937&pc6hnr=4813XC	Get hash	malicious	Phisher	Browse	195.238.75.6
	pitU5Y4aKy.js	Get hash	malicious	Unknown	Browse	188.119.112.115
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	185.79.113.7
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	178.19.118.180
	https://www.filemail.com/t/cFCAI9C4	Get hash	malicious	HtmlDropper	Browse	178.21.23.182
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	91.210.175.3
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	91.210.175.3
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	46.249.49.17

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.910483690960765
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	sqx.dll.dll
File size:	1'330'688 bytes
MD5:	dd862590d9e4ea1791df147912ae4c8f
SHA1:	852d7a9ea4db5ff4cd51a92447a8d5701cfb322b
SHA256:	14ffcbbfb305287ea15264df3363567f36a26917ae2018af0f40e2009b8a7184
SHA512:	3e9222d8bd91d3e53f5e378318a78a7c5aa12011272031f7c0d8c36c5b255db1d0a168cc02e1159eb021dd18206352dd6dcb857fefc2222937c467350dc6d568
SSDEEP:	24576:pQrDp6J8JM3IgVvF7EtPCo1Frk5fRJhqYEjTvpAbHT0HRZonw4by:pQpI8JM3IwEtPCo1F45fvhq/jTyb4HR+
TLSH:	FB55BF46F3B900BCD857C2788A675607EBB274052364DBDB4690866A6F33FE11A7E334
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...............@.......@.......@........~.......~.......~.. ...@.......................C...[...C.......C.........r.....C......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1800c0e30
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x671FB409 [Mon Oct 28 15:55:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9a0edf641145d454a005af877887e965

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F6720E8CB87h
call 00007F6720E8CBE4h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F6720E8CA20h
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F6720E8C1D7h
dec eax
lea edx, dword ptr [00039033h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F6720E8E41Ah
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F6720DCDE87h
dec eax
lea edx, dword ptr [0003911Bh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F6720E8E3FAh
int3
dec eax
mov dword ptr [esp+18h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov eax, dword ptr [0003A1BCh]
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax+3Bh], cl
ret
jne 00007F6720E8CBF6h
dec eax
and dword ptr [ebp+10h], 00000000h
dec eax
lea ecx, dword ptr [ebp+10h]
call dword ptr [00017156h]
dec eax
mov eax, dword ptr [ebp+10h]
dec eax
mov dword ptr [ebp-10h], eax
call dword ptr [00017298h]
mov eax, eax
dec eax
xor dword ptr [ebp-10h], eax
call dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfa010	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfa05c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10a000	0x3d9ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x100000	0x90c0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x107a00	0x5370
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x148000	0x10e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xee510	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xee3d0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd8000	0x2a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd6890	0xd6a00	cc0ddbedc7c30a59a1a8c7fb34340f71	False	0.5615513067850902	data	6.455181281656058	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd8000	0x22916	0x22a00	62b2e76722f0feec6815cddc086dca12	False	0.42075389214801445	data	5.596240788025772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfb000	0x4e38	0x3800	7290f63eebf151d7085a937dae9047e2	False	0.13288225446428573	data	2.1663059532354643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x100000	0x90c0	0x9200	4247303e0773d644b24c430bcd71f30e	False	0.4702482876712329	data	5.995125976590941	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x10a000	0x3d9ac	0x3da00	102a9dba4e2b1d28c4c32281255c4d0f	False	0.9957094637423936	data	7.9979650032296865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x148000	0x10e0	0x1200	5c0a3338fc3861202f586a99ba86a90b	False	0.4728732638888889	data	5.405877006582534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x10a0e8	0x3d39d	data			0.9987000610094066
RT_VERSION	0x147488	0x3a4	data	English	United States	0.47854077253218885
RT_MANIFEST	0x14782c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

GetFileSize, DeleteFileW, GetTempPathW, FlushFileBuffers, GetFileInformationByHandle, LockFileEx, UnlockFileEx, GetSystemTimeAsFileTime, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, SetFilePointer, LoadLibraryW, GetProcAddress, FreeLibrary, GetCurrentProcess, GetLocaleInfoW, GetModuleFileNameW, LoadLibraryExW, WideCharToMultiByte, MultiByteToWideChar, GetFullPathNameW, WriteConsoleW, GetConsoleMode, GetConsoleOutputCP, HeapSize, SetStdHandle, GetStringTypeW, SetEndOfFile, WriteFile, ReadFile, FindClose, FindNextFileW, FindFirstFileExW, Sleep, GetLastError, GetCurrentProcessId, GetModuleHandleW, GetTickCount, InitializeCriticalSection, SetLastError, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, GetStartupInfoW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedFlushSList, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, HeapAlloc, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetStdHandle, GetFileType, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap

Exports

Name	Ordinal	Address
GetDbInterface	1	0x1800041d0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 21:34:41.799674034 CET	49730	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.804588079 CET	4438	49730	94.232.40.38	192.168.2.4
Nov 19, 2024 21:34:41.804668903 CET	49730	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.817966938 CET	49731	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.822916031 CET	4438	49731	94.232.40.38	192.168.2.4
Nov 19, 2024 21:34:41.822989941 CET	49731	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.826225042 CET	49730	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.831083059 CET	4438	49730	94.232.40.38	192.168.2.4
Nov 19, 2024 21:34:41.874057055 CET	49731	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:34:41.878859043 CET	4438	49731	94.232.40.38	192.168.2.4
Nov 19, 2024 21:34:44.918771029 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:44.923585892 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:34:44.923674107 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:44.931293964 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:44.936137915 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:34:51.759507895 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:34:51.759533882 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:34:51.759552002 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:34:51.759612083 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:51.759612083 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:51.796564102 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:34:51.801448107 CET	4438	49732	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:13.877382040 CET	49730	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:13.939884901 CET	49731	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:23.830657959 CET	49732	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:39.938237906 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.943149090 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:35:39.943232059 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.943485022 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.949122906 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:35:39.984078884 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.989552975 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:35:39.989609003 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.989818096 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:35:39.995136976 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:35:54.904489994 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:54.909359932 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:54.909442902 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:54.911418915 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:54.917674065 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:58.005455971 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:58.005573034 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:58.005604029 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:58.005639076 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:35:58.005660057 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:58.005660057 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:58.005660057 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:58.005707026 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:58.010798931 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:35:58.015594006 CET	4438	52249	46.249.49.83	192.168.2.4
Nov 19, 2024 21:36:08.042356968 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.042424917 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.042469025 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.042476892 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.042521000 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.042521000 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.045488119 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.045532942 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.045552015 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.045578003 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.045583010 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.045624971 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.045630932 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.045675039 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.059282064 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.061731100 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:08.064532042 CET	4438	52152	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:08.066628933 CET	4438	52154	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:30.065094948 CET	52249	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:36:40.158710003 CET	52154	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:40.174515963 CET	52152	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:57.274498940 CET	52394	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:57.280174971 CET	4438	52394	94.232.40.38	192.168.2.4
Nov 19, 2024 21:36:57.280371904 CET	52394	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:57.280688047 CET	52394	4438	192.168.2.4	94.232.40.38
Nov 19, 2024 21:36:57.286942005 CET	4438	52394	94.232.40.38	192.168.2.4
Nov 19, 2024 21:37:26.354265928 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.354545116 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.359277010 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:26.359358072 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.359461069 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:26.359527111 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.359910011 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.359967947 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:26.364948034 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:26.364978075 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.610488892 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.610548973 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.610584021 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.610603094 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.610629082 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.610645056 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.612641096 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.612696886 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.612726927 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.612730980 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.612782955 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.612783909 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.615492105 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.615788937 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.620310068 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.620642900 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.789757013 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.789820910 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.793634892 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.793709040 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.798880100 CET	52396	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.803776026 CET	4438	52396	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:28.804122925 CET	52395	4438	192.168.2.4	46.249.49.83
Nov 19, 2024 21:37:28.809055090 CET	4438	52395	46.249.49.83	192.168.2.4
Nov 19, 2024 21:37:29.346527100 CET	52394	4438	192.168.2.4	94.232.40.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 21:34:41.623991013 CET	60265	53	192.168.2.4	1.1.1.1
Nov 19, 2024 21:34:41.782665014 CET	53	60265	1.1.1.1	192.168.2.4
Nov 19, 2024 21:34:44.601665020 CET	57189	53	192.168.2.4	1.1.1.1
Nov 19, 2024 21:34:44.913929939 CET	53	57189	1.1.1.1	192.168.2.4
Nov 19, 2024 21:35:10.041002035 CET	53	52259	162.159.36.2	192.168.2.4
Nov 19, 2024 21:35:10.514581919 CET	59846	53	192.168.2.4	1.1.1.1
Nov 19, 2024 21:35:10.577364922 CET	53	59846	1.1.1.1	192.168.2.4
Nov 19, 2024 21:36:57.114876986 CET	53860	53	192.168.2.4	1.1.1.1
Nov 19, 2024 21:36:57.273436069 CET	53	53860	1.1.1.1	192.168.2.4
Nov 19, 2024 21:37:26.194266081 CET	59052	53	192.168.2.4	1.1.1.1
Nov 19, 2024 21:37:26.353324890 CET	53	59052	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 21:34:41.623991013 CET	192.168.2.4	1.1.1.1	0xd806	Standard query (0)	uayyau.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:34:44.601665020 CET	192.168.2.4	1.1.1.1	0x60df	Standard query (0)	guaaug.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:35:10.514581919 CET	192.168.2.4	1.1.1.1	0xb944	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 19, 2024 21:36:57.114876986 CET	192.168.2.4	1.1.1.1	0x2d1d	Standard query (0)	uayyau.com	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:37:26.194266081 CET	192.168.2.4	1.1.1.1	0xfcc2	Standard query (0)	guaaug.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 21:34:41.782665014 CET	1.1.1.1	192.168.2.4	0xd806	No error (0)	uayyau.com		94.232.40.38	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:34:44.913929939 CET	1.1.1.1	192.168.2.4	0x60df	No error (0)	guaaug.com		46.249.49.83	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:35:10.577364922 CET	1.1.1.1	192.168.2.4	0xb944	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 19, 2024 21:36:57.273436069 CET	1.1.1.1	192.168.2.4	0x2d1d	No error (0)	uayyau.com		94.232.40.38	A (IP address)	IN (0x0001)	false
Nov 19, 2024 21:37:26.353324890 CET	1.1.1.1	192.168.2.4	0xfcc2	No error (0)	guaaug.com		46.249.49.83	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:34:37
Start date:	19/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\sqx.dll.dll"
Imagebase:	0x7ff67ede0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:34:37
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:34:37
Start date:	19/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1
Imagebase:	0x7ff7160f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:34:37
Start date:	19/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\sqx.dll.dll,GetDbInterface
Imagebase:	0x7ff7191b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:34:37
Start date:	19/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",#1
Imagebase:	0x7ff7191b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:34:40
Start date:	19/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\sqx.dll.dll",GetDbInterface
Imagebase:	0x7ff7191b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	98.6%
Signature Coverage:	30.1%
Total number of Nodes:	937
Total number of Limit Nodes:	37

Executed Functions

Function 0000026AECD84D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 0000026AECD84D92
GetComputerNameExW.KERNELBASE ref: 0000026AECD84DA7
GetComputerNameExW.KERNELBASE ref: 0000026AECD84DD6
GetTokenInformation.KERNELBASE ref: 0000026AECD84E12
GetNativeSystemInfo.KERNELBASE ref: 0000026AECD84EC4
GetAdaptersInfo.IPHLPAPI ref: 0000026AECD84FB0
GetAdaptersInfo.IPHLPAPI ref: 0000026AECD84FF5

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 6bbdf3e9da3f84258629889abaedb5d6ee25559e9894bdc264404470cb3fc362
Instruction ID: dcc7b432627d44a30627c9c1f6fcb50197aa0ee2fab4d46be22894c50c45e7ec
Opcode Fuzzy Hash: 6bbdf3e9da3f84258629889abaedb5d6ee25559e9894bdc264404470cb3fc362
Instruction Fuzzy Hash: 4FA1D835218B048FE756AB18D8A97DAB3D1FB94300F40453DA85BD3291DA7BDA45CF83

Function 0000026AECD7F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000026AECD7F406
Thread32First.KERNEL32 ref: 0000026AECD7F42B
Thread32Next.KERNEL32 ref: 0000026AECD7F602

Strings

0, xrefs: 0000026AECD7F47E

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: Thread32$CreateFirstNextSnapshotToolhelp32
String ID: 0
API String ID: 3779972765-4108050209
Opcode ID: 4c371dbba18af4bf193cfc37c22306e9a99c47be7f858c51f084a8ce5b70d07d
Instruction ID: 5b94337f051b8dfd6b47182bf92c079073a8063d9c90705bc7ba5b978820540e
Opcode Fuzzy Hash: 4c371dbba18af4bf193cfc37c22306e9a99c47be7f858c51f084a8ce5b70d07d
Instruction Fuzzy Hash: 33719F34258B488FE7A5EF28C489BAAB7D1FB88304F50097DA55ED3292DB76D4058B43

Function 0000026AECD6CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 0000026AECD6CDB2

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: e7d77673ffdfbd8efe77a3e57e5c49f7456b9d3567c7b36c9e2e918282fe5768
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: 8631D475158B188BDA64AB08DC8A7BAB7E4FB85310F50062EE487C3251E632A8458FC7

Function 0000026AECD755C0 Relevance: .9, Instructions: 926
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID:
API String ID: 490256885-0
Opcode ID: a56186ac159eb5f0596d4835abd5748ed37d1b03d675cdace16199ffc87fca4e
Instruction ID: dc8df361902ed0807066bf26b73e9203147e013c8048241739e84e19881327f8
Opcode Fuzzy Hash: a56186ac159eb5f0596d4835abd5748ed37d1b03d675cdace16199ffc87fca4e
Instruction Fuzzy Hash: E1729434118B08CFE7A5DF18D889B95B7E0FB58304F11427ED45ED72A6DB36A846CB82

Function 0000026AECD671B0 Relevance: .1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27eee718951805be4d6d661cb21cbd310f36feb23d9644bec408e17137dbdd0c
Instruction ID: dc8f7367151a8f8d0e12463c6e67e7f326ea0ecb319e7d9b701230db0e9529fb
Opcode Fuzzy Hash: 27eee718951805be4d6d661cb21cbd310f36feb23d9644bec408e17137dbdd0c
Instruction Fuzzy Hash: 1841E5741646488FF749DF28D8897AAB3E1FB48314F50066DE46BD32D2CB7A8841CB82

Function 0000026AECD94360 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: b834c325e020b8b5711ce0219a1a38fc691ea3cc76bde05f11ff75cea4c08205
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: 26414D7555CB888FE7759F08A8467EAB7E0FB89720F00492FD5D983212D776A4428BC3

Function 0000026AECD945F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction ID: bc95dd2aed9e987df94a1036f4dbfa7a663a9923b5436b7c6454ae5ba194b896
Opcode Fuzzy Hash: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction Fuzzy Hash: 9921837465D784CBE755DF0898867EAB7E4FB88721F20092FE849D3351D6769440CB83

Function 0000026AECD951C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction ID: dca108ccb84b759701d85652db08203a115f32ae1dd3902e43163655b23dc231
Opcode Fuzzy Hash: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction Fuzzy Hash: 2111E734698B488FEB54DF48988A7AA73E4E788715F40453EE88AC2250E67BD441CF83

Function 0000026AECD94BE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction ID: 3cb04b76d8c3e748d4ba906dd74b0fd0f3f388ee00b91bea1b675bf352ab85d3
Opcode Fuzzy Hash: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction Fuzzy Hash: 6111B23569CB498FEB559F48988A76973D4E748316F40442EE89AC3291E67B9880CB83

Function 0000026AECD77A50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction ID: dcc01035ea3dcd719955b2706ab6bae364c0dcba39cb193fa5fc5ed656b3ac89
Opcode Fuzzy Hash: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction Fuzzy Hash: 4B11E774158B489FFB669A18D4CA37A73C0F784324F500D2EE99ED21D1DBB755488A43

Function 0000026AECD94FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: 3e3c5eda13c79c6008494507023d5309a3d98480da63cbb8269d141379f5d46a
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: DF11943465CB45CFEB149F08988BBA977E0F748711F40052EE48AC2290E67B9440CBC3

Function 0000026AECD94740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: 9f3f7d03afdb024467ab745a60158e2f50b6dcc27002d7f1bd898a357c1e3762
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: 2C010838668B498FEB49BB1894472A533E1F788710F10492EE85AC3651E66BD8408EC3

Function 0000026AECD5D2AD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1707361803.0000026AECD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026AECD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_26aecd20000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction ID: 1afbca4f42b2bb89753405fe40139d24c2a8506383f8a335964d3991d986fcaa
Opcode Fuzzy Hash: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction Fuzzy Hash: 6FF08170618B408BE7449F1884CA63677E1FB98755F24452EE89AD7361CB3298428A43

Function 0000026AECD5D31D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1707361803.0000026AECD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026AECD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_26aecd20000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction ID: 738ee851f6fd362299989b86c2d36e28ffba969c431acca23193a31c3fd8abeb
Opcode Fuzzy Hash: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction Fuzzy Hash: 55F0B474A24F048BD704AF2C888A67573D1F7A8605F54453EA449D7361DB36E4428B43

Function 0000026AECD78149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction ID: 94cc2fe56b6b067afec797afb1053a630f983915be7ba974f615b4dc58019a5b
Opcode Fuzzy Hash: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction Fuzzy Hash: D0D0A97658DB188EE7209AA8F8873E9B3D0F780328F40483EC18DC2043E67F40468B07

Function 0000026AECD67830 Relevance: 7.8, APIs: 5, Instructions: 340
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 0000026AECD6788A
InternetConnectW.WININET ref: 0000026AECD678CB
HttpOpenRequestW.WININET ref: 0000026AECD6791F
HttpSendRequestA.WININET ref: 0000026AECD679DA
InternetCloseHandle.WININET ref: 0000026AECD67B11

Part of subcall function 0000026AECD8B4E0: RtlFreeHeap.NTDLL ref: 0000026AECD8B51D

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: Internet$HttpOpenRequest$CloseConnectFreeHandleHeapSend
String ID:
API String ID: 3224957877-0
Opcode ID: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction ID: 4436b6be1184e561bc14fd7993693352cb4f042c7229c43b85ce61259e6ef513
Opcode Fuzzy Hash: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction Fuzzy Hash: EDB1A234218A088BEB55EB28D8997AAB3D5FB98310F05057DA85BD3291DF77D841CB83

Function 0000026AECD78C60 Relevance: 3.2, APIs: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiber.KERNELBASE ref: 0000026AECD78E01
DeleteFiber.KERNELBASE ref: 0000026AECD78E1C

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: a81c3d8a98be896dd9ba18f06cc8f029549e5d5c5a40f868ab439c78b2d98936
Instruction ID: 86911c4c4923aab338f99f3b6fc3625f7c4f7dcc5fc374748b538de5b3e0d9d6
Opcode Fuzzy Hash: a81c3d8a98be896dd9ba18f06cc8f029549e5d5c5a40f868ab439c78b2d98936
Instruction Fuzzy Hash: 6E51EB35658A148FEB69AB289C8976573D1F758311F200339E8ABE31D1DB379C528BC2

Function 0000026AECD68ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNELBASE ref: 0000026AECD68F00

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: 93d5468c674251dc370b599cc521d3c8910de7035b7a934f2d3de85f49d56c75
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: E7E12475408A0D8FE751EF18E895BE6B7F4F768340F10067BE84AC2261EB799245CB86

Function 0000026AECD8B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 0000026AECD8B51D

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction ID: 98dade8dd29ecd21dff9bfc8c440e3a52cac48bedf3c323b4ef7cbf917e0b1d1
Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction Fuzzy Hash: 92F01C34350A088BFB59E7BAACD876537E6FB9C341B4480A4A416C6194EB3A9941CB02

Function 00007FFE013F0AE0 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE013F0B10

Part of subcall function 00007FFE013F0E70: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE013F0E79

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: d8ba32d3aeddf103bc5a018b16ca6ac48feccc558b7e427f7e9957ee7a58d25b
Instruction ID: c9d24e537df0f93005da9412f1592366245fc7357fbfe49f3b9ca10157feb3ba
Opcode Fuzzy Hash: d8ba32d3aeddf103bc5a018b16ca6ac48feccc558b7e427f7e9957ee7a58d25b
Instruction Fuzzy Hash: A7E0EC80E5D1CB45FF1C356A18160B540424F65771E1A1B3CF97E2D2F3AD1CE4558150

Function 00007FFE013F1100 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE013F1114

Part of subcall function 00007FFE013F286C: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFE013F2874
Part of subcall function 00007FFE013F286C: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE013F2879

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: e1844762edc638c08c617c9bf97e15cfdb26e133e3ab7bcaa5fe0919b20a78e9
Instruction ID: 2f24fbc33ab71c2f00123accdfe83ea167afe9abf34526fcc00fe6ea11dae857
Opcode Fuzzy Hash: e1844762edc638c08c617c9bf97e15cfdb26e133e3ab7bcaa5fe0919b20a78e9
Instruction Fuzzy Hash: A9E0E250E1D2C3C1FFA8366569422F94B440F21344F82147CE85D7E1F39E4E74461A62

Function 00007FFE013F9784 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FFE013FA7BA,?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013F97D9

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: e2d5b7430ce25b2c9267f187cacd0046a4a12b3df5020a07f7f07231c417547b
Instruction ID: fc507c4ee77eccf6e14f1aa6b42350d6b4370644bbc3d7217b62c89483a7a27f
Opcode Fuzzy Hash: e2d5b7430ce25b2c9267f187cacd0046a4a12b3df5020a07f7f07231c417547b
Instruction Fuzzy Hash: 6EF09044F0978345FF587FA299503B512945F84B88F5E0038DC0EAE3F2ED2CE5888320

Function 0000026AECD5CA4D Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1707361803.0000026AECD20000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000026AECD20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_26aecd20000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction ID: c7e8afc9b02e52757cf8ad5f25fc053daec61c619fca8b020839a2a500230b4e
Opcode Fuzzy Hash: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction Fuzzy Hash: 5A017D3864995ACBE79AF76868C476276C1F7DC340F544075D81AC32C9C92FC8424751

Non-executed Functions

Function 00007FFE0136AEB0 Relevance: 29.9, Strings: 23, Instructions: 1193COMMON

Download Yara Rule

Strings

there is already a table named %s, xrefs: 00007FFE0136B3D3
BINARY, xrefs: 00007FFE0136B7EE, 00007FFE0136B991, 00007FFE0136BA12
virtual tables may not be indexed, xrefs: 00007FFE0136B2AE
index, xrefs: 00007FFE0136B04F, 00007FFE0136B383, 00007FFE0136B64A
sqlite_, xrefs: 00007FFE0136B206
invalid rootpage, xrefs: 00007FFE0136BD50
CREATE%s INDEX %.*s, xrefs: 00007FFE0136BE4A
sqlite_temp_master, xrefs: 00007FFE0136B4F5
sqlite_autoindex_%s_%d, xrefs: 00007FFE0136B4B1
unsupported use of NULLS %s, xrefs: 00007FFE0136B138
INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 00007FFE0136BE75
views may not be indexed, xrefs: 00007FFE0136B290
FIRST, xrefs: 00007FFE0136B131
conflicting ON CONFLICT clauses specified, xrefs: 00007FFE0136BCF4
UNIQUE, xrefs: 00007FFE0136BE1B
expressions prohibited in PRIMARY KEY and UNIQUE constraints, xrefs: 00007FFE0136B9F9
name='%q' AND type='index', xrefs: 00007FFE0136BF30
LAST, xrefs: 00007FFE0136B125
too many columns in %s, xrefs: 00007FFE0136B654
index %s already exists, xrefs: 00007FFE0136B442
cannot create a TEMP index on non-TEMP table "%s", xrefs: 00007FFE0136B0F9
sqlite_master, xrefs: 00007FFE0136B4E9
table %s may not be indexed, xrefs: 00007FFE0136B26E

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: UNIQUE$BINARY$CREATE%s INDEX %.*s$FIRST$INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);$LAST$cannot create a TEMP index on non-TEMP table "%s"$conflicting ON CONFLICT clauses specified$expressions prohibited in PRIMARY KEY and UNIQUE constraints$index$index %s already exists$invalid rootpage$name='%q' AND type='index'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$sqlite_temp_master$table %s may not be indexed$there is already a table named %s$too many columns in %s$unsupported use of NULLS %s$views may not be indexed$virtual tables may not be indexed
API String ID: 0-2483461966
Opcode ID: d7c0c18ccbea3f5780cd58bdf531708999542d4204fc7ca0f47c626bc0992c34
Instruction ID: f9afc8b60130bce7158dffd250d471d9d34a0928bc4448562b5d3c61a9a6fbe6
Opcode Fuzzy Hash: d7c0c18ccbea3f5780cd58bdf531708999542d4204fc7ca0f47c626bc0992c34
Instruction Fuzzy Hash: 7FC2CC62B08B9285EB608B15D4446BDBBA5FB45BC4F468136DE8D8B7B9DF3CE441CB00

Function 00007FFE013782C8 Relevance: 20.6, Strings: 15, Instructions: 1841COMMON

Download Yara Rule

Strings

BINARY, xrefs: 00007FFE013795E2, 00007FFE01379699, 00007FFE0137970F
missing from index , xrefs: 00007FFE013794C9
TEXT value in %s.%s, xrefs: 00007FFE0137907A
CHECK constraint failed in %s, xrefs: 00007FFE0137923F
NUMERIC value in %s.%s, xrefs: 00007FFE01378F44
database disk image is malformed, xrefs: 00007FFE01379F30
wrong # of entries in index , xrefs: 00007FFE01379CA0
NULL value in %s.%s, xrefs: 00007FFE01378D18
non-%s value in %s.%s, xrefs: 00007FFE01378ECF
q, xrefs: 00007FFE013788E7
row , xrefs: 00007FFE01379461, 00007FFE0137976F
non-unique entry in index , xrefs: 00007FFE01379ADB
values differ from index , xrefs: 00007FFE013797DA
*** in database %s ***, xrefs: 00007FFE01378585
row not in PRIMARY KEY order for %s, xrefs: 00007FFE01378937

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: missing from index $ values differ from index $*** in database %s ***$BINARY$CHECK constraint failed in %s$NULL value in %s.%s$NUMERIC value in %s.%s$TEXT value in %s.%s$database disk image is malformed$non-%s value in %s.%s$non-unique entry in index $q$row $row not in PRIMARY KEY order for %s$wrong # of entries in index
API String ID: 0-2842236643
Opcode ID: 8b0ce0ab506f2e8606d43e5365e028eb3fedbddf92bc12b9280e71352f5b2aa9
Instruction ID: bc00b802a97c5e421769fdb61236280c3e9075c647167f9419fc561ec7e7cbbc
Opcode Fuzzy Hash: 8b0ce0ab506f2e8606d43e5365e028eb3fedbddf92bc12b9280e71352f5b2aa9
Instruction Fuzzy Hash: FA137D72A08B818AEB20DF15D4447AD7BA1FB84F98F568236DA4E5BBA4DF3DD441C700

Function 00007FFE01368590 Relevance: 18.1, Strings: 14, Instructions: 600COMMON

Download Yara Rule

Strings

unknown datatype for %s.%s: "%s", xrefs: 00007FFE01368743
PRIMARY KEY missing on table %s, xrefs: 00007FFE0136877A
must have at least one non-generated column, xrefs: 00007FFE0136893D
AUTOINCREMENT not allowed on WITHOUT ROWID tables, xrefs: 00007FFE013686DA
CREATE %s %.*s, xrefs: 00007FFE01368D80
TABLE, xrefs: 00007FFE01368A93
view, xrefs: 00007FFE01368AA5
tbl_name='%q' AND type!='trigger', xrefs: 00007FFE01368E88
VIEW, xrefs: 00007FFE01368A8A
missing datatype for %s.%s, xrefs: 00007FFE0136875F
sqlite_sequence, xrefs: 00007FFE01368EDE
table, xrefs: 00007FFE01368A9A
UPDATE %Q.sqlite_master SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 00007FFE01368DD2
CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 00007FFE01368E76

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: AUTOINCREMENT not allowed on WITHOUT ROWID tables$CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$PRIMARY KEY missing on table %s$TABLE$UPDATE %Q.sqlite_master SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$missing datatype for %s.%s$must have at least one non-generated column$sqlite_sequence$table$tbl_name='%q' AND type!='trigger'$unknown datatype for %s.%s: "%s"$view
API String ID: 0-2402647485
Opcode ID: fa64730fd2762ed6dba9d95a655f1bce0a9b6b574417d3228855b4aebedf1199
Instruction ID: 22a965d9ac57df616d3edb2a1d7bb737912e599fdf2559c5e8225fd243e94a0e
Opcode Fuzzy Hash: fa64730fd2762ed6dba9d95a655f1bce0a9b6b574417d3228855b4aebedf1199
Instruction Fuzzy Hash: E5528E72A0878286EB649F25E4407B97BA0FB48BC8F069175DA8E4B7A5DF3CE545C700

Function 00007FFE013A98A0 Relevance: 16.6, Strings: 11, Instructions: 2803COMMON

Download Yara Rule

Strings

max, xrefs: 00007FFE013AAC3C
USE TEMP B-TREE FOR %s, xrefs: 00007FFE013AB036, 00007FFE013AC3CC
SCAN %s%s%s, xrefs: 00007FFE013AC0D9
GROUP BY, xrefs: 00007FFE013AB02F
CO-ROUTINE %!S, xrefs: 00007FFE013A9EBF
DISTINCT, xrefs: 00007FFE013AB026, 00007FFE013AC3C3
USING COVERING INDEX , xrefs: 00007FFE013AC0CF
min, xrefs: 00007FFE013AAC12
MATERIALIZE %!S, xrefs: 00007FFE013AA017
expected %d columns for '%s' but got %d, xrefs: 00007FFE013A9DD9
target object/alias may not appear in FROM clause: %s, xrefs: 00007FFE013A99DC

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: USING COVERING INDEX $CO-ROUTINE %!S$DISTINCT$GROUP BY$MATERIALIZE %!S$SCAN %s%s%s$USE TEMP B-TREE FOR %s$expected %d columns for '%s' but got %d$max$min$target object/alias may not appear in FROM clause: %s
API String ID: 0-1030564652
Opcode ID: b202d8f1604caf37fa9b79c5c216c4e7bd9aaac1d539025cac5c7be896275b32
Instruction ID: aafbcb23f9d834b1a584ed159f12774e92d760a2e4d8475e055546c4483727d7
Opcode Fuzzy Hash: b202d8f1604caf37fa9b79c5c216c4e7bd9aaac1d539025cac5c7be896275b32
Instruction Fuzzy Hash: B1538073A09A818AEB54CF25D080BAD7BA4FB84B84F928136DB4D4B7A5DF3DD451CB40

Function 00007FFE013A74A0 Relevance: 16.2, Strings: 12, Instructions: 1246COMMON

Download Yara Rule

Strings

%!S, xrefs: 00007FFE013A76F1
'%s' is not a function, xrefs: 00007FFE013A7A53
%s.%s.%s, xrefs: 00007FFE013A8518
too many columns in result set, xrefs: 00007FFE013A87AE
Expression tree is too large (maximum depth %d), xrefs: 00007FFE013A8214, 00007FFE013A83A6
too many references to "%s": max 65535, xrefs: 00007FFE013A7A6A
unsafe use of virtual table "%s", xrefs: 00007FFE013A78AB
no tables specified, xrefs: 00007FFE013A8711
%s.%s, xrefs: 00007FFE013A85D0
..%s, xrefs: 00007FFE013A7DB7
no such table: %s, xrefs: 00007FFE013A8703
access to view "%s" prohibited, xrefs: 00007FFE013A785E

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %!S$%s.%s$%s.%s.%s$'%s' is not a function$..%s$Expression tree is too large (maximum depth %d)$access to view "%s" prohibited$no such table: %s$no tables specified$too many columns in result set$too many references to "%s": max 65535$unsafe use of virtual table "%s"
API String ID: 0-3486433936
Opcode ID: 1da39b2d3640856c719886071d137ac9fc7873f92111d025289bbc8ce5571c6e
Instruction ID: 46c3ccda07f816b674432884881e38017f5c944276aac1a7c970de9de953f302
Opcode Fuzzy Hash: 1da39b2d3640856c719886071d137ac9fc7873f92111d025289bbc8ce5571c6e
Instruction Fuzzy Hash: 1AC2CF62A08B8286EB65CF15D4803BA77A0FB44B94F869235DF9D0B7A5DF3DE490C700

Function 00007FFE01332800 Relevance: 15.5, Strings: 12, Instructions: 541COMMON

Download Yara Rule

Strings

temp, xrefs: 00007FFE01337318
BINARY, xrefs: 00007FFE01336F3B, 00007FFE01337016, 00007FFE01337030
%s at line %d of [%.10s], xrefs: 00007FFE013370BB, 00007FFE01337229, 00007FFE013373AB, 00007FFE0133759F
automatic extension loading failed: %s, xrefs: 00007FFE013374B1
v, xrefs: 00007FFE01337337
API call with %s database connection pointer, xrefs: 00007FFE01337208, 00007FFE01337386, 00007FFE0133757A
NOCASE, xrefs: 00007FFE01337052
main, xrefs: 00007FFE0133730A
RTRIM, xrefs: 00007FFE01337074
invalid, xrefs: 00007FFE013371FE, 00007FFE0133737C, 00007FFE01337570
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE01337083, 00007FFE013371C5, 00007FFE01337392, 00007FFE01337586, 00007FFE013375B7, 00007FFE013375DA
misuse, xrefs: 00007FFE013370B4, 00007FFE0133721F, 00007FFE0133739F, 00007FFE01337593

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API call with %s database connection pointer$BINARY$NOCASE$RTRIM$automatic extension loading failed: %s$invalid$main$misuse$temp$v
API String ID: 0-3707469561
Opcode ID: 1cce1f10229e4fddfb2db882d5f02692312283c700ff9b81b6cd8583de597cc6
Instruction ID: 9054fdb1d69a1b6f9a843287377e6affdfa00e10630c7844dfe67d0823d174ba
Opcode Fuzzy Hash: 1cce1f10229e4fddfb2db882d5f02692312283c700ff9b81b6cd8583de597cc6
Instruction Fuzzy Hash: D6427AA2E0DB8685EB658F2AE85027937A1FB84F84F954136DA4E4B7B4CF3CE445C344

Function 00007FFE0134CB20 Relevance: 15.5, Strings: 12, Instructions: 509COMMON

Download Yara Rule

Strings

unable to get the page. error code=%d, xrefs: 00007FFE0134CBED
Fragmentation of %d bytes reported as %d on page %u, xrefs: 00007FFE0134D26E
Offset %d out of range %d..%d, xrefs: 00007FFE0134D204
btreeInitPage() returns error code %d, xrefs: 00007FFE0134CC5E
On page %u at right child: , xrefs: 00007FFE0134CD3C
Multiple uses for byte %u of page %u, xrefs: 00007FFE0134D22A
Page %u: , xrefs: 00007FFE0134CBBD
Extends off end of page, xrefs: 00007FFE0134CE19
Child page depth differs, xrefs: 00007FFE0134CF72
On tree page %u cell %d: , xrefs: 00007FFE0134CC99
free space corruption, xrefs: 00007FFE0134CC81
Rowid %lld out of order, xrefs: 00007FFE0134CE66

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Child page depth differs$Extends off end of page$Fragmentation of %d bytes reported as %d on page %u$Multiple uses for byte %u of page %u$Offset %d out of range %d..%d$On page %u at right child: $On tree page %u cell %d: $Page %u: $Rowid %lld out of order$btreeInitPage() returns error code %d$free space corruption$unable to get the page. error code=%d
API String ID: 0-934750177
Opcode ID: e7bd4d9c7646848d33e68cd7fef50520113914b1b2705274c3fc1ad2220088b3
Instruction ID: 308c7ac720f42f7bb63ca97f1773f42597ae97d87e3b84918cc916ec73b400a2
Opcode Fuzzy Hash: e7bd4d9c7646848d33e68cd7fef50520113914b1b2705274c3fc1ad2220088b3
Instruction Fuzzy Hash: 5422DF76A096918BD764CF29E00067EBBA0F785B84F059135EF8A4BB68DF3DE455CB00

Function 00007FFE013367A0 Relevance: 15.4, Strings: 12, Instructions: 436COMMON

Download Yara Rule

Strings

access, xrefs: 00007FFE01336BF5
localhos, xrefs: 00007FFE0133690E
mode, xrefs: 00007FFE01336B0E
mode, xrefs: 00007FFE01336C95
cach, xrefs: 00007FFE01336B1F
%s mode not allowed: %s, xrefs: 00007FFE01336D99
no such %s mode: %s, xrefs: 00007FFE01336C5E
cach, xrefs: 00007FFE01336CB4
file, xrefs: 00007FFE01336822
cache, xrefs: 00007FFE01336BCB
invalid uri authority: %.*s, xrefs: 00007FFE01336937
no such vfs: %s, xrefs: 00007FFE01336CFD

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
API String ID: 0-1067337024
Opcode ID: 99a78c5a55c126cc88e460cda838c4a2039a9417c8cdd440bb7dd26b4a88603e
Instruction ID: 3ddb7e0e5df6471b4826b9154851c154af3bbb5a4258497e688aed0cf0c3db5f
Opcode Fuzzy Hash: 99a78c5a55c126cc88e460cda838c4a2039a9417c8cdd440bb7dd26b4a88603e
Instruction Fuzzy Hash: B80236E2E0C28669FF758B1584163792BD1EB51F54F168235CA9E4F2F1CE7DE6828308

Function 00007FFE01366280 Relevance: 14.3, Strings: 11, Instructions: 557COMMON

Download Yara Rule

Strings

bolb, xrefs: 00007FFE01366983
always, xrefs: 00007FFE01366338
rahc, xrefs: 00007FFE01366956
bolc, xrefs: 00007FFE01366969
txet, xrefs: 00007FFE01366976
generated, xrefs: 00007FFE013663E3
duplicate column name: %s, xrefs: 00007FFE013666D8
laer, xrefs: 00007FFE013669A3
buod, xrefs: 00007FFE013669C9
aolf, xrefs: 00007FFE013669B6
too many columns on %s, xrefs: 00007FFE013662D4

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: always$aolf$bolb$bolc$buod$duplicate column name: %s$generated$laer$rahc$too many columns on %s$txet
API String ID: 0-2711416707
Opcode ID: f2edbba5a3046b78e4b4417d45e1888326175b152c936902df131ca6e4ca4370
Instruction ID: 0b93c55b62a81a6b5e4ef250b8a77b4b07747bb23ef3515d4b003650cc91e7c7
Opcode Fuzzy Hash: f2edbba5a3046b78e4b4417d45e1888326175b152c936902df131ca6e4ca4370
Instruction Fuzzy Hash: 783249A2A0CAD385EB658B2594523BD7BE1FB41BC4F56C136DA9E4B2B1CE2CE541C300

Function 00007FFE014022E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE013FA524: GetLastError.KERNEL32 ref: 00007FFE013FA533
Part of subcall function 00007FFE013FA524: FlsGetValue.KERNEL32 ref: 00007FFE013FA548
Part of subcall function 00007FFE013FA524: SetLastError.KERNEL32 ref: 00007FFE013FA5D3

TranslateName.LIBCMT ref: 00007FFE0140234A
TranslateName.LIBCMT ref: 00007FFE01402385
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FFE013FBB14), ref: 00007FFE014023CC
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FFE013FBB14), ref: 00007FFE01402404
GetLocaleInfoW.KERNEL32 ref: 00007FFE014025CD

Strings

utf8, xrefs: 00007FFE014024E8

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 5487e5a400001d4f56018c9c310e9b95909492dba264b8e7cd6f344830101e2f
Instruction ID: 4cc7baccb679611dbbfc3a1caa0198c7d1975f3ea36e37bf651f21334ad2bbbc
Opcode Fuzzy Hash: 5487e5a400001d4f56018c9c310e9b95909492dba264b8e7cd6f344830101e2f
Instruction Fuzzy Hash: FD91CF32A0878282EB26AFA2D4146B933A4EF84B80F454139DE4D5B7F5DFBDE955C700

Function 00007FFE01402D3C Relevance: 10.7, APIs: 7, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE013FA524: GetLastError.KERNEL32 ref: 00007FFE013FA533
Part of subcall function 00007FFE013FA524: FlsGetValue.KERNEL32 ref: 00007FFE013FA548
Part of subcall function 00007FFE013FA524: SetLastError.KERNEL32 ref: 00007FFE013FA5D3

Part of subcall function 00007FFE013FA524: FlsSetValue.KERNEL32 ref: 00007FFE013FA569

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FFE01402EAC

Part of subcall function 00007FFE013FA524: FlsSetValue.KERNEL32 ref: 00007FFE013FA596
Part of subcall function 00007FFE013FA524: FlsSetValue.KERNEL32 ref: 00007FFE013FA5A7
Part of subcall function 00007FFE013FA524: FlsSetValue.KERNEL32 ref: 00007FFE013FA5B8

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FFE013FBB0D), ref: 00007FFE01402E93
ProcessCodePage.LIBCMT ref: 00007FFE01402ED6
IsValidCodePage.KERNEL32 ref: 00007FFE01402EE8
IsValidLocale.KERNEL32 ref: 00007FFE01402EFE
GetLocaleInfoW.KERNEL32 ref: 00007FFE01402F5A
GetLocaleInfoW.KERNEL32 ref: 00007FFE01402F76

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 076d886bfa2acd654b465ba083faac6f3c9cc38e7c0957c6ce594343932ecb80
Instruction ID: 417442589e3466e17b5656495ac88b59c869952ce68cbff5667203c2a4abf695
Opcode Fuzzy Hash: 076d886bfa2acd654b465ba083faac6f3c9cc38e7c0957c6ce594343932ecb80
Instruction Fuzzy Hash: EA716D22F1865289FB529BA2D858ABC23A0BF48758F44443DCE1D5B6F5DF7CAC45C350

Function 00007FFE013378D0 Relevance: 10.6, Strings: 8, Instructions: 578COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFE01337949, 00007FFE01337A71
unopened, xrefs: 00007FFE01337918
API call with %s database connection pointer, xrefs: 00007FFE01337924
NULL, xrefs: 00007FFE013378F8
API called with finalized prepared statement, xrefs: 00007FFE01337A47
invalid, xrefs: 00007FFE0133790D
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE01337930, 00007FFE01337A58
misuse, xrefs: 00007FFE0133793D, 00007FFE01337A65

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API call with %s database connection pointer$API called with finalized prepared statement$NULL$invalid$misuse$unopened
API String ID: 0-2588185155
Opcode ID: 2fd9805eb42e1f6ef22a2f79b6ecac734beb7452c482b6757f9efba3e5c02a25
Instruction ID: 78e00a17744653a34efbe4802f046ade7cd658b50745bb00d691433187ebc79f
Opcode Fuzzy Hash: 2fd9805eb42e1f6ef22a2f79b6ecac734beb7452c482b6757f9efba3e5c02a25
Instruction Fuzzy Hash: CC42BAA2A09A8281FB659F15D4443BA73A5FF84F84F564232DA5E4F3B5EF3CE8418344

Function 00007FFE013F12C0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE013F12DC
RtlCaptureContext.KERNEL32 ref: 00007FFE013F1309
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE013F1323
RtlVirtualUnwind.KERNEL32 ref: 00007FFE013F1364
IsDebuggerPresent.KERNEL32 ref: 00007FFE013F13B8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE013F13D5
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE013F13E0

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 55f9487a3a37d419e32935d06c83ee3204da43ce5e5de20929af22de147d5fc1
Instruction ID: 665429a5c7c109ca24c6924b54e462d3edcb22cd504174831c84c49adc9204af
Opcode Fuzzy Hash: 55f9487a3a37d419e32935d06c83ee3204da43ce5e5de20929af22de147d5fc1
Instruction Fuzzy Hash: 05315E76A09B81CAEB609FA1E8407EE7364FB84744F44443ADA4E5BBA4DF3CD548C710

Function 00007FFE013B5E20 Relevance: 10.4, Strings: 7, Instructions: 1634COMMON

Download Yara Rule

Strings

table %S has no column named %s, xrefs: 00007FFE013B626D
UPSERT not implemented for virtual table "%s", xrefs: 00007FFE013B6815
table %S has %d columns but %d values were supplied, xrefs: 00007FFE013B668D
cannot INSERT into generated column "%s", xrefs: 00007FFE013B61BB
%d values for %d columns, xrefs: 00007FFE013B66D2
cannot UPSERT a view, xrefs: 00007FFE013B6835
rows inserted, xrefs: 00007FFE013B7572

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %d values for %d columns$UPSERT not implemented for virtual table "%s"$cannot INSERT into generated column "%s"$cannot UPSERT a view$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-3663672232
Opcode ID: 11d4e5e0a5b9128f3ee1de285a23c5adc91e58bd92c5378f8b9b173659030bb9
Instruction ID: 277989e16a162439585a9a6c9d183371dd0ab0c3aa2f5af5482de1ca9b08681b
Opcode Fuzzy Hash: 11d4e5e0a5b9128f3ee1de285a23c5adc91e58bd92c5378f8b9b173659030bb9
Instruction Fuzzy Hash: C5F27E72A096918AEB60CF25C4857AD3BA5FB84B88F524136DF4D4B7A6EF3CE441C740

Function 00007FFE0134D310 Relevance: 9.2, Strings: 7, Instructions: 425COMMON

Download Yara Rule

Strings

Page %d is never used, xrefs: 00007FFE0134D708
max rootpage (%d) disagrees with header (%d), xrefs: 00007FFE0134D51B
Pointer map page %d is referenced, xrefs: 00007FFE0134D772
Failed to read ptrmap key=%d, xrefs: 00007FFE0134D5EE
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00007FFE0134D616
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00007FFE0134D53F
Main freelist: , xrefs: 00007FFE0134D4A3

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Main freelist: $Page %d is never used$Pointer map page %d is referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%d) disagrees with header (%d)
API String ID: 0-2103957143
Opcode ID: c9613edc4a1164fa6205d489438b2c7308cfcab2ed5c76fbf947250ec92436bd
Instruction ID: cfcba2ae1bf4c7002920c659a9033ccb109c63d1fb74f3590969fdad64894490
Opcode Fuzzy Hash: c9613edc4a1164fa6205d489438b2c7308cfcab2ed5c76fbf947250ec92436bd
Instruction Fuzzy Hash: 83125B72A08A828BEB65CFA9E44027D7BA1FB94758F554139DA4D4BBB4DF3CF4418B00

Function 00007FFE013F0290 Relevance: 9.1, APIs: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F02B3
LoadLibraryW.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F02C8
GetProcAddress.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F032C
GetProcAddress.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F034B
GetProcAddress.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F036C
GetProcAddress.KERNEL32(?,?,?,00007FFE013F0152), ref: 00007FFE013F038B

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 1afc37d47e21fe4db280e3a57abc0f00bd42785e735c5657d2df56b21c99e1b5
Instruction ID: f48893de7fc3fadca82e975de74bb396dc034bbb3061ad697ee113f7b6c354fc
Opcode Fuzzy Hash: 1afc37d47e21fe4db280e3a57abc0f00bd42785e735c5657d2df56b21c99e1b5
Instruction Fuzzy Hash: 45416462A09B8686EF1ADF66D55023937A1FB44F84F098036DE4E2B775DF3CE8518300

Function 00007FFE013F6EC8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFE013F6F41
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE013F6F59
RtlVirtualUnwind.KERNEL32 ref: 00007FFE013F6F94
IsDebuggerPresent.KERNEL32 ref: 00007FFE013F6FCD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE013F6FD7
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE013F6FE2

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 317b68d8b54ebd0cb2e48c5d5fcba97bb08197c4a9347119987f5a04022b063a
Instruction ID: 0ffd4e665a8643e7385d12254adce74ac14b79314deaf5f20240fbd8ab1b915e
Opcode Fuzzy Hash: 317b68d8b54ebd0cb2e48c5d5fcba97bb08197c4a9347119987f5a04022b063a
Instruction Fuzzy Hash: 7931A272608F8186DB60DF65E8402AE73A4FB88754F500239EA9D4BB78DF3CD559CB00

Function 00007FFE013E8390 Relevance: 9.1, Strings: 6, Instructions: 1581COMMON

Download Yara Rule

Strings

BINARY, xrefs: 00007FFE013E915E
ON clause references tables to its right, xrefs: 00007FFE013E86D0
Expression tree is too large (maximum depth %d), xrefs: 00007FFE013E8C64, 00007FFE013E8DE6, 00007FFE013E922C, 00007FFE013E952D, 00007FFE013E9A68
E, xrefs: 00007FFE013E98AA
NOCASE, xrefs: 00007FFE013E9157
false, xrefs: 00007FFE013E8B46

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: BINARY$E$Expression tree is too large (maximum depth %d)$NOCASE$ON clause references tables to its right$false
API String ID: 0-120726598
Opcode ID: ae553a65a4b773e1da32f7d4cedd146e51785b28b25b7cd3397d7335796026c6
Instruction ID: 9dfc08c64589bbfcadce3d45c3d53a7d031d39a843b2c9f7fe28e305e246560d
Opcode Fuzzy Hash: ae553a65a4b773e1da32f7d4cedd146e51785b28b25b7cd3397d7335796026c6
Instruction Fuzzy Hash: 6CE2CE62A0D78286EB64CB2691447797BE1FB64B88F069136DE4D4B7E9DF3CE841C700

Function 00007FFE0139CD90 Relevance: 8.3, Strings: 6, Instructions: 758COMMON

Download Yara Rule

Strings

a NATURAL join may not have an ON or USING clause, xrefs: 00007FFE0139D98F
cannot join using column %s - column not present in both tables, xrefs: 00007FFE0139D114
coalesce, xrefs: 00007FFE0139D6B0
ambiguous reference to %s in USING(), xrefs: 00007FFE0139D61A
Expression tree is too large (maximum depth %d), xrefs: 00007FFE0139D885
too many arguments on function %T, xrefs: 00007FFE0139D770

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)$a NATURAL join may not have an ON or USING clause$ambiguous reference to %s in USING()$cannot join using column %s - column not present in both tables$coalesce$too many arguments on function %T
API String ID: 0-1975222901
Opcode ID: 9a88fc45b173f08caf0adfc662823e2b4925ef482a29bbba591bcabe0683e6f2
Instruction ID: b9c06854584549c8897e58991abef0999dc9fc69a336ebca4e71971d3a13abf5
Opcode Fuzzy Hash: 9a88fc45b173f08caf0adfc662823e2b4925ef482a29bbba591bcabe0683e6f2
Instruction Fuzzy Hash: 8E72D162A08AC186EB64CF55E5417BA7BA0FB84BC4F469136DE8E4B7A5DF3CE441C700

Function 00007FFE013635C0 Relevance: 8.0, Strings: 6, Instructions: 479COMMON

Download Yara Rule

Strings

sqlite_, xrefs: 00007FFE013636B8, 00007FFE013639F2
schema, xrefs: 00007FFE01363772, 00007FFE01363879, 00007FFE01363A43
main, xrefs: 00007FFE01363650
sqlite_temp_master, xrefs: 00007FFE013637CF, 00007FFE01363834, 00007FFE01363B55, 00007FFE01363BB6
sqlite_master, xrefs: 00007FFE013638A6, 00007FFE01363914, 00007FFE01363A72, 00007FFE01363AE4
temp_schema, xrefs: 00007FFE0136370C, 00007FFE01363B29

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: main$schema$sqlite_$sqlite_master$sqlite_temp_master$temp_schema
API String ID: 0-3006123741
Opcode ID: 2f16469c78149c198eec2911a83ca5f7d968b4ca7d428e3531c44a61c104cc94
Instruction ID: 6b3d1dcb900eac40e290848d592eca6602b42674f2afc595cb18b1e2b8681570
Opcode Fuzzy Hash: 2f16469c78149c198eec2911a83ca5f7d968b4ca7d428e3531c44a61c104cc94
Instruction Fuzzy Hash: 54120562E0C9D740EB954F2680606BC3FA1FF51BC5B66913AEE9E4B3B1CE2CD9459700

Function 00007FFE013A1F10 Relevance: 7.2, Strings: 5, Instructions: 961COMMON

Download Yara Rule

Strings

COMPOUND QUERY, xrefs: 00007FFE013A2139
UNION ALL, xrefs: 00007FFE013A25BD
LEFT-MOST SUBQUERY, xrefs: 00007FFE013A214D
SCAN %d CONSTANT ROW%s, xrefs: 00007FFE013A20A0
%s USING TEMP B-TREE, xrefs: 00007FFE013A2238, 00007FFE013A2849

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s USING TEMP B-TREE$COMPOUND QUERY$LEFT-MOST SUBQUERY$SCAN %d CONSTANT ROW%s$UNION ALL
API String ID: 0-146987844
Opcode ID: 1454b05ddc824b0828ba6a6e2abbfe483e0d8b1592d0cf516529dfca885931f2
Instruction ID: 0afcf8e0ba31193ba089a2b7bfde5465adf35152db028b3c8569ad48802b8375
Opcode Fuzzy Hash: 1454b05ddc824b0828ba6a6e2abbfe483e0d8b1592d0cf516529dfca885931f2
Instruction Fuzzy Hash: 0092BD72A096428AEB64DF26D044BBE37A5FB45B88F868135DE4D4BBA5DF3DE401C700

Function 00007FFE013B3570 Relevance: 6.4, Strings: 4, Instructions: 1368COMMON

Download Yara Rule

Strings

first_value, xrefs: 00007FFE013B3683
lag, xrefs: 00007FFE013B3691
nth_value, xrefs: 00007FFE013B367C
lead, xrefs: 00007FFE013B368A

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: first_value$lag$lead$nth_value
API String ID: 0-1849363824
Opcode ID: 6abb138c9164899ef69d689318b61399e20871f2d70698f3ec524ba9009ae6c5
Instruction ID: 80824b06be70d7f2abc2b791fb1c20cd43ec44725a6972bb4b0396593db765cc
Opcode Fuzzy Hash: 6abb138c9164899ef69d689318b61399e20871f2d70698f3ec524ba9009ae6c5
Instruction Fuzzy Hash: 34E28272A14A51CAEB10DF25D090BAD3BA1F784F88F558236DB4E4BB69EB3DD405CB40

Function 00007FFE013DD2F0 Relevance: 6.0, Strings: 4, Instructions: 995COMMON

Download Yara Rule

Strings

BINARY, xrefs: 00007FFE013DDB13, 00007FFE013DDB76
automatic index on %s(%s), xrefs: 00007FFE013DD7B6
Expression tree is too large (maximum depth %d), xrefs: 00007FFE013DD6B9
auto-index, xrefs: 00007FFE013DD9B7

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: BINARY$Expression tree is too large (maximum depth %d)$auto-index$automatic index on %s(%s)
API String ID: 0-3626234020
Opcode ID: fda548d4cca40faa64e7c04495c2c94fc43deb2edc5870fda484c6531ce11dbc
Instruction ID: abbcbde4af71660de22151c754dff7810de28aa172e8a01f157eb11299702b8e
Opcode Fuzzy Hash: fda548d4cca40faa64e7c04495c2c94fc43deb2edc5870fda484c6531ce11dbc
Instruction Fuzzy Hash: 1FB29072A08B8186EB64DF25E4907AD7BA4FB84B84F528135DB8D4B7A5DF3CE451CB00

Function 00007FFE013A1570 Relevance: 5.6, Strings: 4, Instructions: 598COMMON

Download Yara Rule

Strings

cannot use window functions in recursive queries, xrefs: 00007FFE013A15AA
RECURSIVE STEP, xrefs: 00007FFE013A1DFE
recursive aggregate queries not supported, xrefs: 00007FFE013A1EB4
SETUP, xrefs: 00007FFE013A1AA8

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: RECURSIVE STEP$SETUP$cannot use window functions in recursive queries$recursive aggregate queries not supported
API String ID: 0-4261064685
Opcode ID: da3e82339614fec6f260c50b8955e63aaafa2301857181e9cd07d2b6493b7a94
Instruction ID: b112ae0f3bb6a36ba4e257b69c32a49397605d52c86ae45fc3289e399c9c183f
Opcode Fuzzy Hash: da3e82339614fec6f260c50b8955e63aaafa2301857181e9cd07d2b6493b7a94
Instruction Fuzzy Hash: BC529F72608A818BEB64DF25D140BADBBA5F784B84F928135CB8E4B765DF3DE451CB00

Function 00007FFE013B1857 Relevance: 5.5, Strings: 4, Instructions: 492COMMON

Download Yara Rule

Strings

first_value, xrefs: 00007FFE013B18DF, 00007FFE013B1C13, 00007FFE013B1C40
lag, xrefs: 00007FFE013B18E6, 00007FFE013B1C1A, 00007FFE013B1C39
nth_value, xrefs: 00007FFE013B18B7
lead, xrefs: 00007FFE013B16BB, 00007FFE013B18CA, 00007FFE013B1BFE, 00007FFE013B1C4D

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: first_value$lag$lead$nth_value
API String ID: 0-1849363824
Opcode ID: 805723ddc7bed7cf74a5d81985b72a0d60ff043f44d1ed47fe2fe52334a389c0
Instruction ID: daf4ce9af57bd216fa612ab7f9eb60fc00b8540c19c47d06639983cc6b02770c
Opcode Fuzzy Hash: 805723ddc7bed7cf74a5d81985b72a0d60ff043f44d1ed47fe2fe52334a389c0
Instruction Fuzzy Hash: 4D428E72619A81CADB10DF15D490BAD3BA0F784F88F568236CB8E8B769DB3DD511CB40

Function 00007FFE01353110 Relevance: 5.3, Strings: 4, Instructions: 343COMMON

Download Yara Rule

Strings

%sSCALAR SUBQUERY %d, xrefs: 00007FFE01353245
Expression tree is too large (maximum depth %d), xrefs: 00007FFE0135354E
CORRELATED , xrefs: 00007FFE01353235
REUSE SUBQUERY %d, xrefs: 00007FFE0135315D

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %sSCALAR SUBQUERY %d$CORRELATED $Expression tree is too large (maximum depth %d)$REUSE SUBQUERY %d
API String ID: 0-875495356
Opcode ID: 2500a914490ec4f54c6c1694bd0fb91ec3549e782ef5adef13b7e95241b025cc
Instruction ID: c3480a26e4e52a1ce08b4084706b275ee335039900718af82243b75bde391025
Opcode Fuzzy Hash: 2500a914490ec4f54c6c1694bd0fb91ec3549e782ef5adef13b7e95241b025cc
Instruction Fuzzy Hash: 91F19C72A087818AE760CF25D4807A97BA5FB84B84F569235DF8D4B765DF3CE451CB00

Function 00007FFE013482B0 Relevance: 5.2, Strings: 3, Instructions: 1469COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFE01348B83, 00007FFE01348D5E, 00007FFE01348D99, 00007FFE01349061
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE01348B61, 00007FFE01348C10, 00007FFE01348D3C, 00007FFE01348D77, 00007FFE01348FBC, 00007FFE0134903F, 00007FFE01349730
database corruption, xrefs: 00007FFE01348B79, 00007FFE01348D57, 00007FFE01348D92, 00007FFE0134905A

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$database corruption
API String ID: 0-155238906
Opcode ID: cb6595698c4938a6bb728b6c014e91e86e889e1afb8d787a44370e5b7b0fcd67
Instruction ID: 7d86556a1700eeb0766c123126fdbfad6115ab1dd80a072016f75f98a29a533e
Opcode Fuzzy Hash: cb6595698c4938a6bb728b6c014e91e86e889e1afb8d787a44370e5b7b0fcd67
Instruction Fuzzy Hash: 09E27B76A08A918AEB50CF65E4406AE7BB1F748B88F114135EF8D5BB68DF3CE445CB40

Function 00007FFE013E4900 Relevance: 4.9, Strings: 3, Instructions: 1166COMMON

Download Yara Rule

Strings

at most %d tables in a join, xrefs: 00007FFE013E4966
SCAN CONSTANT ROW, xrefs: 00007FFE013E4DC3
, xrefs: 00007FFE013E4986

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: $SCAN CONSTANT ROW$at most %d tables in a join
API String ID: 0-717196896
Opcode ID: 762dd9e840892b7ddc29a3942fe6d94a378c9fb91c98f9795c1e99f7d2808c66
Instruction ID: c290cdba30d76ecc3aa855c556e39c1e82a248fc714c42682e82193aa06f012c
Opcode Fuzzy Hash: 762dd9e840892b7ddc29a3942fe6d94a378c9fb91c98f9795c1e99f7d2808c66
Instruction Fuzzy Hash: 21C27A76A08B818AEB64CF15D0447A97BE4FB98B88F064135DB8E4B7A9DF3CE451C700

Function 00007FFE0138E260 Relevance: 4.8, Strings: 3, Instructions: 1011COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFE0138E43C
BBB, xrefs: 00007FFE0138E47A, 00007FFE0138F11B, 00007FFE0138F290
sqlite\_%, xrefs: 00007FFE0138E370

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: BBB$p$sqlite\_%
API String ID: 0-2988038722
Opcode ID: 5816150149daf270d209d04d605996feb6a5589464549f64c077c5ca631b2801
Instruction ID: 5682b6283e603d3fcb470e92ba5e2704a80141ab74b1442221e8a377fab199a9
Opcode Fuzzy Hash: 5816150149daf270d209d04d605996feb6a5589464549f64c077c5ca631b2801
Instruction Fuzzy Hash: D3B25D72618B818ADB60DF15D040BAD7BA4F788F88F568236DA8E4B769DF3DD445CB00

Function 00007FFE01345680 Relevance: 4.6, Strings: 3, Instructions: 837COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFE013456EE, 00007FFE01345FE2, 00007FFE01346026, 00007FFE013460CF
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE013456CE, 00007FFE01345FC8, 00007FFE01346006, 00007FFE013460B5
database corruption, xrefs: 00007FFE013456E7, 00007FFE01345FDB, 00007FFE0134601F, 00007FFE013460C8

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$database corruption
API String ID: 0-155238906
Opcode ID: 924ef14f8cb07c0a68abc310fa40045ed465ec91da555ce68851ab87387703ce
Instruction ID: 10e2f8c4ff7ccf5103761298d331ffb399a1c3aea7e3c7b93c2c1036464884ff
Opcode Fuzzy Hash: 924ef14f8cb07c0a68abc310fa40045ed465ec91da555ce68851ab87387703ce
Instruction Fuzzy Hash: 218269B2A0978287EB648F25D0842B977A1FB49B84F164135DA4D4B7B1DF3DF896C700

Function 00007FFE013F0568 Relevance: 4.5, APIs: 3, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FFE013F066D,?,?,?,?,?,?,00007FFE0140491E,?,00000000,?,00000000,00000000), ref: 00007FFE013F0573
UnhandledExceptionFilter.KERNEL32(?,?,?,00007FFE013F066D,?,?,?,?,?,?,00007FFE0140491E,?,00000000,?,00000000,00000000), ref: 00007FFE013F057C
GetCurrentProcess.KERNEL32(?,?,?,00007FFE013F066D,?,?,?,?,?,?,00007FFE0140491E,?,00000000,?,00000000,00000000), ref: 00007FFE013F0582

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: e894c875aad3164a7e7f05ed7a9ae4fa21b59bd118822bcd2b43b8446e047bc0
Instruction ID: d3ee1dfbd5f292817a4ab92f6cbde8e8875752c6ebe410878a9ce2b0c8d0ce8d
Opcode Fuzzy Hash: e894c875aad3164a7e7f05ed7a9ae4fa21b59bd118822bcd2b43b8446e047bc0
Instruction Fuzzy Hash: 6AD092A1E18A0B8AEB1A5BB3A9150362220AF5DB41B091038CA4A4E330AD3C9C9A8300

Function 00007FFE01351C60 Relevance: 4.4, Strings: 3, Instructions: 667COMMON

Download Yara Rule

Strings

USING ROWID SEARCH ON TABLE %s FOR IN-OPERATOR, xrefs: 00007FFE01351F04
USING INDEX %s FOR IN-OPERATOR, xrefs: 00007FFE01352323
p, xrefs: 00007FFE01351EF4

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: USING INDEX %s FOR IN-OPERATOR$USING ROWID SEARCH ON TABLE %s FOR IN-OPERATOR$p
API String ID: 0-3341458115
Opcode ID: 8e5e7d1d6f7fe6d0542a773a9cce19f009fcb8df88c3b48351c823b9d408ba94
Instruction ID: b8eef15f20abdd0915e35c4ba46d5d05683a46a4a960db96a8660b3f24298209
Opcode Fuzzy Hash: 8e5e7d1d6f7fe6d0542a773a9cce19f009fcb8df88c3b48351c823b9d408ba94
Instruction Fuzzy Hash: E952A072A09A96C6EB608B15D0407BA7BA1FB84FC4F468136DE4E5B7A5DF3CE841C740

Function 0000026AECD87220 Relevance: 4.4, Strings: 3, Instructions: 626COMMON

Download Yara Rule

Strings

@, xrefs: 0000026AECD87525
0, xrefs: 0000026AECD8750E
, xrefs: 0000026AECD874E1

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID: $0$@
API String ID: 0-2347541974
Opcode ID: be94cb7cfc3cd8444ac11f04680e5f8e06e857b9d45ba6d7f6f85da26437d9a4
Instruction ID: cb0aac98e958c1720eaf311c36b3d29372188f26223022979949528d4091104c
Opcode Fuzzy Hash: be94cb7cfc3cd8444ac11f04680e5f8e06e857b9d45ba6d7f6f85da26437d9a4
Instruction Fuzzy Hash: BB32DF34218B488FE7A5EF18C8997EAB7E1FB88304F50462DA09ED3291DF769544CB43

Function 00007FFE013A0580 Relevance: 4.3, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

column%d, xrefs: 00007FFE013A0775
%.*z:%u, xrefs: 00007FFE013A08E9
rowid, xrefs: 00007FFE013A06E8

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %.*z:%u$column%d$rowid
API String ID: 0-2903559916
Opcode ID: 5df1f845a0169827f4ebb929a4d498e5ffb10677090673640a5b631f1ad6e02f
Instruction ID: 37a8bca0b8468da86ec8d38a84eacdfa779a2600d12e9cbe321215c1ea9714e5
Opcode Fuzzy Hash: 5df1f845a0169827f4ebb929a4d498e5ffb10677090673640a5b631f1ad6e02f
Instruction Fuzzy Hash: DC32BD32A09B9685EB588F15D5507BD3BA4FB44B88F8A8235EE5D4B7A4DF3CE841C300

Function 00007FFE0135F330 Relevance: 4.3, Strings: 3, Instructions: 516COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFE0135F509, 00007FFE0135FB5F
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE0135F4F0, 00007FFE0135FB46
database corruption, xrefs: 00007FFE0135F4FD, 00007FFE0135FB53

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$database corruption
API String ID: 0-155238906
Opcode ID: 434da0afe0a843df92a2d92c3322ba158b526cb666c47b577ec03a7073e51b4a
Instruction ID: 306f0d818b3d720d20a2c9f04e1123f1a740b20f42af6c9f0e47f1c69739351d
Opcode Fuzzy Hash: 434da0afe0a843df92a2d92c3322ba158b526cb666c47b577ec03a7073e51b4a
Instruction Fuzzy Hash: 3C224C62E0C6D286F7258A2494503B9779ABF84B94F228231DE9E4F7F5DE7CE845C700

Function 00007FFE0134E6A0 Relevance: 4.2, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFE0134ED5B
row value misused, xrefs: 00007FFE0134E76F
6, xrefs: 00007FFE0134E7A1

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: 4$6$row value misused
API String ID: 0-1561282310
Opcode ID: 5a447cc84392f222daed4218e4186f4790ce6c0b03865afd276801cc29a87e65
Instruction ID: f513ec225a1afe59a700f52e9b9f1a4f4893c479494d9f4a7dbe36a033ed2536
Opcode Fuzzy Hash: 5a447cc84392f222daed4218e4186f4790ce6c0b03865afd276801cc29a87e65
Instruction Fuzzy Hash: 93328E72A086858BEB60CF15D440BBD7BA1F785F94F568136DA8E4BBA5CB3CE441CB00

Function 00007FFE01339F20 Relevance: 4.2, Strings: 3, Instructions: 456COMMON

Download Yara Rule

Strings

statement too long, xrefs: 00007FFE0133A151
out of memory, xrefs: 00007FFE01339FFB
database schema is locked: %s, xrefs: 00007FFE0133A17D

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: database schema is locked: %s$out of memory$statement too long
API String ID: 0-1046679716
Opcode ID: 0f53a5c38835b30bbcbcec31bcc2245aa6736640e18324b5b5b86baf3f8a0e5e
Instruction ID: 658ac34ae408a733c175d6f88570bb1582e827befd37b2fdbf6d6a4d6e2bf92d
Opcode Fuzzy Hash: 0f53a5c38835b30bbcbcec31bcc2245aa6736640e18324b5b5b86baf3f8a0e5e
Instruction Fuzzy Hash: 23227C22A08B8286FB69CF21D5547B977A0FB45F88F0A4135DA8D8B7A5DF7CE490C344

Function 00007FFE01343150 Relevance: 4.0, Strings: 3, Instructions: 202COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 00007FFE013433E5
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE013433CD
database corruption, xrefs: 00007FFE013433D9

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$database corruption
API String ID: 0-155238906
Opcode ID: 8e9262d8ef864c3c613e53130453f73bf643014a30dfa8d05f7c87cf02335ca1
Instruction ID: da464e400b1608f21aea70790af24eee6585cc3aab1aecabf5ebd0b3e84f59ea
Opcode Fuzzy Hash: 8e9262d8ef864c3c613e53130453f73bf643014a30dfa8d05f7c87cf02335ca1
Instruction Fuzzy Hash: 43717F62B1875287EB649B1AD08063E77A1FB98B94F565139DA4E4BBB0CF3DF4428700

Function 00007FFE013BA7B0 Relevance: 3.5, Strings: 2, Instructions: 1043COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFE013BAE90
BINARY, xrefs: 00007FFE013BB345, 00007FFE013BB39B

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: BINARY$p
API String ID: 0-743207482
Opcode ID: ce0cf3135fe0130cd0845329c03141dee4e8b813658fc461949ffc38931a6a79
Instruction ID: f4e66fcd06a8915d754bc5ddd5d5bd944dcffe331bba169d7c7c689f891ee9d9
Opcode Fuzzy Hash: ce0cf3135fe0130cd0845329c03141dee4e8b813658fc461949ffc38931a6a79
Instruction Fuzzy Hash: 4EA2D272A08A8686EB64DF25D1807BD7BA1FB84B84F428136DB8D4B7A5EF3DD451C700

Function 00007FFE013FAD3C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FFE013FBCE6), ref: 00007FFE013FADB0

Strings

GetLocaleInfoEx, xrefs: 00007FFE013FAD58, 00007FFE013FAD69

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: ddf6b8e3b2590f114d1e39ce45bf1c026e30b68cff69a9460e1018caa995f10b
Instruction ID: a444b28bcf513d2bb9712c8441af77424ea478dfaec3fca902e5cec49b2fbb2b
Opcode Fuzzy Hash: ddf6b8e3b2590f114d1e39ce45bf1c026e30b68cff69a9460e1018caa995f10b
Instruction Fuzzy Hash: 73018B21B08B8286E745AB97F5400A6B760EF88BD0F594039DE4D5BBB5CE3CD9458744

Function 00007FFE013CCA30 Relevance: 3.3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

Strings

rows deleted, xrefs: 00007FFE013CD72C
@, xrefs: 00007FFE013CD005

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: @$rows deleted
API String ID: 0-3120709674
Opcode ID: 5ded48c33ac152c705024983470e06f33181cbf37df0fe89e396c86754ddd954
Instruction ID: f07675737d8adf79a181183e829ce741b6b855fb58e30d958814386bbdff56cd
Opcode Fuzzy Hash: 5ded48c33ac152c705024983470e06f33181cbf37df0fe89e396c86754ddd954
Instruction Fuzzy Hash: 0C826072A087C186EB70DF25E0447AA7BA5FB88B84F564135DA8D4BBA5DF3CE441CB40

Function 00007FFE0139F420 Relevance: 3.3, Strings: 2, Instructions: 765COMMON

Download Yara Rule

Strings

USE TEMP B-TREE FOR %sORDER BY, xrefs: 00007FFE0139F49F
RIGHT PART OF , xrefs: 00007FFE0139F4AB

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: RIGHT PART OF $USE TEMP B-TREE FOR %sORDER BY
API String ID: 0-1759156464
Opcode ID: 85e8ca64c877a2097d2e3e55b046f10e7ca872548ff6035d304841ca6c7930ad
Instruction ID: 120e34c6dca67e10d1e993c4641dce63e86516bdd49f8dc1153d2713d8367881
Opcode Fuzzy Hash: 85e8ca64c877a2097d2e3e55b046f10e7ca872548ff6035d304841ca6c7930ad
Instruction Fuzzy Hash: 12829E72618A818ADB20DF15D040BAD7FA4F784F88F668235DB8E8B768DB3DD455CB40

Function 0000026AECD8B5E0 Relevance: 3.0, Strings: 2, Instructions: 550COMMON

Download Yara Rule

Strings

), xrefs: 0000026AECD8B7D9
p, xrefs: 0000026AECD8B6DA

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID: )$p
API String ID: 0-1764766951
Opcode ID: 421272b06df671110bcbb96d125b78b1997457c6984bab933b9aa6f3bccc1757
Instruction ID: 03f71a6f42e54fba18280bb19c4d556888020d2645ff81f16a3bc511df8dad15
Opcode Fuzzy Hash: 421272b06df671110bcbb96d125b78b1997457c6984bab933b9aa6f3bccc1757
Instruction Fuzzy Hash: C7129234218B488FE7A5DF28C8997AAB7E1FB88304F50452DA09FD3291DB779945CB43

Function 00007FFE013EF860 Relevance: 3.0, Strings: 2, Instructions: 492COMMON

Download Yara Rule

Strings

Expression tree is too large (maximum depth %d), xrefs: 00007FFE013EFC31
RIGHT-JOIN %s, xrefs: 00007FFE013EF8C1

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)$RIGHT-JOIN %s
API String ID: 0-3209196797
Opcode ID: 6bdc4e3d87ef28e8d4cb3090bc1980dd562276af739fe34276e87d9da798e62e
Instruction ID: 29c5219c1b37db0a2e840a0412f9147d2f844e9e7c62ec0fe71eb592dc1fd722
Opcode Fuzzy Hash: 6bdc4e3d87ef28e8d4cb3090bc1980dd562276af739fe34276e87d9da798e62e
Instruction Fuzzy Hash: 8632AD72A08B8186EB24DF15D1407AA7BA4FB94F84F528235DB8D4B7A9DF7CE451CB00

Function 00007FFE01377C7A Relevance: 2.9, Strings: 2, Instructions: 434COMMON

Download Yara Rule

Strings

siX, xrefs: 00007FFE013780C7
p, xrefs: 00007FFE01377EB4

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: p$siX
API String ID: 0-2543382682
Opcode ID: 91d87498988205396fb95b5f8bce35e2dff831bc6c63c88aad0b90ab928b15b8
Instruction ID: 350f66a8d8b5cfc408b803461f916a4cb35a09d2c0104b9f68bfb689da0ce432
Opcode Fuzzy Hash: 91d87498988205396fb95b5f8bce35e2dff831bc6c63c88aad0b90ab928b15b8
Instruction Fuzzy Hash: 03126B36B08B4186EB60DF56E4446AE77A1FB88B98F164136DE4D5BBA4CF3DE441C700

Function 00007FFE0138B8A0 Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

%s%cetilqs_, xrefs: 00007FFE0138BA13
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00007FFE0138BA5C

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s%cetilqs_$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
API String ID: 0-3061913499
Opcode ID: 79e5f45c5ac972cc5ede2905bf1b76c27e51d6835a4432ced497a8249ae736b6
Instruction ID: 238277465563e17503c2f6f835becbf9ae55cd0333bb920f06f889631e600f78
Opcode Fuzzy Hash: 79e5f45c5ac972cc5ede2905bf1b76c27e51d6835a4432ced497a8249ae736b6
Instruction Fuzzy Hash: 22B13842B1D7CA07DF0D8B3D645127CABA18759B84F58817AEA9D8B7E6DC2CF602C710

Function 00007FFE013E7170 Relevance: 2.2, Strings: 1, Instructions: 938COMMON

Download Yara Rule

Strings

Expression tree is too large (maximum depth %d), xrefs: 00007FFE013E7DA1

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)
API String ID: 0-1961352115
Opcode ID: 0d26762867f4d32bc4fdc670b73027a736a2d59be08dd843a354fa051f637e28
Instruction ID: 1a3d49c9d60a1e97c47444916642fd8278ad8433ec3c51731724640aadc3d87f
Opcode Fuzzy Hash: 0d26762867f4d32bc4fdc670b73027a736a2d59be08dd843a354fa051f637e28
Instruction Fuzzy Hash: 8782BC32A0D78682EB648B16D1402BA77E0FB64B94F164236DF5D4BBE9DF3CE4518780

Function 00007FFE013E2B40 Relevance: 1.9, Strings: 1, Instructions: 673COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFE013E326E

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7a1f70aac5878618fc27b4bbb8b1710e93b5d2fa79008adcbcc6485344c47f9f
Instruction ID: 15583b663c998b460bad0b4295bc388e10e435b26f46faf5e42bfef02b36bf7f
Opcode Fuzzy Hash: 7a1f70aac5878618fc27b4bbb8b1710e93b5d2fa79008adcbcc6485344c47f9f
Instruction Fuzzy Hash: EB52A322A0C79581EB648B16D04027AB7E5FBA5B94F165035EE8E5B7ECDF3DE841CB00

Function 00007FFE013A5650 Relevance: 1.9, Strings: 1, Instructions: 668COMMON

Download Yara Rule

Strings

Expression tree is too large (maximum depth %d), xrefs: 00007FFE013A5F0B

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)
API String ID: 0-1961352115
Opcode ID: 34a6e5e20e9b24df41e93f6d9eefb58c0fdad4450c2412d552c72a54081b2a9f
Instruction ID: 6301964652143069d0f60b74aed9bca5f572a52491a9622e6bf7884fd6819cce
Opcode Fuzzy Hash: 34a6e5e20e9b24df41e93f6d9eefb58c0fdad4450c2412d552c72a54081b2a9f
Instruction Fuzzy Hash: 8B628972A09B8186EB54CF25D1847AD77A8FB48B88F568139EE4D4B7A5DF3DE490C300

Function 00007FFE013AFE30 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

nth_value, xrefs: 00007FFE013AFE9D, 00007FFE013AFFE3, 00007FFE013B0816

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: nth_value
API String ID: 0-3295069819
Opcode ID: 4c66cdc7379dffe4fd20e66b7d3e3fc2b3fe02861234f793d0e83d5af507c5d7
Instruction ID: 01fcb8715728ee5ffdf5510f486c0af81fb6237d421e7ff2c13463b6d30e32fd
Opcode Fuzzy Hash: 4c66cdc7379dffe4fd20e66b7d3e3fc2b3fe02861234f793d0e83d5af507c5d7
Instruction Fuzzy Hash: AD628172619A818AEB14DF25D480BAD3BA1F784F88F568135DB8E4B769DF3CD444CB40

Function 00007FFE01340DD0 Relevance: 1.8, Strings: 1, Instructions: 592COMMON

Download Yara Rule

Strings

:memory:, xrefs: 00007FFE01340E3D

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: :memory:
API String ID: 0-2920599690
Opcode ID: 01d8120b715621296ce3fb142db599264703c9df6a827bc3ccc610bab5870b93
Instruction ID: 92822db32fdb314346bd71694c3c0d1c728badfac5a88496102d1b35600402ce
Opcode Fuzzy Hash: 01d8120b715621296ce3fb142db599264703c9df6a827bc3ccc610bab5870b93
Instruction Fuzzy Hash: 4C427822E0DB8682EB658B66955037927A0FF95B84F164139DE4E4B7B4EF7CF894C300

Function 0000026AECD65D60 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

(, xrefs: 0000026AECD65FE6

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction ID: c583c1b9eefbc5f7172a45ae0950be0d627daafbb0658985ced5e631540ac4b2
Opcode Fuzzy Hash: abcda2cce44acd7600387513da42d6dbaa6d0e49c1554b2389a16b5e095b6a28
Instruction Fuzzy Hash: D9F1A574658B448FEBA9DF2884897AFB6D1F788304F50453EE09BD3291DB379846CA43

Function 00007FFE01387B80 Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00007FFE013880C6

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 3d4d7d1bd9c7307eeb24ddd32e45d821d4e2ed8b8e1d30334e9bbc6760b1444b
Instruction ID: c77504718f10a1cf8a4d2fa8a3d7526a772c610c461b83a9fe703a83b77c0942
Opcode Fuzzy Hash: 3d4d7d1bd9c7307eeb24ddd32e45d821d4e2ed8b8e1d30334e9bbc6760b1444b
Instruction Fuzzy Hash: E722CC62A09B4281EB248F65D4502BD33A5FF84B98F264632EE5D5B7E5DF3CE442C350

Function 00007FFE013DE340 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFE013DE44E

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: cca450176754c46bf21ac8982ee6ab971f96ed00f54e41eaba65e85559b04508
Instruction ID: 19ddfc5991b3994448b5134039e7ca5926c1366f16798972392cadf988dbffdf
Opcode Fuzzy Hash: cca450176754c46bf21ac8982ee6ab971f96ed00f54e41eaba65e85559b04508
Instruction Fuzzy Hash: E632B072A19A818ADB60DF15E440BAD7FA5F784F84F568136DB8E4B7A8DB3CD441CB00

Function 00007FFE0136A640 Relevance: 1.7, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFE0136A865

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 87a4f4fadbc6888c0203715d688b38bff993bdfe6ee01d37a1eb2aa68f2a8791
Instruction ID: da6217a5eced69c4846a52d8849161b037fdf2b5e1985127892ced2ea10e3bad
Opcode Fuzzy Hash: 87a4f4fadbc6888c0203715d688b38bff993bdfe6ee01d37a1eb2aa68f2a8791
Instruction Fuzzy Hash: 8C226E72A08A828AEB60DF15D040BA93BA1FB85FC8F568135CE4E5B7A5DF3DE455C700

Function 00007FFE013CD850 Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

sqlite_stat1, xrefs: 00007FFE013CDCB8

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: sqlite_stat1
API String ID: 0-692927832
Opcode ID: 62995e8ffe89db7e16c3332a6130806eab158480cd25a03722bf3d80ea9bce6f
Instruction ID: de3905d6c7a79640d05c8dd7369e99f7d4e12d1d0983bd859e2a4795c451214a
Opcode Fuzzy Hash: 62995e8ffe89db7e16c3332a6130806eab158480cd25a03722bf3d80ea9bce6f
Instruction Fuzzy Hash: 8012E472A086818AEB608F65D5407BE7BA4FB95F84F064135EB8E4BBA5DF3CD441C740

Function 0000026AECD84550 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

8, xrefs: 0000026AECD84666

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 6b67e5068f6b5c119f0bffc7c64d18de370588fa1bf746384f48e482c057c185
Instruction ID: 15c938ec76aae44d9fea98ce8525d2e629490e5ac47a36378cd68cdf071848a3
Opcode Fuzzy Hash: 6b67e5068f6b5c119f0bffc7c64d18de370588fa1bf746384f48e482c057c185
Instruction Fuzzy Hash: 56D1EB34258B488BE766EB18D89A7EAB3D1F784304F50453DA45BD32D2DF7799018A83

Function 00007FFE013B2820 Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFE013B2C1C

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 478220aae51809fbfcec016796735ebdd5260293ee67cc10018442a66457af5a
Instruction ID: aad98cf98cc4ed46d7dc368955712ac493b36e16155ac801b38cb6030caa1854
Opcode Fuzzy Hash: 478220aae51809fbfcec016796735ebdd5260293ee67cc10018442a66457af5a
Instruction Fuzzy Hash: 4402AF726186818AE760DF16D080B7A7BA0FB85F84F125235DB8A4BB65EF3DF551CB00

Function 0000026AECD866E0 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

, xrefs: 0000026AECD8677D

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 990200c829865227b6571aa3573083370787801c1570d2fe66e4a338792caab8
Instruction ID: 09e9b2eaddf535d162158c08903bd1cdac3d61363e5087bb30a25682559184e4
Opcode Fuzzy Hash: 990200c829865227b6571aa3573083370787801c1570d2fe66e4a338792caab8
Instruction Fuzzy Hash: 7AA11B352586448BE755AB2CD89A37EB7D1FB88304F40453CF09BD3292DA7BD9428B83

Function 00007FFE01402648 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE013FA524: GetLastError.KERNEL32 ref: 00007FFE013FA533
Part of subcall function 00007FFE013FA524: FlsGetValue.KERNEL32 ref: 00007FFE013FA548
Part of subcall function 00007FFE013FA524: SetLastError.KERNEL32 ref: 00007FFE013FA5D3

EnumSystemLocalesW.KERNEL32(?,?,?,00007FFE01402E3F,?,00000000,00000092,?,?,00000000,?,00007FFE013FBB0D), ref: 00007FFE014026E6

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 3f1b1e3eb3dc78c35f4179ae3ba720a2dfa3b9b342b5332880479f1ba560979a
Instruction ID: 718bd8bf900d439ef154da0add56db1647e405bcaaa503517e0cc08c4c782ea2
Opcode Fuzzy Hash: 3f1b1e3eb3dc78c35f4179ae3ba720a2dfa3b9b342b5332880479f1ba560979a
Instruction Fuzzy Hash: 6211D267E186458AEB169F66D444AB877A0FB50BA0F458139CA2D4B3F0CBBCD9D1C740

Function 00007FFE01402718 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE013FA524: GetLastError.KERNEL32 ref: 00007FFE013FA533
Part of subcall function 00007FFE013FA524: FlsGetValue.KERNEL32 ref: 00007FFE013FA548
Part of subcall function 00007FFE013FA524: SetLastError.KERNEL32 ref: 00007FFE013FA5D3

EnumSystemLocalesW.KERNEL32(?,?,?,00007FFE01402DFB,?,00000000,00000092,?,?,00000000,?,00007FFE013FBB0D), ref: 00007FFE01402796

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 5501cd416a1d754832eb2aab725368e657402348989c4a7e402598e2c7d5e552
Instruction ID: 25669d8c7a792d527d152a4b549e7d30d6d448dff9cf34ca1ec79e1fe9d3b904
Opcode Fuzzy Hash: 5501cd416a1d754832eb2aab725368e657402348989c4a7e402598e2c7d5e552
Instruction Fuzzy Hash: 6301B172E0828286E7125F96E444BB976E1EB40BA4F458239D66D4B2F4CFBC98858700

Function 00007FFE013FA9A8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FFE013FAD0B,?,?,?,?,?,?,?,?,00000000,00007FFE01401C80), ref: 00007FFE013FA9F7

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 6b0a6223b7cf5906a18646ad8956f3befa6e53c9cb96d98eea890e9931d18a90
Instruction ID: 6c94010b26b98bd2e1db88ab5e19cbf6001b90f84d93cffa79b32c9eae4206c7
Opcode Fuzzy Hash: 6b0a6223b7cf5906a18646ad8956f3befa6e53c9cb96d98eea890e9931d18a90
Instruction Fuzzy Hash: 49F0AF72B08B8583E700EB25F8905A93361FBA87C0F958039DA4D9B374DE3CE5918300

Function 00007FFE013310B0 Relevance: 1.5, APIs: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE013F64A4

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: bda6ed82e027d74987d1db50b8e518f77e0611497fcd5cb496a64431374b2807
Instruction ID: 4d04e0e66fbebeabaac3f8a46169fdb3f9e14809f6467d17526c93c02f6cb131
Opcode Fuzzy Hash: bda6ed82e027d74987d1db50b8e518f77e0611497fcd5cb496a64431374b2807
Instruction Fuzzy Hash: B7F0E9E1F2968942EF24A755941137852429F5CBF0F009339ED3E5E7E9EE2CE0504300

Function 00007FFE01407924 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFE0140794F

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 87582c9bebe7a3e4c7d159f22016cb2b02e1682909312de42912900847b5cbe1
Instruction ID: 4105d654c96517c39dfa60bfc9c48f5030e25d308ee1742a42e683d961c8c092
Opcode Fuzzy Hash: 87582c9bebe7a3e4c7d159f22016cb2b02e1682909312de42912900847b5cbe1
Instruction Fuzzy Hash: 91E06772615B10A5F7009BB4E46479E3774F3417BCF501745AFB426AD9CBB983488344

Function 0000026AECD666C0 Relevance: 1.0, Instructions: 996COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction ID: a79d38f32fce6ea66ea28c02a9edd7fa8d7ab86536b66a0f712fa606b8d57652
Opcode Fuzzy Hash: c77ee9db95c24773db9081a7deccb5cf2f36f3081fec3039551d8f54b381666b
Instruction Fuzzy Hash: D772B478360A058BFF5A9B289CDA7A933D6FB8C340F854074A857D72C5CE77E841CA52

Function 00007FFE013E5C40 Relevance: .9, Instructions: 945COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c26f94e001009ceeff9b25b996670fbf22535e96e30090b0422cf688ba8a0f
Instruction ID: 5d13f6cde8185690d8d42c2d3b5377ad6d4349cca3817bc41e990a21a3a94998
Opcode Fuzzy Hash: d1c26f94e001009ceeff9b25b996670fbf22535e96e30090b0422cf688ba8a0f
Instruction Fuzzy Hash: E7A282B2A19B818AEB10DF19C041BAD7BA1F7A4F48F568136DA4E4B7A9DF3DD441C700

Function 00007FFE013C9AD0 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b5a7939cd80df77f78470cfcdbaac86cec07939c3a871c21a9c402b1ddd94c
Instruction ID: 865c3f31d941885814f9bfb69b83a32f80c83318811fe4ebecd2faf2092d5fde
Opcode Fuzzy Hash: b1b5a7939cd80df77f78470cfcdbaac86cec07939c3a871c21a9c402b1ddd94c
Instruction Fuzzy Hash: 47524D72A08B8686EB60CF16E4447B977A4FB85B94F464135DE8D4BBA4DF3CE484CB00

Function 00007FFE013B0C30 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce10308d26f1e608ba220d5ad9824a985c8af5d3ccc692004c464b560a4cff2
Instruction ID: d8cf7bbd4f6db688acb7a34956316813a33317c550660db76068d2fb49cd51c6
Opcode Fuzzy Hash: bce10308d26f1e608ba220d5ad9824a985c8af5d3ccc692004c464b560a4cff2
Instruction Fuzzy Hash: 2A429172619A818AD760CF15D090BAD3BB0F784F88F568135DB8E4BB69EB3DE451CB00

Function 00007FFE0133C990 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85f5a95eb0344a530453e3b24b5230fd56c2c77a4411218a7e9eb9391d776bf
Instruction ID: 2909d82fd55170f1db71bc62102bef1a9ee911bd3f3f354afc14093d68e78021
Opcode Fuzzy Hash: e85f5a95eb0344a530453e3b24b5230fd56c2c77a4411218a7e9eb9391d776bf
Instruction Fuzzy Hash: D2228B76B09B8286EB64DB5AD48436977A0FB88F84F029036CE4D5B771CF3CE8958744

Function 0000026AECD699D0 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4268b6c979d72500600cd7bade4e6cf27a5649bde7adde496e2e793c183ab8e
Instruction ID: 55f460f11885deff1371cb2f44365c7d5fbc1895346a3d8e6693f2f3082e22c2
Opcode Fuzzy Hash: d4268b6c979d72500600cd7bade4e6cf27a5649bde7adde496e2e793c183ab8e
Instruction Fuzzy Hash: 32F18F34258B488FE765EB28D4997AAB7D1FB88304F10463D949BD3292DF379845CB43

Function 0000026AECD90210 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction ID: 972a2b125e1bd4e52ad492ec9af2aa0a88d5eb17acbe65c309a0b90018afad04
Opcode Fuzzy Hash: 9aa099fc02c16ba095d4bf4291fdb0dcd3e10970e4b1abe0c916cefc9fc1f856
Instruction Fuzzy Hash: 7FE16634258B488BE755EB1CD89A36AB7D1FBC8304F50452DA09BD3292DE7BD9418B83

Function 0000026AECD74DB0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e5cb04a7b8afc38bfdb1fe03543906a8b7734bb26e47d94f1bfbbc31827fd8
Instruction ID: d90bd2d2c57b710be84a42132784f4f74a63322dc4a6e8e02c9ecde6fec9da42
Opcode Fuzzy Hash: 67e5cb04a7b8afc38bfdb1fe03543906a8b7734bb26e47d94f1bfbbc31827fd8
Instruction Fuzzy Hash: 08E1D834268B488FE756EB2CC49A76AB7D1FB89344F50453DA09BD3292DE77D8018B43

Function 00007FFE013E1000 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cb904ff898f0cd07191ba6fd6bf6cd41ad634501b5e061c1ce7f67f1b18ccd
Instruction ID: cf299fba9b76892b44a27d02ec96434904018c4081fdc6917ce97d4a36002a44
Opcode Fuzzy Hash: e9cb904ff898f0cd07191ba6fd6bf6cd41ad634501b5e061c1ce7f67f1b18ccd
Instruction Fuzzy Hash: AC228D62A1C78286E760CB25E5407BD3BE5FB68784F065135EE4D9BAE8DB3CE550CB00

Function 00007FFE013D4DB0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5b8185ffa5e425ac5672294442339b9676011be98afc1e05e448be90b784a7
Instruction ID: 9f34aa91830ab0163815536ce119d2610a89be3df3105ecb62f5b77f7afd48a4
Opcode Fuzzy Hash: 4c5b8185ffa5e425ac5672294442339b9676011be98afc1e05e448be90b784a7
Instruction Fuzzy Hash: 04126E76B09A8686EB608B5AE88472E77B4FB84B84F524035DE8D4B774DF3DE845C700

Function 0000026AECD855E0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction ID: 0b98c885bafae9cd57ccf7cdbc3677868761f66ca06e5af31978fc849e07a1bd
Opcode Fuzzy Hash: d67f70248d9871493b444570412385d01f8192461fdcfc939c1c5d9bc251a4ce
Instruction Fuzzy Hash: D8C19334328B448FE755EB2CC49A76AB7D1FB89308F50452DA09BD3292DB7AD9418B43

Function 00007FFE013B2200 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ed813a0efaa55299fd38e73dfe6d2f712fde8d2b4ad995ab00ca54d5939209
Instruction ID: 469a2a62d28a51199b38e10e65d4646e974dc3e655b780fd8b93da3ab964f139
Opcode Fuzzy Hash: a1ed813a0efaa55299fd38e73dfe6d2f712fde8d2b4ad995ab00ca54d5939209
Instruction Fuzzy Hash: 6E129432A19A8186DB50DF15D090BAD3BA1F794F88F568236CB8E4B769DF3CE455C700

Function 00007FFE0139DA70 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd26b64c9d1f3f06ac55391d0e3bf786ea7103685a080d01c4bf1d5f1593e05f
Instruction ID: 408338af2e2a2c2e2cc355ee7dfab5359876c96416954b36654d41960d800951
Opcode Fuzzy Hash: fd26b64c9d1f3f06ac55391d0e3bf786ea7103685a080d01c4bf1d5f1593e05f
Instruction Fuzzy Hash: 8C12C272A186818AD760DF2AD441BAD7BA0F784F88F468135DB4E4BB69DF3CE441CB40

Function 00007FFE013C5710 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a82b3215b32b201a3b488b237311b68fdf40bd6e280f0fe68ad1ecac2f78089
Instruction ID: 8b62ad9e20b2d91dbc8b9532fbbe8abbde3e538c06c270cce524834114e9d0b1
Opcode Fuzzy Hash: 6a82b3215b32b201a3b488b237311b68fdf40bd6e280f0fe68ad1ecac2f78089
Instruction Fuzzy Hash: 4CF14E76F09A568AEB10CFA5D4802AD37B1FB48798F424135DE0D6BB68DE7CE815C740

Function 00007FFE01388480 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef79badb1275741fda65e0c80cded77a85b2722d8b4bb4ccdc40576210651e25
Instruction ID: 93e7744e2c955550d925ab908aee3d8688bcd0b1576d2b0e0d4fbbb287d86bf3
Opcode Fuzzy Hash: ef79badb1275741fda65e0c80cded77a85b2722d8b4bb4ccdc40576210651e25
Instruction Fuzzy Hash: 21D16963E1C7D186FB368724E4203BC6BA1EB61750F8A45B5C39A0BBE1DA2DD545C311

Function 0000026AECD7BED0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548461707.0000026AECD61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026AECD61000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_26aecd61000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction ID: d547922a91928b06d3a3cd59346c2b74cea2ff2485cce5ae345bf37cb05872aa
Opcode Fuzzy Hash: 2428df4c2b5cda2abb3800129e89791470056923b1d70c4f1012cb95f183359f
Instruction Fuzzy Hash: ACB14F74218B488FE7A8DF1CC499BAAB7E1FB99304F50452DA08ED3291DB76D845CB43

Function 00007FFE01346A20 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ac3ff416e8dab6c36538aed586f309d236c5f8a5e7d4a34461dbbd6eca2443
Instruction ID: b7978aaca029df15ceab0a0ce3c22c57836141c061f723b9f471520d3df86a95
Opcode Fuzzy Hash: f3ac3ff416e8dab6c36538aed586f309d236c5f8a5e7d4a34461dbbd6eca2443
Instruction Fuzzy Hash: C9D1D3B2B1D78187EB648F2AD08137D67A1FB46B84F159035DE4E4B7A5CE3DE4858700

Function 00007FFE01385DB0 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ac38aa2fe8bcd28d399c926bbba0b7e6fbf5d90d0f7448f588db00ab38c5d5
Instruction ID: 227af23be244e8f840f0f611b1f4ec8913010fac8ad48e8fc753f647b0e60a50
Opcode Fuzzy Hash: 18ac38aa2fe8bcd28d399c926bbba0b7e6fbf5d90d0f7448f588db00ab38c5d5
Instruction Fuzzy Hash: CFB18C77B106648FE318CFB998418DD7BE1F388748750462AEF17D3B44EA74AA56CB80

Function 00007FFE013FB95C Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: cf9b97d7cc483afff70f3a3d20c81dd90e8c6ed473082f89619dd5e72547d075
Instruction ID: 62302f2745cc83a0d00c0e9607210e77f61898bb3d67b9361452bb806b0e93f2
Opcode Fuzzy Hash: cf9b97d7cc483afff70f3a3d20c81dd90e8c6ed473082f89619dd5e72547d075
Instruction Fuzzy Hash: 93C1E7A6B086C285EB60AF61D5107BAA7A4FF84788F414039EE4D6B6EDDF3CD504C701

Function 00007FFE0139B1F0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751e48c6b89df9bcf41dba2fe0b1d5c5adbad5e4920f81634528e1558f8acf8e
Instruction ID: 4ed1a9f0c5a388ef6595c21c634432a6185ff4c5952cff30f3676a59e8446455
Opcode Fuzzy Hash: 751e48c6b89df9bcf41dba2fe0b1d5c5adbad5e4920f81634528e1558f8acf8e
Instruction Fuzzy Hash: 7ED19472A18B818AE750DF25E540BAE7BA4F794B88F119235DE8D47B69DF3CD051CB00

Function 00007FFE013C6210 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a1def9a490e3ade9ce55c21f00aaaaa3a826b5da76908a59614d9ce2aee6d3
Instruction ID: 7c06c2a56f80f94294aa252da9ef81170e5e9d511a1167afd298801840b142dc
Opcode Fuzzy Hash: f8a1def9a490e3ade9ce55c21f00aaaaa3a826b5da76908a59614d9ce2aee6d3
Instruction Fuzzy Hash: C8B17C72F04A558AEB10CFB6D4816AD77B2FB48B88B024535DE0D67B68DE3CD806C780

Function 00007FFE01388DD0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406dcc27e4e7ac63449c9c517ce1bf9e29620da6dafbc456747df58ca3807661
Instruction ID: 5e85cb097e417c4cd386226fd6c6ef12ca013915e0d7d7f24a3c27002c587fe1
Opcode Fuzzy Hash: 406dcc27e4e7ac63449c9c517ce1bf9e29620da6dafbc456747df58ca3807661
Instruction Fuzzy Hash: 24917C62B1878587DB18CF2C910437C77A1F798B48F95A228DB5A87B51EB3CE685C700

Function 00007FFE013F6150 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3d3be46f2ecb87892e1911f91da2774aebb2273f689d7041ca54b41c0f4b1c77
Instruction ID: 5188bd4e6147fddd5a08cf1ed1d1730b7a311a5a8d97d6abbb7ec2d850dac77d
Opcode Fuzzy Hash: 3d3be46f2ecb87892e1911f91da2774aebb2273f689d7041ca54b41c0f4b1c77
Instruction Fuzzy Hash: 0E81A372A04A9585EB64EF29D48237D3360FB44B98F56463AEF1EAB7A5CF3CD0518340

Function 00007FFE0136F4E0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cab641b06e301bd0ea6670f61f5b8643485071a42dfd5a6d8b5d5fd2df9db7
Instruction ID: 116e8d78a77c4c876c93d00e0ae39602d77b405855cb5653b2142d5ec05356ff
Opcode Fuzzy Hash: 24cab641b06e301bd0ea6670f61f5b8643485071a42dfd5a6d8b5d5fd2df9db7
Instruction Fuzzy Hash: 8891BC62E18B8682E705CF29911427C77A4FB98B88F1AE235DB4D47766EF3CE5918340

Function 00007FFE013922C7 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28e8264853b8d8a58b4bc98b4794268070b3f7229a2536823b2e08521162688
Instruction ID: 5b38cde9c25a8afe7ce723d04f0795580dcc3154dab9227ebc4b43036985c735
Opcode Fuzzy Hash: e28e8264853b8d8a58b4bc98b4794268070b3f7229a2536823b2e08521162688
Instruction Fuzzy Hash: E281E663A0C99282F714CB16955117BABA1FB91B94F034032EE8D5B7B5DF3CE442DB11

Function 00007FFE013D4690 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f36d36e8b577014ed520573b28e8af05decb50f5d9a63111295d2c1c6783dc6
Instruction ID: 6df766e0e3cde3a6b1f521a0269a58b0895c5d961c6b23b400bbd2bf0f445ac2
Opcode Fuzzy Hash: 9f36d36e8b577014ed520573b28e8af05decb50f5d9a63111295d2c1c6783dc6
Instruction Fuzzy Hash: 5761E472A186A586E7208F15E44167A7BA0F789BC4F165132EFCE4BB64DF3DD941CB00

Function 00007FFE0137C790 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d063c41d688151cab6f20f8f2de51a63d07d51dbfdf167c3fd7e8c928c60c106
Instruction ID: e2cbdde78080eaca0ad8110f7bca18b062ee31b915b5071935b346c19a093904
Opcode Fuzzy Hash: d063c41d688151cab6f20f8f2de51a63d07d51dbfdf167c3fd7e8c928c60c106
Instruction Fuzzy Hash: B491C122A0CBC685E7328B28A4456FABBA4FB89784F455235EE8D4B775DF3CD141CB00

Function 00007FFE0139B6B0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c99d5806c2a2077ccc8b3489acfaa95e3ecd85dd21d1acc95e3badb75ceb24
Instruction ID: bfa3175f42de2933ebd9866f2a3b0336d4bd09c84a736b225079aaf16a99445e
Opcode Fuzzy Hash: d3c99d5806c2a2077ccc8b3489acfaa95e3ecd85dd21d1acc95e3badb75ceb24
Instruction Fuzzy Hash: 6661E032A0869185EB249B26A454FAFB7A5FB45FC4F965135EE8D0FB6ADE3CD000C700

Function 00007FFE013E7F70 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a415baf843f345d083c0d973dc3e42ad1215a5686fff7d8fe97db61a72f22e
Instruction ID: eda3e63ae62e8cb04edfa1dfa6c19e50ac4b7a5b26d332ae887f4f4ade6388de
Opcode Fuzzy Hash: 70a415baf843f345d083c0d973dc3e42ad1215a5686fff7d8fe97db61a72f22e
Instruction Fuzzy Hash: F8518D72E1C7519AEB64DA2594001BA67E1FB54BC4B0B9471DE4D0F6ACDF3CE8428740

Function 00007FFE013D7950 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3941cfbd6796fb25c625dc9a1d3ec830ef6782199b8fc75aa4aaec98026999c4
Instruction ID: ae6de883d30d95509e489baefba10cd2932bcf67f2c9729d64e158e8cbd66bdf
Opcode Fuzzy Hash: 3941cfbd6796fb25c625dc9a1d3ec830ef6782199b8fc75aa4aaec98026999c4
Instruction Fuzzy Hash: 3A5179623087F846DB098729A4442BEBEA5F345381F429032EEC95BFB6D63CE845DB00

Function 00007FFE01332440 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb5831347f65725b233d05e29be0b48178cbe697d662fc4a6736bd2425b0af4
Instruction ID: 362ead77cd8bb35a216435614de81949ac1654d83e04b45837c799dca011ae14
Opcode Fuzzy Hash: 8bb5831347f65725b233d05e29be0b48178cbe697d662fc4a6736bd2425b0af4
Instruction Fuzzy Hash: 0B4189A3A6A3C54FEB0D45AC08122E66F50E337A10F89977CD584DB3D7C40CCA66E395

Function 00007FFE01361490 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ed5a33316d43cd1172c21d097fc726b5d164f5c989eca7a35a37f110ce1b0c
Instruction ID: 7d386a683352489559d88e8c1f82f490579ff447ed08c862cb45de5f76fcc150
Opcode Fuzzy Hash: 16ed5a33316d43cd1172c21d097fc726b5d164f5c989eca7a35a37f110ce1b0c
Instruction Fuzzy Hash: B82132C660A6D48EEF42CBA988523B87F91D7777C8F59E066D28C0ABA6C51DD10AD310

Function 00007FFE01331CF0 Relevance: 27.2, APIs: 18, Instructions: 178filesleepCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFE01331D4E
GetLastError.KERNEL32 ref: 00007FFE01331D60
Sleep.KERNEL32 ref: 00007FFE01331D7E
CreateFileW.KERNEL32 ref: 00007FFE01331DB0
GetFileInformationByHandle.KERNEL32 ref: 00007FFE01331DDC
CloseHandle.KERNEL32 ref: 00007FFE01331DE9
GetFileSize.KERNEL32 ref: 00007FFE01331E18
GetLastError.KERNEL32 ref: 00007FFE01331E27
CloseHandle.KERNEL32 ref: 00007FFE01331E34
CloseHandle.KERNEL32 ref: 00007FFE01331E50
CreateFileW.KERNEL32 ref: 00007FFE01331E88
GetLastError.KERNEL32 ref: 00007FFE01331E97
Sleep.KERNEL32 ref: 00007FFE01331EB5
CreateFileW.KERNEL32 ref: 00007FFE01331EE7
GetFileInformationByHandle.KERNEL32 ref: 00007FFE01331F0B
GetFileSize.KERNEL32 ref: 00007FFE01331F34
GetLastError.KERNEL32 ref: 00007FFE01331F43
CloseHandle.KERNEL32 ref: 00007FFE01331F60

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: File$Handle$CloseCreateErrorLast$InformationSizeSleep
String ID:
API String ID: 142978218-0
Opcode ID: 26862680f932b182a8d9d2cc3b4f95d5efc313cd42107615d5aecd2772f46e7c
Instruction ID: 11073d90213d342b84509ccb3ec9cb801b0883135b460e617491915f99b75fe2
Opcode Fuzzy Hash: 26862680f932b182a8d9d2cc3b4f95d5efc313cd42107615d5aecd2772f46e7c
Instruction Fuzzy Hash: 1D716031E08A4286F7619B25A55473A62A0BF89FB4F114334E9BD0BBF4DF3DE8498704

Function 00007FFE01333B50 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FFE01333B78
Sleep.KERNEL32 ref: 00007FFE01333D31
GetTickCount64.KERNEL32 ref: 00007FFE01333D41

Strings

%s at line %d of [%.10s], xrefs: 00007FFE01333CFA
destination database is in use, xrefs: 00007FFE01333C55
API call with %s database connection pointer, xrefs: 00007FFE01333CD7
invalid, xrefs: 00007FFE01333CCB
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE01333B8D
misuse, xrefs: 00007FFE01333CEE
source and destination must be distinct, xrefs: 00007FFE01333BC1

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Count64Tick$Sleep
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API call with %s database connection pointer$destination database is in use$invalid$misuse$source and destination must be distinct
API String ID: 417912201-3158697872
Opcode ID: b081c2a26e7da91c4aeedb44f17af51f8224c98c509d5ffbfbcf2ae96c53074a
Instruction ID: e8e1d726ef5cd7bed7385d0d02279f7522fb7a667520e81ce7282e374a6ca56c
Opcode Fuzzy Hash: b081c2a26e7da91c4aeedb44f17af51f8224c98c509d5ffbfbcf2ae96c53074a
Instruction Fuzzy Hash: 65516B61E08B4286FB559B26E9446B923A1FB84F84F568136DE4D0B7B5CF3CE891C384

Function 00007FFE013FAA24 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FFE013FB12C,?,?,?,?,00007FFE013F6402), ref: 00007FFE013FABA0
GetProcAddress.KERNEL32(?,?,?,00007FFE013FB12C,?,?,?,?,00007FFE013F6402), ref: 00007FFE013FABAC

Strings

api-ms-, xrefs: 00007FFE013FAAEA
ext-ms-, xrefs: 00007FFE013FAAFD

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 7562c84af24565a34be147bf0d63188374f690327f7759320bb3070aed37f4fe
Instruction ID: f32b94e5c272db8b009128e23e79f8cd461cbf49ac9166edbaa2a40b67e67e6b
Opcode Fuzzy Hash: 7562c84af24565a34be147bf0d63188374f690327f7759320bb3070aed37f4fe
Instruction Fuzzy Hash: 7E412622B19A4741FB16EB16A9145753392BF45BE0F0A863DDD1D9F7B4EE3CE8458300

Function 00007FFE01333060 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FFE0133306F
Sleep.KERNEL32 ref: 00007FFE013330E6
GetTickCount64.KERNEL32 ref: 00007FFE013330F6

Strings

%s at line %d of [%.10s], xrefs: 00007FFE0133313E
API called with finalized prepared statement, xrefs: 00007FFE0133310F
05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d, xrefs: 00007FFE01333120
misuse, xrefs: 00007FFE01333132

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Count64Tick$Sleep
String ID: %s at line %d of [%.10s]$05941c2a04037fc3ed2ffae11f5d2260706f89431f463518740f72ada350866d$API called with finalized prepared statement$misuse
API String ID: 417912201-2356847551
Opcode ID: 14dbfe15db05f7460b2fb4c622cd54e52d52a6ca8ea0413059ae43ca11291b19
Instruction ID: 07b719cfb08a79b72974f65f939bcf04420c95d37190bfaef414a4a688f51435
Opcode Fuzzy Hash: 14dbfe15db05f7460b2fb4c622cd54e52d52a6ca8ea0413059ae43ca11291b19
Instruction Fuzzy Hash: 13219F21F08B4286FB659BA6E9802B9A3A1FF44F90F418035DA5E4F7B5DF6DE8458304

Function 00007FFE013F79C0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE013F7A03
_invalid_parameter_noinfo.LIBCMT ref: 00007FFE013F7DF0
_invalid_parameter_noinfo.LIBCMT ref: 00007FFE013F808C

Strings

p, xrefs: 00007FFE013F7B2D
f, xrefs: 00007FFE013F7B25
p, xrefs: 00007FFE013F7AB5

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: c9ad3ceda9924f7410024becc4520081b5d7fe8b9201ec39d397413a1bd7d468
Instruction ID: 4e2bd7f661c5a4bacc20434c17c281cbeef5b7cd756aae6ed5ea786fe76a8304
Opcode Fuzzy Hash: c9ad3ceda9924f7410024becc4520081b5d7fe8b9201ec39d397413a1bd7d468
Instruction Fuzzy Hash: D012B462E0C2C386FB24BF14D0546B976A2FB40754FD6413AE6996B6E4DF3CE9848B10

Function 00007FFE013F5CFC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE013F5EBB,?,?,?,00007FFE013F2A40,?,?,?,?,00007FFE013F2879), ref: 00007FFE013F5D81
GetLastError.KERNEL32(?,?,?,00007FFE013F5EBB,?,?,?,00007FFE013F2A40,?,?,?,?,00007FFE013F2879), ref: 00007FFE013F5D8F
LoadLibraryExW.KERNEL32(?,?,?,00007FFE013F5EBB,?,?,?,00007FFE013F2A40,?,?,?,?,00007FFE013F2879), ref: 00007FFE013F5DB9
FreeLibrary.KERNEL32(?,?,?,00007FFE013F5EBB,?,?,?,00007FFE013F2A40,?,?,?,?,00007FFE013F2879), ref: 00007FFE013F5E27
GetProcAddress.KERNEL32(?,?,?,00007FFE013F5EBB,?,?,?,00007FFE013F2A40,?,?,?,?,00007FFE013F2879), ref: 00007FFE013F5E33

Strings

api-ms-, xrefs: 00007FFE013F5DA1

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 97cf97467306c0c550e19c554bc7348bfd4a3b55111874371f74137d8fa85d2a
Instruction ID: b6df43d878d7f632f2f7f3afabe88c63eee78500e5a048a4711cdc648bae4893
Opcode Fuzzy Hash: 97cf97467306c0c550e19c554bc7348bfd4a3b55111874371f74137d8fa85d2a
Instruction Fuzzy Hash: A431C422A1AA8281EF16EB12A90467962D4FF48B60F5A4539ED1D5F7B4EF3CE4458300

Function 00007FFE013FA524 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE013FA533
FlsGetValue.KERNEL32 ref: 00007FFE013FA548
FlsSetValue.KERNEL32 ref: 00007FFE013FA569
FlsSetValue.KERNEL32 ref: 00007FFE013FA596
FlsSetValue.KERNEL32 ref: 00007FFE013FA5A7
FlsSetValue.KERNEL32 ref: 00007FFE013FA5B8
SetLastError.KERNEL32 ref: 00007FFE013FA5D3

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: b9a1ac309250ead7b6ce62fd7431341ae0cb016c43f98512d52d2251d7bf1373
Instruction ID: 2cfe8172eaf964d6863e887d459a7abd449e967272827e9e0edb4e13d5cefc10
Opcode Fuzzy Hash: b9a1ac309250ead7b6ce62fd7431341ae0cb016c43f98512d52d2251d7bf1373
Instruction Fuzzy Hash: 1C215E20F0D2C782FB55B721965953D7252AF487A4F56463CE97E6FAF6EE2CE8408200

Function 00007FFE013317E0 Relevance: 9.1, APIs: 6, Instructions: 145filesleepCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32 ref: 00007FFE013318DC
CreateFileW.KERNEL32 ref: 00007FFE01331967
GetLastError.KERNEL32 ref: 00007FFE01331976
Sleep.KERNEL32 ref: 00007FFE01331994
CreateFileW.KERNEL32 ref: 00007FFE013319BA
Wow64RevertWow64FsRedirection.KERNEL32 ref: 00007FFE013319DF

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Wow64$CreateFileRedirection$DisableErrorLastRevertSleep
String ID:
API String ID: 816130295-0
Opcode ID: 8bc8b1338c340a8ddbdd9b67acbd75ea5fbde127c461d89fcb9100d212f640d4
Instruction ID: 436ef2c86d89c517f71fc7d148c69cf82e0b1d963532ac5ac85cce2b66c38680
Opcode Fuzzy Hash: 8bc8b1338c340a8ddbdd9b67acbd75ea5fbde127c461d89fcb9100d212f640d4
Instruction Fuzzy Hash: 5E51D532F1869182F7754A29E40473A6591BB94BA0F504339DEAE4BBF5CF3DDC458B08

Function 00007FFE01331FB0 Relevance: 9.1, APIs: 6, Instructions: 109fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 00007FFE01331FFF
LockFileEx.KERNEL32 ref: 00007FFE0133203E

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: FileLock
String ID:
API String ID: 3169042693-0
Opcode ID: b36627909b426c5d2d265d94e02e54517e320222c7ed38f17ffb1feb783f61bc
Instruction ID: 5716b9dfca5031ba97f99552c2e2506de741eff71c6d3d8cadc25f998a5f6f87
Opcode Fuzzy Hash: b36627909b426c5d2d265d94e02e54517e320222c7ed38f17ffb1feb783f61bc
Instruction Fuzzy Hash: 72418132F18B4186EB608B25B48462FB3A6F788B94F558135EA9C47B68DF3CD484CB04

Function 00007FFE013FA69C Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA6AB
FlsSetValue.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA6E1
FlsSetValue.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA70E
FlsSetValue.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA71F
FlsSetValue.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA730
SetLastError.KERNEL32(?,?,?,00007FFE013F8239,?,?,?,?,00007FFE013F97EB,?,?,00000000,00007FFE013FA7BA,?,?,?), ref: 00007FFE013FA74B

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 659d54af87f3e3197771c75a9b8051b0d31e11a352b3fda74e1bb30c80f9d6c9
Instruction ID: ec85759d81c1084e0a48ba94d60d6d11199733277e65680b8a2193028b667a68
Opcode Fuzzy Hash: 659d54af87f3e3197771c75a9b8051b0d31e11a352b3fda74e1bb30c80f9d6c9
Instruction Fuzzy Hash: 8A115C24B0D2C242FB55B762A55553932929F987B4F16473CE83E6FAF6EE2CA4418700

Function 00007FFE013891C0 Relevance: 7.6, APIs: 5, Instructions: 70filesleepCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFE0138920A
GetLastError.KERNEL32 ref: 00007FFE01389220
Sleep.KERNEL32 ref: 00007FFE0138923E
CreateFileW.KERNEL32 ref: 00007FFE01389270
CloseHandle.KERNEL32 ref: 00007FFE013892AE

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: CreateFile$CloseErrorHandleLastSleep
String ID:
API String ID: 4217092948-0
Opcode ID: a2ff643abf45aec6c4c85093942659c5441a63467c0d701a9e44b994c773c3d4
Instruction ID: 12326723e1807166acd6da4763d36bac307380c9780108c1d75d265c2de8d2e2
Opcode Fuzzy Hash: a2ff643abf45aec6c4c85093942659c5441a63467c0d701a9e44b994c773c3d4
Instruction Fuzzy Hash: 6D216D71A0874582E7608B66A64473A7690FB99BF8F144735EEB90BBF8CF3CD4498740

Function 00007FFE013FA764 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013FA783
FlsSetValue.KERNEL32(?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013FA7A2
FlsSetValue.KERNEL32(?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013FA7CA
FlsSetValue.KERNEL32(?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013FA7DB
FlsSetValue.KERNEL32(?,?,?,00007FFE013F6B7E,?,?,?,00007FFE013F6BC7,?,?,00000000,00007FFE013F9A3B), ref: 00007FFE013FA7EC

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 90ec7c1a636f1d95c84cb412225ef5d14ba7aca8b717b7e8385991f0027740e3
Instruction ID: 3cbafdefa7be34ca7b4f2971be644e002913493d83ce21b2af51fb8c5f3206f8
Opcode Fuzzy Hash: 90ec7c1a636f1d95c84cb412225ef5d14ba7aca8b717b7e8385991f0027740e3
Instruction Fuzzy Hash: 67119D60F0C3C202FB59B722A55163932526F443A0F06833CE83E6FAF6EE2CE4418200

Function 00007FFE013FA5F8 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFE013FA609
FlsSetValue.KERNEL32 ref: 00007FFE013FA628
FlsSetValue.KERNEL32 ref: 00007FFE013FA650
FlsSetValue.KERNEL32 ref: 00007FFE013FA661
FlsSetValue.KERNEL32 ref: 00007FFE013FA672

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ea511fab9fff80f39c8c8f765a17b1fe5af6f23b8e7e1f80ec0b2e79d8b852b7
Instruction ID: 6d03564ab7da9c8e21a6f3b64d80c3422032fa6638b764a79d7333fba721e6c8
Opcode Fuzzy Hash: ea511fab9fff80f39c8c8f765a17b1fe5af6f23b8e7e1f80ec0b2e79d8b852b7
Instruction Fuzzy Hash: CB112790A0D28702FF59B726946667932814FA4375F5A4B3CE83E6F6F2ED2CB4418241

Function 00007FFE01333E10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116sleepCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FFE01333E1F
Sleep.KERNEL32 ref: 00007FFE01333F57
GetTickCount64.KERNEL32 ref: 00007FFE01333F67

Strings

e, xrefs: 00007FFE01333EE7

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Count64Tick$Sleep
String ID: e
API String ID: 417912201-4024072794
Opcode ID: d8d85095fabac17001ec52283b05e35ec8faecd96f452eb79881bf3bb05c31bf
Instruction ID: d07dafd80b6bec03b99ee4b42138e1c3b1f1f63aa14b3c72a1111d5a111f3d0d
Opcode Fuzzy Hash: d8d85095fabac17001ec52283b05e35ec8faecd96f452eb79881bf3bb05c31bf
Instruction Fuzzy Hash: FE414A23A09A4286EB568F2AD44037923A1FF94F54F5A8135DA4D0B7B4CF3CE886C744

Function 00007FFE01333980 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114sleepCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 00007FFE013339A3
Sleep.KERNEL32 ref: 00007FFE01333AD1
GetTickCount64.KERNEL32 ref: 00007FFE01333AE1

Strings

unknown database: %s, xrefs: 00007FFE01333A1A

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: Count64Tick$Sleep
String ID: unknown database: %s
API String ID: 417912201-159662586
Opcode ID: f041a6b858bdea5b80568aa1f82bf390a6326fd5199faca200ed2a87d417fd01
Instruction ID: df6c1a537286beaa814ce5278cbdc2a7a57805dc2d625dd150949d2362c24534
Opcode Fuzzy Hash: f041a6b858bdea5b80568aa1f82bf390a6326fd5199faca200ed2a87d417fd01
Instruction Fuzzy Hash: 4D419222E0868285F7658F6A98403796390FF80F94F168135DD5D4F7B4DE3CE4428704

Function 00007FFE013F0EB0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE013F0EDC
GetCurrentThreadId.KERNEL32 ref: 00007FFE013F0EEA
GetCurrentProcessId.KERNEL32 ref: 00007FFE013F0EF6
QueryPerformanceCounter.KERNEL32 ref: 00007FFE013F0F06

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 254015043cd6163a033e16cf8cead884c9bc0520b6899ec2c18d6ce2124c9aa3
Instruction ID: 5dd947dd313eb4a830c23d8d1b952b3a89e77f06a396f823291771d152007108
Opcode Fuzzy Hash: 254015043cd6163a033e16cf8cead884c9bc0520b6899ec2c18d6ce2124c9aa3
Instruction Fuzzy Hash: 5F112E26B14F0689EB00CF61E8552B833A4FB19758F440E35EE6D8A7B4EF7CD5988340

Function 00007FFE0138CAC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFE0138CBB4

Strings

%s%c%s, xrefs: 00007FFE0138CB33
\, xrefs: 00007FFE0138CB44

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$\
API String ID: 4059295235-3534329225
Opcode ID: a4ae827f49f27f6dd31bf8e6d12bc8a602828c457c4dbade2a7348c5239b154d
Instruction ID: 339e20282b4aea5ffd2f7ac575c3997bb7b60b3224f0671c3f1a8452a4c4c391
Opcode Fuzzy Hash: a4ae827f49f27f6dd31bf8e6d12bc8a602828c457c4dbade2a7348c5239b154d
Instruction Fuzzy Hash: 3E41E152E0CB8781FF169B62A8106BE67D0AF84B84F0A5135ED4D0F6F6DE3CE8819315

Function 00007FFE013F2724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE013F0EAF), ref: 00007FFE013F2774
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE013F0EAF), ref: 00007FFE013F27B5

Strings

csm, xrefs: 00007FFE013F27A2

Memory Dump Source

Source File: 00000003.00000002.3548881477.00007FFE01331000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE01330000, based on PE: true

Associated: 00000003.00000002.3548847662.00007FFE01330000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3548979487.00007FFE01408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549037327.00007FFE0142B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549067589.00007FFE0142C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549091385.00007FFE0142E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.3549117367.00007FFE01430000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe01330000_rundll32.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 803400b020b35e7b7cee79a36dcbfeac4c00b13c1ec3e981fe52a929148dd7ad
Instruction ID: 2f3c492ec71c5497c321c2b5a28b799690ae325ad0e7e1306ec4d2a1ab19701a
Opcode Fuzzy Hash: 803400b020b35e7b7cee79a36dcbfeac4c00b13c1ec3e981fe52a929148dd7ad
Instruction Fuzzy Hash: 12114F32A18B8182EB218F15F54026A77E5FB88B84F594238EF8C1B769DF3CD955CB00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sqx.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
sqx.dll.dll

Function 0000026AECD84D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Function 0000026AECD7F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215
threadprocessCOMMON

Function 0000026AECD6CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Function 0000026AECD755C0 Relevance: .9, Instructions: 926
COMMON

Function 0000026AECD671B0 Relevance: .1, Instructions: 140
COMMON

Function 0000026AECD94360 Relevance: .1, Instructions: 138
COMMON

Function 0000026AECD67830 Relevance: 7.8, APIs: 5, Instructions: 340
networkCOMMON

Function 0000026AECD78C60 Relevance: 3.2, APIs: 2, Instructions: 188
COMMON

Function 0000026AECD68ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Function 0000026AECD8B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Function 00007FFE013F0AE0 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 00007FFE013F1100 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 00007FFE013F9784 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE